diff --git a/lib/browserid/views.js b/lib/browserid/views.js
index 93de723d3166c5e8c33345911f9a9a7b97705ab4..d4dbd13e84414386eff4d5dc20acfaddce70431e 100644
--- a/lib/browserid/views.js
+++ b/lib/browserid/views.js
@@ -104,7 +104,7 @@ exports.setup = function(app) {
   }
 
   try {
-    const publicKey = secrets.loadPublicKey('root', config.get('var_path'));
+    const publicKey = secrets.loadPublicKey();
   } catch(e){
     logger.error("can't read public key, exiting: " + e);
     setTimeout(function() { process.exit(1); }, 0);
diff --git a/lib/keysigner/ca.js b/lib/keysigner/ca.js
index 6ef88224fd092570a56cc64294a4ced08bc24c44..5ae54a7dbfa5fe60e954fb87b05236851a141098 100644
--- a/lib/keysigner/ca.js
+++ b/lib/keysigner/ca.js
@@ -50,8 +50,8 @@ logger.info("Certs will be issued from: " + HOSTNAME);
 
 
 try {
-  const secret_key = secrets.loadSecretKey('root', config.get('var_path'));
-  const public_key = secrets.loadPublicKey('root', config.get('var_path'));
+  const secret_key = secrets.loadSecretKey();
+  const public_key = secrets.loadPublicKey();
 } catch(e){
   logger.error("can't read keys, exiting: " + e);
   setTimeout(function() { process.exit(1); }, 0);
diff --git a/lib/secrets.js b/lib/secrets.js
index b3ca9ad06b5502a2b8b95de295e1a584c207a9ef..1dffcad9f01dee38e71acf309259d98ffce712ba 100644
--- a/lib/secrets.js
+++ b/lib/secrets.js
@@ -47,9 +47,21 @@ exports.generate = function(chars) {
   return str;
 }
 
+// functions to set defaults
+
+// default key name is 'root'
+function checkName(name) {
+  return name ? name : 'root';
+}
+
+// default directory is the var dir.
+function checkDir(dir) {
+  return dir ? dir :  require('./configuration').get('var_path');
+}
+
 exports.hydrateSecret = function(name, dir) {
+  dir = checkDir(dir);
   var p = path.join(dir, name + ".sekret");
-  var fileExists = false;
   var secret = undefined;
 
   try{ secret = fs.readFileSync(p).toString(); } catch(e) {};
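Review bot: `checkName` and `checkDir` fall back on any falsy argument, so a caller that passes an empty or undefined `dir` by mistake (for instance from an unset config value) is now quietly pointed at the default `var_path` key material instead of having the mistake surface. Defaulting only when the argument is absent is stricter: `return dir === undefined ? require('./configuration').get('var_path') : dir;`, and likewise for `name`. The same applies to `loadSecretKey`, `publicKeyCreationDate` and `loadPublicKey` in the later hunks of this file. The inline `require('./configuration')` presumably avoids a load-order cycle; if so, a comment such as `// required lazily to avoid a circular require with configuration.js` would stop someone hoisting it. `hydrateSecret` defaults only `dir`, not `name`, which looks intentional but is worth stating; its body continues outside the hunk.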
@@ -64,8 +76,9 @@ exports.hydrateSecret = function(name, dir) {
 };
 
 exports.loadSecretKey = function(name, dir) {
+  name = checkName(name);
+  dir = checkDir(dir);
   var p = path.join(dir, name + ".secretkey");
-  var fileExists = false;
   var secret = undefined;
 
   // may throw
@@ -79,9 +92,18 @@ exports.loadSecretKey = function(name, dir) {
   return jwk.SecretKey.deserialize(secret);
 }
 
+exports.publicKeyCreationDate = function(name, dir) {
+  name = checkName(name);
+  dir = checkDir(dir);
+  var p = path.join(dir, name + ".publickey");
+  var stats = fs.statSync(p);
+  return stats.ctime;
+};
+
 exports.loadPublicKey = function(name, dir) {
+  name = checkName(name);
+  dir = checkDir(dir);
   var p = path.join(dir, name + ".publickey");
-  var fileExists = false;
   var secret = undefined;
 
   // may throw
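Review bot: `publicKeyCreationDate` returns `stats.ctime`, which on POSIX systems is the inode status-change time, not the creation time: a `chmod`, `chown`, rename or restore from backup moves it forward without the key changing. The session_context.js hunk treats certificates issued before this date as bogus, so a permissions fix or redeploy could invalidate still-valid certificates, and hosts sharing one key file copy may report different dates. `return stats.mtime;` tracks content changes more closely, though recording the timestamp when the key is generated and reading it back would be the reliable source. `fs.statSync` throws when the file is missing, so a `// may throw` comment like the one in the sibling loaders would help callers; `loadPublicKey` continues outside the hunk.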
diff --git a/lib/verifier/certassertion.js b/lib/verifier/certassertion.js
index 23d3dc9bbdb3a8f35ac2931dda02b780689363f6..e7beb9c8fa0cedc21bdb33e16be1b87b16d7f2ae 100644
--- a/lib/verifier/certassertion.js
+++ b/lib/verifier/certassertion.js
@@ -54,7 +54,7 @@ const HOSTMETA_URL = "/.well-known/host-meta";
 var publicKeys = {};
 
 try {
-  const publicKey = secrets.loadPublicKey('root', config.get('var_path'));
+  const publicKey = secrets.loadPublicKey();
 } catch(e){
   logger.error("can't read public key, exiting: " + e);
   setTimeout(function() { process.exit(1); }, 0);
diff --git a/lib/wsapi/session_context.js b/lib/wsapi/session_context.js
index 3a73014ef5abf64970a79db1343687d50715df39..f941f002542bd10578d30490e39544a0d88543a8 100644
--- a/lib/wsapi/session_context.js
+++ b/lib/wsapi/session_context.js
@@ -2,7 +2,8 @@ const
 db = require('../db.js'),
 logger = require('../logging.js').logger,
 crypto = require('crypto'),
-wsapi = require('../wsapi.js');
+wsapi = require('../wsapi.js'),
+secrets = require('../secrets.js');
 
 // return the CSRF token, authentication status, and current server time (for assertion signing)
 // IMPORTANT: this is safe because it's only readable by same-origin code
@@ -11,6 +12,10 @@ exports.method = 'get';
 exports.writes_db = false;
 exports.authed = false;
 
+// determine the domain key creation date - issue #599
+const domainKeyCreationDate = secrets.publicKeyCreationDate();
+logger.debug("domain key was created at " + domainKeyCreationDate + " (certs issued prior to this are bogus)");
+
 exports.process = function(req, res) {
   if (typeof req.session == 'undefined') {
     req.session = {};
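Review bot: The module-level call to `secrets.publicKeyCreationDate()` is unguarded, so a missing or unreadable `.publickey` file throws out of `require` with a raw stack trace, whereas views.js, ca.js and certassertion.js in this same commit catch the failure, log it and exit. Wrapping it the same way keeps start-up failures consistent and makes the cause obvious in the logs. The value is also captured once at load time, so a key rotated while the process is running would not be reflected until restart; a comment stating that assumption would help. `exports.process` continues outside the hunk.

```javascript
// determine the domain key creation date - issue #599
var domainKeyCreationDate;
try {
  domainKeyCreationDate = secrets.publicKeyCreationDate();
  logger.debug("domain key was created at " + domainKeyCreationDate + " (certs issued prior to this are bogus)");
} catch(e) {
  logger.error("can't read domain key creation date, exiting: " + e);
  setTimeout(function() { process.exit(1); }, 0);
}
// … unchanged: exports.process …
```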
@@ -29,7 +34,8 @@ exports.process = function(req, res) {
     res.json({
       csrf_token: req.session.csrf,
       server_time: (new Date()).getTime(),
-      authenticated: auth_status
+      authenticated: auth_status,
+      domain_key_creation_date: domainKeyCreationDate.getTime()
     });
   };