diff --git a/browserid/lib/ca.js b/browserid/lib/ca.js
index 9aee7cacf8965fb8591b4bb81153bcf3b3a79b28..2c4cee8d34d0a911708026cea5f65d21eeb72fe0 100644
--- a/browserid/lib/ca.js
+++ b/browserid/lib/ca.js
@@ -57,18 +57,22 @@ function parseCert(serializedCert) {
 }
 
 function certify(email, publicKey, expiration) {
-  return new jwcert.JWCert(HOSTNAME, new Date(), publicKey, {email: email}).sign(secrets.SECRET_KEY);
+  if (expiration == null)
+    throw "expiration cannot be null";
+  return new jwcert.JWCert(HOSTNAME, expiration, publicKey, {email: email}).sign(secrets.SECRET_KEY);
 }
 
 function verifyChain(certChain, cb) {
   // raw certs
-  return jwcert.JWCert.verifyChain(certChain, function(issuer, next) {
-    // for now we only do browserid.org issued keys
-    if (issuer != HOSTNAME)
-      return next(null);
-
-    next(secrets.PUBLIC_KEY);
-  }, cb);
+  return jwcert.JWCert.verifyChain(
+    certChain, new Date(),
+    function(issuer, next) {
+      // for now we only do browserid.org issued keys
+      if (issuer != HOSTNAME)
+        return next(null);
+      
+      next(secrets.PUBLIC_KEY);
+    }, cb);
 }
 
 // exports, not the key stuff
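Review bot: In `certify`, the new guard throws a bare string, so callers get no stack trace and any `instanceof Error` handling will miss it; `throw new Error("expiration cannot be null");` is the usual form. The guard also rejects only null/undefined, so a non-Date value or a date already in the past is still handed to `JWCert` and signed with `secrets.SECRET_KEY`. Because this is the signing path, consider checking `expiration instanceof Date && expiration.valueOf() > Date.now()` before signing. It is also worth deciding whether an upper bound on validity belongs here rather than being left to each caller.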
diff --git a/browserid/lib/wsapi.js b/browserid/lib/wsapi.js
index c52ca320957397e05d0e2a4c6ac2c20a2afe1c3e..f26ea4822e0664e21a89e6337348877d79abffce 100644
--- a/browserid/lib/wsapi.js
+++ b/browserid/lib/wsapi.js
@@ -303,7 +303,11 @@ function setup(app) {
       var pk = ca.parsePublicKey(req.body.pubkey);
 
       // same account, we certify the key
-      var cert = ca.certify(req.body.email, pk);
+      // we certify it for a day for now
+      var expiration = new Date();
+      expiration.setTime(new Date().valueOf() + (24*3600*1000));
+      var cert = ca.certify(req.body.email, pk, expiration);
+      
       resp.writeHead(200, {'Content-Type': 'text/plain'});
       resp.write(cert);
       resp.end();
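Review bot: The certificate lifetime is written inline as `24*3600*1000` in the request handler, although it is a security parameter: it bounds how long a certified key stays usable if it is later compromised. It would be easier to audit and change as a named constant or configuration value, e.g. `var expiration = new Date(Date.now() + CERT_VALIDITY_MS);`, where `CERT_VALIDITY_MS` is a placeholder name. That form also avoids constructing two `Date` objects to compute one timestamp. The enclosing handler starts and ends outside the hunk.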
diff --git a/browserid/tests/ca-test.js b/browserid/tests/ca-test.js
index 2e9bdcd54722e8c52da458090bd8a5a508c2b795..58841957aec1115a1c305b9ac466caf5fef61523 100755
--- a/browserid/tests/ca-test.js
+++ b/browserid/tests/ca-test.js
@@ -61,7 +61,9 @@ var email_addr = "foo@foo.com";
 suite.addBatch({
   "certify a public key": {
     topic: function() {
-      return ca.certify(email_addr, kp.publicKey);
+      var expiration = new Date();
+      expiration.setTime(new Date().valueOf() + 5000);
+      return ca.certify(email_addr, kp.publicKey, expiration);
     },
     "parses" : function(cert_raw, err) {
       var cert = ca.parseCert(cert_raw);
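Review bot: The updated topic exercises only the happy path: nothing visible here asserts that `ca.certify` throws when `expiration` is omitted, or that `ca.verifyChain` rejects a certificate whose expiration has passed, which appear to be the two behaviours this commit introduces. A batch that calls `ca.certify(email_addr, kp.publicKey)` and expects a throw, and one that certifies with a past date and expects verification to fail, would cover them. The 5000 ms lifetime also makes any later verification in this suite timing-dependent, so a longer window would avoid spurious failures on a slow run. The batch continues outside the hunk, so some of this may already be covered there.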
diff --git a/verifier/lib/certassertion.js b/verifier/lib/certassertion.js
index c2f88a1b81da46ea78c74687149cce1840a45451..30005bb0c7ab2ad412f260c907b34c504a19b934 100644
--- a/verifier/lib/certassertion.js
+++ b/verifier/lib/certassertion.js
@@ -142,34 +142,37 @@ function verify(assertion, audience, successCB, errorCB, pkRetriever) {
   var bundle = vep.unbundleCertsAndAssertion(assertion);
 
   var theIssuer;
-  jwcert.JWCert.verifyChain(bundle.certificates, function(issuer, next) {
-    theIssuer = issuer;
-    // allow other retrievers for testing
-    if (pkRetriever)
-      pkRetriever(issuer, next);
-    else
-      retrieveHostPublicKey(issuer, next, function(err) {next(null);});
-  }, function(pk, principal) {
-    // primary?
-    if (theIssuer != configuration.get('hostname')) {
-      // then the email better match the issuer
-      if (!principal.email.match("@" + theIssuer + "$"))
+  jwcert.JWCert.verifyChain(
+    bundle.certificates,
+    new Date(), function(issuer, next) {
+      theIssuer = issuer;
+      // allow other retrievers for testing
+      if (pkRetriever)
+        pkRetriever(issuer, next);
+      else
+        retrieveHostPublicKey(issuer, next, function(err) {next(null);});
+    }, function(pk, principal) {
+      // primary?
+      if (theIssuer != configuration.get('hostname')) {
+        // then the email better match the issuer
+        console.log(principal);
+        if (!principal.email.match("@" + theIssuer + "$"))
+          return errorCB();
+      }
+      
+      var tok = new jwt.JWT();
+      tok.parse(bundle.assertion);
+      
+      // audience must match!
+      if (tok.audience != audience)
         return errorCB();
-    }
-
-    var tok = new jwt.JWT();
-    tok.parse(bundle.assertion);
-
-    // audience must match!
-    if (tok.audience != audience)
-      return errorCB();
-    
-    if (tok.verify(pk)) {
-      successCB(principal.email, tok.audience, tok.expires);
-    } else {
-      errorCB();
-    }
-  }, errorCB);
+      
+      if (tok.verify(pk)) {
+        successCB(principal.email, tok.audience, tok.expires);
+      } else {
+        errorCB();
+      }
+    }, errorCB);
 }