diff -U0 openssh-6.4p1/ChangeLog.ssh-keygen-V openssh-6.4p1/ChangeLog

--- openssh-6.4p1/ChangeLog.ssh-keygen-V	2014-01-28 11:07:41.374758458 +0100

+++ openssh-6.4p1/ChangeLog	2014-01-28 11:14:38.172631130 +0100

@@ -0,0 +1,7 @@

+20131023

+   - djm@cvs.openbsd.org 2013/10/23 04:16:22

+     [ssh-keygen.c]

+     Make code match documentation: relative-specified certificate expiry time

+     should be relative to current time and not the validity start time.

+     Reported by Petr Lautrbach; ok deraadt@

+

diff -up openssh-6.4p1/ssh-keygen.c.ssh-keygen-V openssh-6.4p1/ssh-keygen.c

--- openssh-6.4p1/ssh-keygen.c.ssh-keygen-V	2014-01-28 11:07:41.365758505 +0100

+++ openssh-6.4p1/ssh-keygen.c	2014-01-28 11:07:41.375758453 +0100

@@ -1747,7 +1747,7 @@ parse_cert_times(char *timespec)

 		cert_valid_from = parse_absolute_time(from);

 	if (*to == '-' || *to == '+')

-		cert_valid_to = parse_relative_time(to, cert_valid_from);

+		cert_valid_to = parse_relative_time(to, now);

 	else

 		cert_valid_to = parse_absolute_time(to);