diff --git a/include/opendht/crypto.h b/include/opendht/crypto.h
index f961c59e415170850456eed1ef71146f6c7f2014..5fb9ae178b963ec508a452d15191bbc0ae0603c3 100644
--- a/include/opendht/crypto.h
+++ b/include/opendht/crypto.h
@@ -333,6 +333,7 @@ class OPENDHT_PUBLIC RevocationList
 {
     using clock = std::chrono::system_clock;
     using time_point = clock::time_point;
+    using duration = clock::duration;
 public:
     RevocationList();
     RevocationList(const Blob& b);
@@ -365,8 +366,9 @@ public:
 
     /**
      * Sign this revocation list using provided key and certificate.
+     * Validity_period sets the duration until expiration (default to certificate expiration).
      */
-    void sign(const PrivateKey&, const Certificate&);
+    void sign(const PrivateKey&, const Certificate&, duration validity_period = {});
     void sign(const Identity& id) { sign(*id.first, *id.second); }
 
     bool isSignedBy(const Certificate& issuer) const;
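Review bot: The default `validity_period = {}` changes what every existing caller gets, including the `sign(const Identity&)` overload on the following line: per the src/crypto.cpp hunk, nextUpdate moves from a fixed 7 days to the CA certificate's expiration. A relying party that treats a CRL as current until nextUpdate could then keep using an old list, and miss later revocations, for as long as the CA is valid. The doc comment should say that a zero duration is the sentinel and spell out the consequence, e.g. `validity_period: time until the CRL's nextUpdate; zero (the default) uses the issuer certificate's expiration, so pass a short period when revocations must propagate quickly`. It should also state that negative durations are invalid.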
diff --git a/src/crypto.cpp b/src/crypto.cpp
index c00781bc0ee60ceacdc9c94a4f5a8260da910478..784ce0f93ae866ee1b384560f78f2565c6d1246f 100644
--- a/src/crypto.cpp
+++ b/src/crypto.cpp
@@ -976,12 +976,12 @@ T endian(T w, Endian endian = Endian::BIG)
 }
 
 void
-RevocationList::sign(const PrivateKey& key, const Certificate& ca)
+RevocationList::sign(const PrivateKey& key, const Certificate& ca, duration validity)
 {
     if (auto err = gnutls_x509_crl_set_version(crl, 2))
         throw CryptoException(std::string("Can't set CRL version: ") + gnutls_strerror(err));
     auto now = std::chrono::system_clock::now();
-    auto next_update = now + std::chrono::hours(24*7);
+    auto next_update = (validity == duration{}) ? ca.getExpiration() : now + validity;
     if (auto err = gnutls_x509_crl_set_this_update(crl, std::chrono::system_clock::to_time_t(now)))
         throw CryptoException(std::string("Can't set CRL update time: ") + gnutls_strerror(err));
     if (auto err = gnutls_x509_crl_set_next_update(crl, std::chrono::system_clock::to_time_t(next_update)))
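Review bot: `next_update` on the changed line is never compared with `now`, so a negative `validity` or a `ca.getExpiration()` that is already in the past yields a CRL whose nextUpdate precedes thisUpdate. The same happens if that accessor returns an error sentinel, which is not visible here. Add a guard before the `gnutls_x509_crl_set_this_update` call: `if (next_update <= now) throw CryptoException("CRL next update must be later than this update");`. `now + validity` can also overflow for very large durations, so an upper bound on `validity` is worth considering. The body of sign() continues past the end of the hunk.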