According to the docs, expiry-time="timespec" needs to be an absolute date/time, and cannot be relative.
Am I misunderstanding this? Or perhaps there is an alternative way to do what I want to achieve, namely to enforce maximum validity of a user's cert being presented to the server (i.e. to prevent users connecting using "forever" certificates). Thanks! Rachel