diff --git a/bin/tests/system/statschannel/ns2/sign.sh b/bin/tests/system/statschannel/ns2/sign.sh
index 77bcd41de6..a66e81c22f 100644
--- a/bin/tests/system/statschannel/ns2/sign.sh
+++ b/bin/tests/system/statschannel/ns2/sign.sh
@@ -19,8 +19,8 @@ set -e
 zone=dnssec.
 infile=dnssec.db.in
 zonefile=dnssec.db.signed
-ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
-zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -L 3600 -b "$DEFAULT_BITS" -f KSK "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -L 3600 -b "$DEFAULT_BITS" "$zone")
 # Sign deliberately with a very short expiration date.
 "$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" >"signzone.out.$zone" 2>&1
 id=$(keyfile_to_key_id "$ksk")
@@ -31,12 +31,12 @@ echo "$DEFAULT_ALGORITHM_NUMBER+$id" >dnssec.zsk.id
 zone=manykeys.
 infile=manykeys.db.in
 zonefile=manykeys.db.signed
-ksk8=$("$KEYGEN" -q -a RSASHA256 -b 2048 -f KSK "$zone")
-zsk8=$("$KEYGEN" -q -a RSASHA256 -b 2048 "$zone")
-ksk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -b 256 -f KSK "$zone")
-zsk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -b 256 "$zone")
-ksk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -b 384 -f KSK "$zone")
-zsk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -b 384 "$zone")
+ksk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 -f KSK "$zone")
+zsk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 "$zone")
+ksk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -L 3600 -b 256 -f KSK "$zone")
+zsk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -L 3600 -b 256 "$zone")
+ksk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -L 3600 -b 384 -f KSK "$zone")
+zsk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -L 3600 -b 384 "$zone")
 # Sign deliberately with a very short expiration date.
 "$SIGNER" -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" >"signzone.out.$zone" 2>&1
 id=$(keyfile_to_key_id "$ksk8")