diff --git a/CHANGELOG b/CHANGELOG
index 38a8db662..e25775853 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -31,6 +31,10 @@ o New UDP payloads:
 o [Ncat][GH#2154] Ncat no longer crashes when used with Unix domain sockets.
+o [Ncat][GH#2167][GH#2168] Ncat is now again generating certificates
+ with the duration of one year. Due to a bug, recent versions of Ncat were
+ using only one minute. [Tobias Girstmair]
+
 o [NSE][GH#2174] Script hostmap-crtsh got improved in several ways. The most visible are that certificate SANs are properly split apart and that identities that are syntactically incorrect to be hostnames are now ignored.
diff --git a/ncat/ncat_ssl.c b/ncat/ncat_ssl.c
index dc1db31bb..093c35403 100644
--- a/ncat/ncat_ssl.c
+++ b/ncat/ncat_ssl.c
@@ -530,7 +530,7 @@ static int ssl_gen_cert(X509 **cert, EVP_PKEY **key)
 || X509_gmtime_adj(tb, 0) == 0
 || X509_set1_notBefore(*cert, tb) == 0
 || (ta = ASN1_STRING_dup(X509_get0_notAfter(*cert))) == 0
- || X509_gmtime_adj(ta, 60) == 0
+ || X509_gmtime_adj(ta, DEFAULT_CERT_DURATION) == 0
 || X509_set1_notAfter(*cert, ta) == 0
 || X509_set_pubkey(*cert, *key) == 0) {
 ASN1_STRING_free(tb);
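Review bot: The `X509_gmtime_adj(ta, DEFAULT_CERT_DURATION)` line in ssl_gen_cert still gives no hint that the second argument is an offset in seconds from the current time, and the literal `60` it replaces is what produced the one-minute certificates described in the CHANGELOG entry. I would add a comment next to the validity lines, for example `/* notBefore = now; notAfter = now + DEFAULT_CERT_DURATION, an offset in seconds */`. The definition of DEFAULT_CERT_DURATION is not visible in this hunk, so it is worth confirming that it is a seconds count that fits in the `long` that X509_gmtime_adj takes, and parenthesising it if it is written as an arithmetic expression. The body of ssl_gen_cert starts and ends outside the hunk.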