diff --git a/internal/registry/loginrequest/rest.go b/internal/registry/loginrequest/rest.go
index afa0cb91..c645a640 100644
--- a/internal/registry/loginrequest/rest.go
+++ b/internal/registry/loginrequest/rest.go
@@ -138,10 +138,11 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
 		return failureResponse(), nil
 	}
 
+	expires := metav1.NewTime(time.Now().UTC().Add(clientCertificateTTL))
 	return &placeholderapi.LoginRequest{
 		Status: placeholderapi.LoginRequestStatus{
 			Credential: &placeholderapi.LoginRequestCredential{
-				ExpirationTimestamp:   nil,
+				ExpirationTimestamp:   &expires,
 				ClientCertificateData: string(certPEM),
 				ClientKeyData:         string(keyPEM),
 			},
diff --git a/internal/registry/loginrequest/rest_test.go b/internal/registry/loginrequest/rest_test.go
index 15022471..986872fc 100644
--- a/internal/registry/loginrequest/rest_test.go
+++ b/internal/registry/loginrequest/rest_test.go
@@ -153,6 +153,13 @@ func TestCreateSucceedsWhenGivenATokenAndTheWebhookAuthenticatesTheToken(t *test
 	response, err := callCreate(context.Background(), storage, validLoginRequestWithToken(requestToken))
 
 	require.NoError(t, err)
+	require.IsType(t, &placeholderapi.LoginRequest{}, response)
+
+	expires := response.(*placeholderapi.LoginRequest).Status.Credential.ExpirationTimestamp
+	require.NotNil(t, expires)
+	require.InDelta(t, time.Now().Add(1*time.Hour).Unix(), expires.Unix(), 5)
+	response.(*placeholderapi.LoginRequest).Status.Credential.ExpirationTimestamp = nil
+
 	require.Equal(t, response, &placeholderapi.LoginRequest{
 		Status: placeholderapi.LoginRequestStatus{
 			User: &placeholderapi.User{