Bug: `tctl auth sign` Validity Period is off by 1 minute

[one000mph]

The identify cert generated tctl auth sign is off by 1 minute

For an existing user

$ tctl auth sign --user teleport -o teleport_id
# file written
$ openssl x509 -text -noout -in teleport_id
Certificate:
    Data:
        Version: 3 (0x2)
...
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=grav-00, CN=grav-00
        Validity
-            Not Before: Oct 11 21:51:30 2019 GMT #Current
-            Not After : Oct 12 09:52:30 2019 GMT #Current
+            Not Before: Oct 11 21:51:30 2019 GMT #Expected
+            Not After : Oct 12 09:51:30 2019 GMT #Expected

The behavior is the same when the --ttl flag is set. --ttl 5m becomes a 6 minute duration

[benarent]

This looks like a bug, I'll copy it over the OSS repo