diff --git a/cert/cert.go b/cert/cert.go
index 6be93978..daa9c7da 100644
--- a/cert/cert.go
+++ b/cert/cert.go
@@ -419,12 +419,17 @@ func (spec *Spec) Lifespan() time.Duration {
 }
 if isTooOld(spec.Key.Path) || isTooOld(spec.Cert.Path) {
 // This is necessary to essentially force cfssl to regenerate since it's not spec aware.
-spec.tr.Provider.Certificate().NotAfter = specStat.ModTime()
+spec.ResetLifespan()
 return 0
 }
 return spec.tr.Lifespan()
 }
 
+// Reset the lifespan to force cfssl to regenerate
+func (spec *Spec) ResetLifespan() {
+spec.tr.Provider.Certificate().NotAfter = time.Time{}
+}
+
 // Certificate returns the x509.Certificate associated with the spec
 // if one exists.
 func (spec *Spec) Certificate() *x509.Certificate {
diff --git a/cli/ensure.go b/cli/ensure.go
index 3e715b02..caa1e068 100644
--- a/cli/ensure.go
+++ b/cli/ensure.go
@@ -9,6 +9,7 @@ import (
 
 var ensureTolerance = 3
 var enableActions = false
+var forceRegen = false
 
 var ensureCmd = &cobra.Command{
 Use: "ensure",
@@ -31,7 +32,7 @@ func Ensure(cmd *cobra.Command, args []string) {
 os.Exit(1)
 }
 
-err = mgr.MustCheckCerts(ensureTolerance, enableActions)
+err = mgr.MustCheckCerts(ensureTolerance, enableActions, forceRegen)
 if err != nil {
 fmt.Fprintf(os.Stderr, "Failed: %s\n", err)
 os.Exit(1)
@@ -44,4 +45,5 @@ func init() {
 RootCmd.AddCommand(ensureCmd)
 ensureCmd.Flags().IntVarP(&ensureTolerance, "tries", "n", ensureTolerance, "number of times to retry refreshing a certificate")
 ensureCmd.Flags().BoolVarP(&enableActions, "enableActions", "", enableActions, "if passed, run the certificates svcmgr actions; defaults to not running them")
+ensureCmd.Flags().BoolVarP(&forceRegen, "forceRegen", "", forceRegen, "if passed, ignore TTL checks and force regeneration of all specs")
 }
diff --git a/cli/version.go b/cli/version.go
index c1fd05aa..ef5e9209 100644
--- a/cli/version.go
+++ b/cli/version.go
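Review bot: The doc comment on the new ResetLifespan does not start with the method name as Go doc convention expects, and it does not say that the method only mutates the provider's in-memory certificate, not anything on disk; suggest `// ResetLifespan zeroes NotAfter on the provider's in-memory certificate so the next Lifespan call reports it as expired and cfssl regenerates it.` The body dereferences `spec.tr.Provider.Certificate()` unguarded; Certificate() is declared elsewhere so I cannot tell whether it can return nil, but now that the method is exported and called from manager.go for every spec regardless of state, a nil return would panic where the old inline assignment only ran after the isTooOld check. The enclosing Lifespan body starts outside the hunk, so whether `specStat` still has a use after this change is not visible from here.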
@@ -8,7 +8,7 @@ import (
 "github.com/spf13/viper"
 )
 
-var currentVersion = "1.6.2"
+var currentVersion = "1.6.3"
 
 var versionCmd = &cobra.Command{
 Use: "version",
diff --git a/mgr/manager.go b/mgr/manager.go
index e14f9525..a1bccfbd 100644
--- a/mgr/manager.go
+++ b/mgr/manager.go
@@ -325,7 +325,7 @@ func (m *Manager) CheckCertsSync() int {
 // MustCheckCerts acts like CheckCerts, except it's synchronous and
 // has a maxmimum number of failures that are tolerated. If tolerate
 // is less than 1, it will be set to 1.
-func (m *Manager) MustCheckCerts(tolerance int, enableActions bool) error {
+func (m *Manager) MustCheckCerts(tolerance int, enableActions bool, forceRegen bool) error {
 if tolerance < 1 {
 tolerance = 1
 }
@@ -344,6 +344,12 @@ func (m *Manager) MustCheckCerts(tolerance int, enableActions bool) error {
 log.Errorf("manager: the CA for %s has changed, but the service couldn't be notified of the change", m.Certs[i])
 }
 
+if forceRegen {
+log.Debugf("manager: forcing regeneration of spec %s", m.Certs[i])
+m.Certs[i].ResetLifespan()
+queue <- &queuedCert{cert: m.Certs[i]}
+continue
+}
 if !m.Certs[i].Ready() && !m.Certs[i].IsQueued() {
 queue <- &queuedCert{cert: m.Certs[i]}
 continue
diff --git a/svcmgr/command.go b/svcmgr/command.go
index 3dc8efef..8b03a2db 100644
--- a/svcmgr/command.go
+++ b/svcmgr/command.go
@@ -32,6 +32,7 @@ func newCommandManager(action string, service string) (Manager, error) {
 log.Warningf("svcmgr 'command': service '%s' for action '%s' doesn't do anything, ignoring", service, action)
 }
 if canCheckSyntax {
+log.Debugf("svcmgr 'command': validating the action definition %s", action)
 err := run(shellBinary, "-n", "-c", action)
 if err != nil {
 return nil, fmt.Errorf("svcmgr 'command': action '%s' failed bash -n -c parse checks: %s", action, err)
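Review bot: The MustCheckCerts doc comment is not updated for the new forceRegen parameter in the changed signature, so a caller reading the comment has no way to know that the TTL check is bypassed. Suggest appending `// If forceRegen is true, every cert's lifespan is reset and it is queued for regeneration regardless of its TTL.` to the comment block. The same comment still reads "maxmimum" and "tolerate" where it means "maximum" and "tolerance"; since the signature line is being touched anyway this is a cheap fix. The function body continues outside the hunk.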
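Review bot: The new forceRegen branch in the @@ -344 hunk sends `m.Certs[i]` to queue without the `!m.Certs[i].IsQueued()` guard that the existing branch directly below applies, so a spec that is already queued is enqueued a second time and will be regenerated twice. Keep ResetLifespan and the `continue` as they are, but move the send under `if !m.Certs[i].IsQueued() {` inside the branch, i.e. `if !m.Certs[i].IsQueued() { queue <- &queuedCert{cert: m.Certs[i]} }`. Whether the queue consumer tolerates duplicate entries is not visible from this hunk, and MustCheckCerts continues outside it.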
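Review bot: The added Debugf in the canCheckSyntax branch formats the action with bare `%s`, while the Warningf two lines above quotes it as `'%s'`; for consistency and so an empty or whitespace-only action is visible in the log, use `log.Debugf("svcmgr 'command': validating the action definition '%s'", action)`. The action is a shell command string that comes from configuration (presumably the spec; its origin is outside this hunk), so it is logged verbatim at debug level, which matches what the existing Warningf already does but is worth knowing where debug logs are shipped off-host. newCommandManager continues outside the hunk.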