PKI with ACME Certs issued with certbot valid only 7 Days

Hi there,

I’ve set up Vault with PKI intermediate CA, activated ACME ad tuned issued certs to TTL=90d
This works fine.
When I use ACME with Certbot, the certificates get a validity for only 7 Days.

I figured out, this comes from the “default lease TTL” showed on the Dashboard in the Configuration details area.

I set it to ttl= 30 days and the new issued certificates also got this validity period and still ignoring the default_ttl from the PKI role.

How to solve it? I don’t want to set the default ttl for the “whole system” tokens to 90 days to get certificates valid for 90 days.


If you are using a role within your acme configuration’s “Default directory policy”, ACME should be using that role’s TTL and/or MaxTTL value.

Things that might also influence it down to 7 days could be the mount’s values for default lease ttl and/or max lease ttl. Finally have a look at the the CA’s expiration date as ACME issuance will not issue a certificate beyond it and will automatically truncate.