Token used to access the Vault UI does not renew

I am using a certificate to generate a token to access the Vault UI. It works as expected but it doesn’t seem to renew. The UI signs out after the initial TTL expires. The cert auth has a max ttl of 3600 and the certificate has a ttl of 900 and a max ttl of 3600.

I am using the following to generate the token::

RESPONSE=$(curl -s \
    --request POST \
    --cert .ssh/${ENV}-cert.pem \
    --key .ssh/${ENV}-rsa.pem \
    --data "{\"name\": \"${NAME}-vault-ui\"}" \$DNS/v1/auth/cert/login)


The client_token has the correct TTL and “renewable”:true. What am I missing?

I am on Vault 1.6.1