While testing pki on vault, I noticed that despite leaving the max-lease-ttl setting on the pki backend at its default (768h), I was able to generate long-living certs (whatever max ttl the pki role permits). My expectation was that if max_ttl in the pki role is > max-lease-ttl of the secret backend, the expiry time of the certs would default to the max-lease-ttl from the backend OR vault would raise a warning/error of some kind here.
To reproduce, follow the guide at https://www.vaultproject.io/docs/secrets/pki; just skip the part where it asks you to tune the max-lease-ttl for the backend.
Is this an expected behavior or am I possibly missing some config parameters on my pki mount to enforce the TTL for max-lease-ttl?
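
An added example, not part of the original post and not Vault's own code: a Python check that flags PKI roles whose max_ttl is above the mount's max-lease-ttl, which is the condition described above. The field names `max_lease_ttl` and `max_ttl`, the treatment of 0 as the 768h default quoted in the post, and the sample mount and role data are assumptions constructed for illustration.

```python
import re

# Default max lease TTL quoted in the post (768h); assumed to apply when a mount reports 0.
SYSTEM_MAX_TTL = 768 * 3600

_UNITS = {"h": 3600, "m": 60, "s": 1}


def to_seconds(value):
    """Accept integer seconds or a duration string such as '8760h' or '72h0m0s'."""
    if isinstance(value, (int, float)):
        return int(value)
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    parts = re.findall(r"(\d+)([hms])", text)
    # Reject anything that is not made up entirely of <number><unit> pairs.
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unrecognised duration: {value!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)


def roles_exceeding_mount(mount_tune, roles):
    """Return (role, role_max_ttl, mount_max_ttl) for roles above the mount ceiling."""
    mount_max = to_seconds(mount_tune.get("max_lease_ttl", 0)) or SYSTEM_MAX_TTL
    findings = []
    for name, cfg in sorted(roles.items()):
        role_max = to_seconds(cfg.get("max_ttl", 0))
        if role_max > mount_max:  # a role max_ttl of 0 is never flagged
            findings.append((name, role_max, mount_max))
    return findings


# Constructed sample data (hypothetical mount tuning and role names).
SAMPLE_MOUNT = {"default_lease_ttl": 0, "max_lease_ttl": 0}  # mount left untuned
SAMPLE_ROLES = {
    "short-lived": {"max_ttl": "72h"},
    "long-lived": {"max_ttl": "8760h"},
    "legacy": {"max_ttl": "900h0m0s"},
    "unset": {"max_ttl": 0},
}

if __name__ == "__main__":
    for name, role_max, mount_max in roles_exceeding_mount(SAMPLE_MOUNT, SAMPLE_ROLES):
        print(f"{name}: role max_ttl {role_max}s > mount max-lease-ttl {mount_max}s")
```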