If you’re using the
authority-admin provisioner, the default certificate lifetime is 24 hours. The 24-hour default validity window for certificates is arbitrary. Depending on your threat model and use context, you may want much shorter or much longer certificate lifetimes.
You can dynamically adjust the certificate
not-after parameters when requesting a certificate.
For example, this certificate will be valid for six minutes:
step ca certificate localhost localhost.crt localhost.key \\ --not-after=6m
In this example, this certificate will be valid starting 5 minutes from now, until 10 days from now:
step ca certificate localhost localhost.crt localhost.key \\ --not-before=5m --not-after=240h
PLEASE NOTE: Provisioners can be defined or modified with certificate minimum and maximum lifetimes and default certificate expiry. A single Authority can support many provisioners to unlock various automated workflows. Click to learn more about provisioners and claims.