stackhpc · jackhodgkiss · Jul 23, 2025 · Jul 18, 2025
@@ -19,8 +19,8 @@ seed_openbao_pki_role_name: "ServerCert"
 seed_openbao_pki_roles:
   - name: "{{ seed_openbao_pki_role_name }}"
     config:
-      max_ttl: 8760h
-      ttl: 8760h
+      max_ttl: 730d
+      ttl: 730d
       allow_any_name: true
       allow_ip_sans: true
       require_cn: false
@@ -59,8 +59,8 @@ overcloud_openbao_pki_external_tls_role_name: "{{ overcloud_openbao_pki_default_
 overcloud_openbao_pki_roles:
   - name: "{{ overcloud_openbao_pki_default_role_name }}"
     config:
-      max_ttl: 8760h
-      ttl: 8760h
+      max_ttl: 730d
+      ttl: 730d
       allow_any_name: true
       allow_ip_sans: true
       require_cn: false

@@ -25,8 +25,8 @@ seed_vault_pki_role_name: "ServerCert"
 seed_vault_pki_roles:
   - name: "{{ seed_vault_pki_role_name }}"
     config:
-      max_ttl: 8760h
-      ttl: 8760h
+      max_ttl: 730d
+      ttl: 730d
       allow_any_name: true
       allow_ip_sans: true
       require_cn: false
@@ -71,8 +71,8 @@ overcloud_vault_pki_external_tls_role_name: "{{ overcloud_vault_pki_default_role
 overcloud_vault_pki_roles:
   - name: "{{ overcloud_vault_pki_default_role_name }}"
     config:
-      max_ttl: 8760h
-      ttl: 8760h
+      max_ttl: 730d
+      ttl: 730d
       allow_any_name: true
       allow_ip_sans: true
       require_cn: false

@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Increase the ``ttl`` of the ``PKI`` role to two years providing
+    the opportunity to replace ``internal`` and ``backend`` certificates
+    during the annual upgrade.