Can I Extend Certificate Expiration Beyond One Year with AWS Private CA?

Asked By SkyWalker99 On

Hey everyone! I'm currently using a Private CA in the AWS Certificate Manager to generate certificates for my Site-to-Site VPNs. The default expiration for these certificates is set at 13 months, and I'm wondering if there's a way to extend this expiration period. I know AWS has auto-renewal features, but that still requires me to manually update the certificates on my endpoint devices, and it's becoming quite cumbersome. Any advice or solutions would be much appreciated!

3 Answers

Answered By PrivateCApro On

Unfortunately, you're stuck with that 13-month limit. AWS doesn't allow end-user certificates to have longer validity due to security risks. They want to protect their root cert as much as possible.

Answered By TechWhiz88 On

It seems like the issue might be in how you're setting things up. Have you thought about switching to a different VPN client? There are tons available, some of which might save you from the hassle of managing these renewals manually.

CuriousUser42 -

Haha, I get what you're saying! But due to our compliance policies, we have to keep everything within AWS, so switching clients isn't really an option for us.

Answered By InfoBusters On

Nope, you can't extend it beyond 13 months. Check this AWS documentation [here](https://docs.aws.amazon.com/privateca/latest/userguide/ca-lifecycle.html). They have set that as a hard limit for end-entity certificates issued through ACM.

TechSavvyTom -

Thanks for the link! I actually found a note that states you can use the `IssueCertificate` API to specify any validity period as long as it’s shorter than that of the issuing CA. Just not sure how to implement it.
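As an added example (not part of the thread and not AWS's own code), this is one way to call `IssueCertificate` through boto3 with an explicit validity, checking first that the validity ends before the issuing CA certificate does. The CA ARN is a placeholder, `build_issue_request` and `issue` are hypothetical helper names, and `SHA256WITHRSA` assumes the CA uses an RSA key.

```python
from datetime import datetime, timedelta, timezone

# Placeholder ARN (constructed for this example, not a real CA).
CA_ARN = "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE"


def build_issue_request(ca_arn, csr_pem, days, ca_not_after, now=None,
                        margin_days=1):
    """Return kwargs for acm-pca IssueCertificate.

    Raises ValueError if the requested validity would not end before the
    issuing CA certificate expires (with a small safety margin).
    """
    now = now or datetime.now(timezone.utc)
    if days <= 0:
        raise ValueError("validity must be a positive number of days")
    not_after = now + timedelta(days=days)
    if not_after + timedelta(days=margin_days) > ca_not_after:
        raise ValueError(
            f"requested expiry {not_after:%Y-%m-%d} is not before the "
            f"CA expiry {ca_not_after:%Y-%m-%d}")
    return {
        "CertificateAuthorityArn": ca_arn,
        "Csr": csr_pem,                       # PEM-encoded CSR as bytes
        "SigningAlgorithm": "SHA256WITHRSA",  # assumption: RSA CA key
        "Validity": {"Value": days, "Type": "DAYS"},
    }


def issue(csr_pem, days, region="us-east-1"):
    """Issue a certificate with the given validity and return (cert, chain)."""
    import boto3  # imported here so the validity check above works offline

    pca = boto3.client("acm-pca", region_name=region)
    ca = pca.describe_certificate_authority(CertificateAuthorityArn=CA_ARN)
    ca_not_after = ca["CertificateAuthority"]["NotAfter"]
    request = build_issue_request(CA_ARN, csr_pem, days, ca_not_after)
    cert_arn = pca.issue_certificate(**request)["CertificateArn"]
    # Issuance is asynchronous; wait until the certificate can be fetched.
    pca.get_waiter("certificate_issued").wait(
        CertificateAuthorityArn=CA_ARN, CertificateArn=cert_arn)
    out = pca.get_certificate(
        CertificateAuthorityArn=CA_ARN, CertificateArn=cert_arn)
    return out["Certificate"], out.get("CertificateChain")
```

Certificates issued this way are not managed by ACM, so nothing renews them automatically; track their expiry yourself.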
