hashicorp / terraform-aws-vault

A Terraform Module for how to run Vault on AWS using Terraform and Packer
Apache License 2.0

When creating the private-tls-cert, why set validity in hours? #28

Open davidham opened 6 years ago

davidham commented 6 years ago

In creating the private TLS certificate, one of the params to the module is validity_period_hours. It appears that the intention is to set this in a shorter period like 24 hours, rather than a longer one (which would be my inclination), like 10 years. Why is this? If I'm creating my own CA for signing these certs, and they expire in a short time, won't I have to have some way of recreating new TLS certs all the time?

I like the approach of creating your own CA for internal applications like this; I think I'm just missing a piece on the expirations. Thanks!

brikis98 commented 6 years ago

Heh, it's a fair question. The answer isn't too deep: it's because the underlying Terraform resource uses hours :)

Whether your cert should be short or long lived depends on the use-case. For Vault, it should probably be relatively long-lived (months or years).
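As an added illustration of the point above (constructed here, not code from terraform-aws-vault or from either commenter), the hashicorp/tls resources the module builds on take `validity_period_hours`, so a longer lifetime is just an hours conversion held in a local; `early_renewal_hours` makes Terraform plan a replacement of the leaf cert before it expires, which addresses the "recreating certs all the time" concern. Names and values are placeholders, and it assumes tls provider v4 or later (no `key_algorithm` argument).

```hcl
# Constructed example: a long-lived private CA and a shorter-lived
# Vault server cert signed by it. Lifetimes are expressed in years
# and converted to the hours the tls provider expects.
locals {
  ca_validity_hours   = 24 * 365 * 10 # 10 years for the offline CA
  cert_validity_hours = 24 * 365      # 1 year for the Vault leaf cert
}

resource "tls_private_key" "ca" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

# Self-signed CA certificate; only cert/CRL signing is allowed.
resource "tls_self_signed_cert" "ca" {
  private_key_pem       = tls_private_key.ca.private_key_pem
  is_ca_certificate     = true
  validity_period_hours = local.ca_validity_hours
  allowed_uses          = ["cert_signing", "crl_signing"]

  subject {
    common_name  = "vault-internal-ca" # placeholder
    organization = "example-org"       # placeholder
  }
}

resource "tls_private_key" "vault" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

resource "tls_cert_request" "vault" {
  private_key_pem = tls_private_key.vault.private_key_pem
  dns_names       = ["vault.service.consul"] # placeholder SAN
  ip_addresses    = ["127.0.0.1"]

  subject {
    common_name = "vault.service.consul"
  }
}

# Leaf cert signed by the CA above. early_renewal_hours makes the next
# `terraform plan` show this resource for replacement 30 days before
# expiry, so rotation becomes a routine apply rather than an outage.
resource "tls_locally_signed_cert" "vault" {
  cert_request_pem      = tls_cert_request.vault.cert_request_pem
  ca_private_key_pem    = tls_private_key.ca.private_key_pem
  ca_cert_pem           = tls_self_signed_cert.ca.cert_pem
  validity_period_hours = local.cert_validity_hours
  early_renewal_hours   = 24 * 30
  allowed_uses          = ["key_encipherment", "digital_signature", "server_auth"]
}
```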