Open davidham opened 6 years ago

In creating the private TLS certificate, one of the params to the module is `validity_period_hours`. It appears that the intention is to set this to a shorter period like 24 hours, rather than a longer one (which would be my inclination), like 10 years. Why is this? If I'm creating my own CA for signing these certs, and they expire in a short time, won't I have to have some way of recreating new TLS certs all the time? I like the approach of creating your own CA for internal applications like this; I think I'm just missing a piece on the expirations. Thanks!

Heh, it's a fair question. The answer isn't too deep: it's because the underlying Terraform resource uses hours :)

Whether your cert should be short- or long-lived depends on the use case. For Vault, it should probably be relatively long-lived (months or years).
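As an added example (not the module's or the thread's own code) of how `validity_period_hours` pairs with `early_renewal_hours` on the underlying hashicorp/tls resources: a private CA kept for 10 years, signing a leaf cert that a routine `terraform apply` replaces before it expires. Resource names, subject fields and DNS names are constructed, and the hashicorp/tls provider v4 or later is assumed.

```hcl
# Added example (not the module's own code): a private CA that lives
# for 10 years, signing a leaf certificate that Terraform rotates
# automatically. Assumes the hashicorp/tls provider, v4 or later.

resource "tls_private_key" "ca" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}

# The CA is long-lived: re-issuing it means re-distributing the trust
# anchor to every client, so 10 years, expressed in hours as the
# resource requires.
resource "tls_self_signed_cert" "ca" {
  private_key_pem       = tls_private_key.ca.private_key_pem
  is_ca_certificate     = true
  validity_period_hours = 10 * 365 * 24 # 87600 hours
  allowed_uses          = ["cert_signing", "crl_signing"]

  subject {
    common_name  = "example-internal-ca" # constructed value
    organization = "Example Org"         # constructed value
  }
}

resource "tls_private_key" "vault" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}

resource "tls_cert_request" "vault" {
  private_key_pem = tls_private_key.vault.private_key_pem
  dns_names       = ["vault.service.consul"] # constructed value
  subject {
    common_name = "vault.service.consul" # constructed value
  }
}

# Leaf cert: valid one year, but Terraform treats it as expired 30 days
# early, so the next apply re-issues it before clients see an expiry.
resource "tls_locally_signed_cert" "vault" {
  cert_request_pem      = tls_cert_request.vault.cert_request_pem
  ca_private_key_pem    = tls_private_key.ca.private_key_pem
  ca_cert_pem           = tls_self_signed_cert.ca.cert_pem
  validity_period_hours = 365 * 24
  early_renewal_hours   = 30 * 24
  allowed_uses          = ["key_encipherment", "digital_signature", "server_auth"]
}
```

Rotation still depends on something running `terraform apply` inside the renewal window, and the new `cert_pem` output must then reach Vault, so a shorter leaf lifetime only helps if that pipeline is automated.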