From bb09d049978d4b0eb9a9441b65397bdb421e6610 Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Sun, 15 Mar 2026 00:52:01 -0700
Subject: [PATCH] Change default intermediate issuer expiry from 5y to 3y

Co-Authored-By: Claude Sonnet 4.6
---
 internal/engine/ca/ca.go | 2 +-
 internal/engine/ca/types.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/internal/engine/ca/ca.go b/internal/engine/ca/ca.go
index e1fe0a3..1bc627c 100644
--- a/internal/engine/ca/ca.go
+++ b/internal/engine/ca/ca.go
@@ -498,7 +498,7 @@ func (e *CAEngine) handleCreateIssuer(ctx context.Context, req *engine.Request)
 keySize = int(v)
 }
- expiry := "43800h" // 5 years default
+ expiry := "26280h" // 3 years default
 if v, ok := req.Data["expiry"].(string); ok && v != "" {
 expiry = v
 }
diff --git a/internal/engine/ca/types.go b/internal/engine/ca/types.go
index b7f546b..1b52ea0 100644
--- a/internal/engine/ca/types.go
+++ b/internal/engine/ca/types.go
@@ -16,7 +16,7 @@ type IssuerConfig struct {
 Name string `json:"name"`
 KeyAlgorithm string `json:"key_algorithm"`
 KeySize int `json:"key_size"`
- Expiry string `json:"expiry"` // issuer cert expiry, e.g. "43800h" (5 years)
+ Expiry string `json:"expiry"` // issuer cert expiry, e.g. "26280h" (3 years)
 MaxTTL string `json:"max_ttl"` // max leaf cert TTL, e.g. "8760h" (1 year)
 CreatedBy string `json:"created_by"`
 CreatedAt time.Time `json:"created_at"`
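Review bot: The caller-supplied `expiry` in `handleCreateIssuer` still replaces the default with no upper bound visible in this hunk, so lowering the default to 3 years shortens issuer lifetime only for requests that omit the field. A request that sends `expiry` as a non-string value also fails the `.(string)` assertion and silently receives the default instead of an error. If the 3-year figure is meant as policy, the parsed duration should be compared against a maximum and rejected when it is longer; the function continues outside the hunk, so if such a check already exists further down, a short comment at this assignment pointing to it would help. Naming the value, e.g. `const defaultIssuerExpiry = "26280h" // 3 * 365 * 24h`, would also keep this literal and the example in the `IssuerConfig.Expiry` comment in `types.go` from drifting apart.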