diff --git a/README.md b/README.md
index 16aee59b..c406b903 100644
--- a/README.md
+++ b/README.md
@@ -97,6 +97,7 @@ The following environment variables are supported:
| __PUPPETSERVER_PORT__ | The port of the puppetserver
`8140` |
| __AUTOSIGN__ | Whether or not to enable autosigning on the puppetserver instance. Valid values are `true`, `false`, and `/path/to/autosign.conf`.
Defaults to `true`. |
| __CA_ENABLED__ | Whether or not this puppetserver instance has a running CA (Certificate Authority)
`true` |
+| __CA_TTL__ | CA expire date (in seconds)
`157680000` |
| __CA_HOSTNAME__ | The DNS hostname for the puppetserver running the CA. Does nothing unless `CA_ENABLED=false`
`puppet` |
| __CA_PORT__ | The listening port of the CA. Does nothing unless `CA_ENABLED=false`
`8140` |
| __CA_ALLOW_SUBJECT_ALT_NAMES__ | Whether or not SSL certificates containing Subject Alternative Names should be signed by the CA. Does nothing unless `CA_ENABLED=true`.
`false` |
diff --git a/puppetserver/Dockerfile b/puppetserver/Dockerfile
index e7e724e2..7ea78654 100644
--- a/puppetserver/Dockerfile
+++ b/puppetserver/Dockerfile
@@ -49,6 +49,7 @@ ENV PUPPETSERVER_JAVA_ARGS="-Xms1024m -Xmx1024m" \
CA_HOSTNAME=puppet \
CA_PORT=8140 \
CA_ALLOW_SUBJECT_ALT_NAMES=false \
+ CA_TTL=157680000 \
INTERMEDIATE_CA=false \
INTERMEDIATE_CA_BUNDLE=/etc/puppetlabs/intermediate/ca.pem \
INTERMEDIATE_CRL_CHAIN=/etc/puppetlabs/intermediate/crl.pem \
diff --git a/puppetserver/docker-entrypoint.d/90-ca.sh b/puppetserver/docker-entrypoint.d/90-ca.sh
index 90acf8dc..338d2eb9 100755
--- a/puppetserver/docker-entrypoint.d/90-ca.sh
+++ b/puppetserver/docker-entrypoint.d/90-ca.sh
@@ -32,6 +32,9 @@ EOF
hocon -f webserver.conf set webserver.ssl-crl-path $ssl_crl_path
cd /
+ if [[ -z $CA_TTL ]]; then
+ puppet config set --section server ca_ttl "${CA_TTL}"
+
# bootstrap certs for the puppetserver
if [[ ! -f "$ssl_cert" ]]; then
while ! ca_running; do
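Review bot: The new guard is inverted and the block is never closed: `[[ -z $CA_TTL ]]` is true only when CA_TTL is empty, so `puppet config set` runs with an empty value exactly when it should not and is skipped whenever the variable is populated, and no `fi` follows the call before the next `if`, which is a syntax error unless a matching `fi` appears outside the hunk. Because the Dockerfile hunk in this commit sets `CA_TTL=157680000` in the image, the condition as written would never be true in a normal container start, so the setting would silently never be applied. The intended three lines are `if [[ -n "${CA_TTL}" ]]; then`, `  puppet config set --section server ca_ttl "${CA_TTL}"`, `fi`. Since `CA_TTL` is operator-supplied and is not checked as a number, a brief comment such as `# ca_ttl: lifetime of certificates signed by this CA, in seconds (puppet also accepts unit suffixes)` would help readers verify the value against the README. The enclosing block of 90-ca.sh begins and continues outside this hunk.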