diff --git a/services/ca/default.nix b/services/ca/default.nix
index 7c61981..b8a8077 100644
--- a/services/ca/default.nix
+++ b/services/ca/default.nix
@@ -42,6 +42,8 @@
           {
             claims = {
               enableSSHCA = true;
+              maxTLSCertDuration = "3600h";
+              defaultTLSCertDuration = "48h";
             };
             encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiY1lWOFJPb3lteXFLMWpzcS1WM1ZXQSJ9.WS8tPK-Q4gtnSsw7MhpTzYT_oi-SQx-CsRLh7KwdZnpACtd4YbcOYg.zeyDkmKRx8BIp-eB.OQ8c-KDW07gqJFtEMqHacRBkttrbJRRz0sYR47vQWDCoWhodaXsxM_Bj2pGvUrR26ij1t7irDeypnJoh6WXvUg3n_JaIUL4HgTwKSBrXZKTscXmY7YVmRMionhAb6oS9Jgus9K4QcFDHacC9_WgtGI7dnu3m0G7c-9Ur9dcDfROfyrnAByJp1rSZMzvriQr4t9bNYjDa8E8yu9zq6aAQqF0Xg_AxwiqYqesT-sdcfrxKS61appApRgPlAhW-uuzyY0wlWtsiyLaGlWM7WMfKdHsq-VqcVrI7Gi2i77vi7OqPEberqSt8D04tIri9S_sArKqWEDnBJsL07CC41IY.CqtYfbSa_wlmIsKgNj5u7g";
             key = {
@@ -59,6 +61,10 @@
           {
             name = "acme";
             type = "ACME";
+            claims = {
+              maxTLSCertDuration = "3600h";
+              defaultTLSCertDuration = "1800h";
+            };
           }
           {
             claims = {