diff --git a/README.md b/README.md
index 1a6302d..d9410b4 100644
--- a/README.md
+++ b/README.md
@@ -89,6 +89,7 @@ The following environment variables are supported:
| __OPENVOXSERVER_PORT__ | The port of the openvoxserver
`8140` |
| __AUTOSIGN__ | Whether or not to enable autosigning on the openvoxserver instance. Valid values are `true`, `false`, and `/path/to/autosign.conf`.
Defaults to `true`. |
| __CA_ENABLED__ | Whether or not this openvoxserver instance has a running CA (Certificate Authority)
`true` |
+| __CA_TTL__ | CA expire date (in seconds or with suffix `s`, `m`, `h`, `d`, `y`)
`157680000` |
| __CA_HOSTNAME__ | The DNS hostname for the openvoxserver running the CA. Does nothing unless `CA_ENABLED=false`
`puppet` |
| __CA_PORT__ | The listening port of the CA. Does nothing unless `CA_ENABLED=false`
`8140` |
| __CA_ALLOW_SUBJECT_ALT_NAMES__ | Whether or not SSL certificates containing Subject Alternative Names should be signed by the CA. Does nothing unless `CA_ENABLED=true`.
`false` |
diff --git a/openvoxserver/Containerfile b/openvoxserver/Containerfile
index 6deece5..6153ef3 100644
--- a/openvoxserver/Containerfile
+++ b/openvoxserver/Containerfile
@@ -48,6 +48,7 @@ ENV OPENVOXSERVER_JAVA_ARGS="-Xms1024m -Xmx1024m" \
OPENVOXSERVER_MAX_ACTIVE_INSTANCES=1 \
OPENVOXSERVER_MAX_REQUESTS_PER_INSTANCE=0 \
CA_ENABLED=true \
+ CA_TTL=157680000 \
CA_HOSTNAME=puppet \
CA_PORT=8140 \
CA_ALLOW_SUBJECT_ALT_NAMES=false \
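Review bot: The default on the added `CA_TTL=157680000 \` line is an opaque count of seconds that a reader has to convert by hand to judge the certificate lifetime. Since the README row says unit suffixes are accepted, `CA_TTL=5y \` would state the same five-year lifetime readably, assuming a year is treated as 365 days, which is what the number works out to. The ENV instruction starts and ends outside this hunk.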
diff --git a/openvoxserver/docker-entrypoint.d/90-ca.sh b/openvoxserver/docker-entrypoint.d/90-ca.sh
index 90acf8d..5c8b480 100755
--- a/openvoxserver/docker-entrypoint.d/90-ca.sh
+++ b/openvoxserver/docker-entrypoint.d/90-ca.sh
@@ -42,6 +42,7 @@ EOF
fi
else
# we are the CA
+ puppet config set --section server ca_ttl "${CA_TTL}"
hocon -f /etc/puppetlabs/puppetserver/conf.d/ca.conf \
set certificate-authority.allow-subject-alt-names "${CA_ALLOW_SUBJECT_ALT_NAMES}"
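Review bot: `${CA_TTL}` is written into puppet.conf unvalidated at the added `puppet config set` line, so an empty or malformed override is not caught at container start. Because this value bounds how long a signed certificate stays trusted, I would fail fast before the call, e.g. (if this script runs under bash) `[[ "${CA_TTL}" =~ ^[0-9]+[smhdy]?$ ]] || { echo "invalid CA_TTL: ${CA_TTL}" >&2; exit 1; }`. I would also add a comment above the line: `# ca_ttl is the lifetime of newly signed certificates; changing it does not re-issue existing ones`. As far as I know that is Puppet's meaning of the setting, so please confirm it, because the README row calls it "CA expire date". The surrounding if/else starts and ends outside this hunk.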