diff --git a/modules/services/step-ca/mtls.nix b/modules/services/step-ca/mtls.nix
index 7b18b5b..20b2f54 100644
--- a/modules/services/step-ca/mtls.nix
+++ b/modules/services/step-ca/mtls.nix
@@ -35,6 +35,10 @@ let
 type = lib.types.str;
 default = "admin";
 };
+ lifetime = lib.mkOption {
+ type = lib.types.str;
+ default = "6h";
+ };
 renew = {
 enable = lib.mkOption {
 description = "Enable automatic mTLS certificate renewal using a systemd timer.";
@@ -224,6 +228,7 @@ in
 --ca-url ${cfg.caURL} \
 --root ${rootCA} \
 --provisioner ${cfg.provisioner} \
+ --not-before=-5m --not-after=${cfg.lifetime} \
 ${sanArgs} \
 "$@"
 cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
@@ -272,9 +277,11 @@ in
 (writeShellScriptBin "mtls-generate" ''
 set -euo pipefail
 ${lib.getExe pkgs.step-cli} ca certificate \
- john-pc-ubuntu ${tlsCert} ${tlsKey} \
+ ${cfg.subject} ${tlsCert} ${tlsKey} \
+ --not-before=-5m --not-after=${cfg.lifetime} \
 --provisioner ${cfg.provisioner} \
- ${sanArgs}
+ ${sanArgs} \
+ "$@"
 cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
 '')
 (writeShellScriptBin "mtls-check" ''
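Review bot: The new `lifetime` option in the first hunk has no `description`, while the neighbouring `renew.enable` option documents itself; a reader of the generated module options has no way to tell what unit or format the string takes or that it becomes the certificate's `--not-after`. Suggested: `description = "Validity period of the issued mTLS certificate, passed to step as --not-after (e.g. \"6h\"); the CA's provisioner policy may still cap or reject the requested value.";`. Since the value is interpolated unquoted into two shell scripts, the type could also be narrowed from `lib.types.str` to something like `lib.types.strMatching "[0-9]+[smh]"` so a malformed or stray value fails at evaluation rather than at renewal time. The surrounding `let` block starts outside the hunk.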
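Review bot: The hard-coded `--not-before=-5m` on the added line of the second hunk is an undocumented magic value; it presumably back-dates the certificate to tolerate clock skew between the CA and peers, and a short comment should say so, e.g. `# back-date 5m so a cert issued by a slightly fast CA is not rejected as not-yet-valid`. If skew exceeds 5 minutes the certificate is rejected at issuance time anyway, so the value and the reason belong together. Separately, with a configurable `lifetime` the renewal timer cadence (outside this hunk) must stay well below it, otherwise a short `lifetime` such as `1h` combined with a longer timer interval leaves a window where the bundle at `${mtlsBundle}` is expired; an `assertion` tying the two together, or a note on the option, would make that visible. The enclosing renewal script starts and ends outside the hunk.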
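Review bot: The validity flags `--not-before=-5m --not-after=${cfg.lifetime}` are now duplicated verbatim between the renewal script in the second hunk and `mtls-generate` in this one, so the two issuance paths can silently drift apart the next time one is touched. Hoisting them into one binding in the enclosing `let`, e.g. `validityArgs = "--not-before=-5m --not-after=${cfg.lifetime}";`, and referencing `${validityArgs} \` in both scripts keeps initial issuance and renewal on the same policy. Note also that `mtls-generate` does not pass `--ca-url`/`--root` as the renewal script does; that predates this change, but now that both scripts accept `"$@"` it is worth confirming the intended difference in a comment rather than leaving it implicit. The `writeShellScriptBin` list continues outside the hunk.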