diff --git a/cmd/main.go b/cmd/main.go
index ec30df6..f3ca33a 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -12,6 +12,7 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"time"
 
 	est "github.com/foundriesio/estserver"
 	"github.com/labstack/echo/v4"
@@ -33,6 +34,7 @@ func main() {
 		{name: "root-cert", help: "EST CA PEM encoded root certificate"},
 	}
 	port := flag.Int("port", 8443, "Port to listen on")
+	certDuration := flag.Duration("cert-duration", time.Hour*24*365*3, "How long new certs should be valid for. e.g. such as '1.5h' or '2h45m'. 3 years is default")
 	clientCas := flag.String("client-cas", "", "PEM encoded list of device CA's to allow. The device must present a certificate signed by a CA in this list or the `ca-cert` to authenticate")
 
 	for _, opt := range required {
@@ -83,7 +85,7 @@ func main() {
 		log.Fatal().Err(err).Msg("Unable to create tls cert handler")
 	}
 
-	svcHandler := est.NewStaticServiceHandler(est.NewService(rootCert, caCert, caKey))
+	svcHandler := est.NewStaticServiceHandler(est.NewService(rootCert, caCert, caKey, *certDuration))
 
 	e := echo.New()
 	s := http.Server{
diff --git a/service.go b/service.go
index b759786..6f63cbd 100644
--- a/service.go
+++ b/service.go
@@ -96,14 +96,18 @@ type Service struct {
 	// ca and key are the EST7030 keypair used for signing EST7030 requests
 	ca *x509.Certificate
 	key crypto.Signer
+
+	certDuration time.Duration
 }
 
 // NewService creates an EST7030 API for a Factory
-func NewService(rootCa *x509.Certificate, ca *x509.Certificate, key crypto.Signer) Service {
+func NewService(rootCa *x509.Certificate, ca *x509.Certificate, key crypto.Signer, certDuration time.Duration) Service {
 	return Service{
 		rootCa: rootCa,
 		ca: ca,
 		key: key,
+
+		certDuration: certDuration,
 	}
 }
 
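Review bot: `*certDuration` is handed to `est.NewService` with no lower-bound check, so `--cert-duration 0` or a negative value makes `signCsr` (service.go hunk, same page) compute a NotAfter at or before `now`, and the only clamp on that path bounds the upper end against the CA's NotAfter. Since `NewService` returns a `Service` without an error, the check belongs in main once the flags are parsed (the parse call is outside this hunk): `if *certDuration <= 0 { log.Fatal().Msg("cert-duration must be a positive duration") }`. Raising the default from one year to three years is a lifetime-policy change for device certificates and deserves a sentence in the commit message. The help text also reads awkwardly; `"How long new certs should be valid for, e.g. '1.5h' or '2h45m'. Default is 3 years"` says the same thing cleanly.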
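Review bot: The new `certDuration` field is the only member of `Service` without a comment, and the `NewService` doc line is not updated for the new parameter or for what a non-positive value does. Add `// certDuration is the validity period given to certificates signed by signCsr; it is clamped to ca.NotAfter` above the field, and extend the constructor comment with `// certDuration must be positive; NewService does not validate it.` so the precondition is visible to callers, given that the constructor has no error return to reject it with.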
@@ -207,7 +211,7 @@ func (s Service) signCsr(ctx context.Context, csr *x509.CertificateRequest) ([]b
 	}
 	now := time.Now()
-	notAfter := now.Add(time.Hour * 24 * 365)
+	notAfter := now.Add(s.certDuration)
 	if notAfter.After(s.ca.NotAfter) {
 		log.Warn().Msg("Adjusting default cert expiry")
 		notAfter = s.ca.NotAfter
diff --git a/service_test.go b/service_test.go
index ebb60a6..3e0a526 100644
--- a/service_test.go
+++ b/service_test.go
@@ -71,7 +71,7 @@ func createService(t *testing.T) Service {
 	cert, err := x509.ParseCertificate(der)
 	require.Nil(t, err)
-	return Service{cert, cert, key}
+	return Service{cert, cert, key, time.Hour * 24}
 }
 
 func TestService_CA(t *testing.T) {
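Review bot: The warning `"Adjusting default cert expiry"` on the line after the change is now misleading, because the lifetime being shortened is an operator-configured value rather than a built-in default, and an operator reading the log cannot tell that their `--cert-duration` was silently overridden. Change it to `log.Warn().Msg("Requested cert lifetime exceeds CA expiry; clamping notAfter to the CA's NotAfter")`, and if the logger supports structured fields, attach the requested duration and the CA's NotAfter so the gap is visible without reading code. signCsr begins and ends outside this hunk.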
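Review bot: `return Service{cert, cert, key, time.Hour * 24}` is a positional struct literal, so the next field added to `Service` breaks `createService` again and a field reorder would silently swap values; keyed form matches what `NewService` itself writes: `return Service{rootCa: cert, ca: cert, key: key, certDuration: time.Hour * 24}`. The 24h value is also never checked by a test in this commit; a test that signs a CSR through `createService(t)` and asserts the issued certificate's NotAfter is roughly 24h after its NotBefore would pin the new behaviour (that test body would live outside this hunk).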