diff --git a/automation/roles/tls_certificate/tasks/main.yml b/automation/roles/tls_certificate/tasks/main.yml
index 135af83d2..a032e6cbd 100644
--- a/automation/roles/tls_certificate/tasks/main.yml
+++ b/automation/roles/tls_certificate/tasks/main.yml
@@ -27,4 +27,4 @@
     group: "{{ tls_owner | default('postgres') }}"
     mode: "{{ tls_cert_mode | default('0644') }}"
     provider: "{{ tls_cert_provider | default('selfsigned') }}"
-    entrust_not_after: "{{ tls_cert_entrust_not_after | default('+3650d') }}"
+    entrust_not_after: "+{{ tls_cert_valid_days | default(3650) }}d"
diff --git a/automation/vars/main.yml b/automation/vars/main.yml
index cddb53db6..4eb600936 100644
--- a/automation/vars/main.yml
+++ b/automation/vars/main.yml
@@ -176,6 +176,7 @@ consul_services:
 
 # TLS certificate (for PostgreSQL & PGBouncer)
 tls_cert_generate: true
+tls_cert_valid_days: 3650
 tls_cert_path: "{{ postgresql_home_dir }}/tls/server.crt"
 tls_privatekey_path: "{{ postgresql_home_dir }}/tls/server.key"
 tls_owner: "postgres"