authorMorten Tokle <mortent@verizonmedia.com>2021-01-12 09:50:57 +0100
committerMorten Tokle <mortent@verizonmedia.com>2021-01-12 09:50:57 +0100
commit0b0860e49eca445b7977e43575e3c72fe1263d8b (patch)
tree2c6016aab6afe5dc0a5ea1efbea62c3622db2c69 /vespa-athenz
parente13f6a8439416f885efa45b7fe5467655ded72dd (diff)
Reduce role cert ttl, log expiry
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java3
1 files changed, 2 insertions, 1 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
index ef38ca8c6ad..7b13332052f 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
@@ -67,7 +67,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
// TODO These should match the requested expiration
static final Duration UPDATE_PERIOD = Duration.ofDays(1);
static final Duration AWAIT_TERMINTATION_TIMEOUT = Duration.ofSeconds(90);
- private final static Duration ROLE_SSL_CONTEXT_EXPIRY = Duration.ofHours(24);
+ private final static Duration ROLE_SSL_CONTEXT_EXPIRY = Duration.ofHours(2);
private final static Duration ROLE_TOKEN_EXPIRY = Duration.ofMinutes(30);
// TODO Make path to trust store paths config
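Review bot: The two-hour `ROLE_SSL_CONTEXT_EXPIRY` now sits beside `UPDATE_PERIOD = Duration.ofDays(1)` under a TODO saying these should match the requested expiration, and nothing in this hunk shows which constant paces role-certificate refresh. If any refresh path for role SSL contexts still follows `UPDATE_PERIOD`, a cached context could keep presenting a certificate well past its expiry, so it is worth confirming that refresh happens comfortably inside the two hours and is retried on failure. The call visible in the second hunk, `client.getRoleCertificate(role, csr)`, passes no lifetime, so this constant appears to govern local caching rather than the TTL that ZTS issues. If that is the case, a comment such as `// Cache lifetime for role SSL contexts; the certificate's actual notAfter is set by ZTS` would prevent the name being read as the issued TTL.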
@@ -280,6 +280,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
try (ZtsClient client = createZtsClient()) {
X509Certificate roleCertificate = client.getRoleCertificate(role, csr);
updateRoleKeyManager(role, roleCertificate);
+ log.info(String.format("Requester role certificate for role %s, expires: %s", role.toResourceNameString(), roleCertificate.getNotAfter().toInstant().toString()));
return roleCertificate;
}
}
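Review bot: The added `log.info` message reads "Requester role certificate", which looks like a typo for "Requested" and will make the entry harder to find when correlating certificate-expiry problems across nodes. The trailing `.toString()` on `toInstant()` is redundant under `%s`, so the line could read `log.info(String.format("Requested role certificate for role %s, expires: %s", role.toResourceNameString(), roleCertificate.getNotAfter().toInstant()));`. Because the point of the entry is to observe what lifetime was actually issued, logging `getNotBefore()` alongside it would let a reader see the granted validity window without knowing the request time. The enclosing method starts outside this hunk, so whether this path runs on every refresh (and how often the line is emitted at info level) cannot be judged from here.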