diff --git a/src/etc/inc/plugins.inc.d/webgui.inc b/src/etc/inc/plugins.inc.d/webgui.inc
index 8acbbd7c2..2d5dc260f 100644
--- a/src/etc/inc/plugins.inc.d/webgui.inc
+++ b/src/etc/inc/plugins.inc.d/webgui.inc
@@ -100,7 +100,7 @@ function webgui_configure_do($verbose = false, $interface = '')
/* XXX ought to be replaced by PHP calls */
'/usr/local/bin/openssl req -new -extensions server_cert ' .
'-config /usr/local/etc/ssl/opnsense.cnf ' .
- '-newkey rsa:4096 -sha256 -days 365 -nodes -x509 ' .
+ '-newkey rsa:4096 -sha256 -nodes -x509 ' .
'-subj "/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense" ' .
'-keyout /tmp/ssl.key -out /tmp/ssl.crt'
);
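Review bot: Dropping `-days` from this `openssl req ... -x509` call most likely shortens the self-signed web GUI certificate instead of lengthening it. With `-x509` and no `-days`, `openssl req` falls back to its built-in 30-day default. The `default_days` value raised in opnsense.cnf is read by `openssl ca`, not by `req`; in the cnf hunk it sits beside `crl_extensions` and `default_crl_days`, which suggests the CA section. Keep the flag and set it explicitly, e.g. `'-newkey rsa:4096 -sha256 -days 825 -nodes -x509 ' .`, with a short comment that the config default does not apply to this command. The body of webgui_configure_do starts and ends outside the hunk.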
diff --git a/src/etc/ssl/opnsense.cnf b/src/etc/ssl/opnsense.cnf
index 8a15076aa..1857ba322 100644
--- a/src/etc/ssl/opnsense.cnf
+++ b/src/etc/ssl/opnsense.cnf
@@ -71,7 +71,7 @@ cert_opt = ca_default # Certificate field options
# crlnumber must also be commented out to leave a V1 CRL.
crl_extensions = crl_ext
-default_days = 365 # how long to certify for
+default_days = 825 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
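Review bot: The new `default_days = 825` carries no explanation, and the trailing comment still only says "how long to certify for". 825 days matches the maximum validity that Apple platforms accept for TLS server certificates, which is presumably the motive, but nothing in the file records that. A comment such as `# how long to certify for (825 days: longest server certificate validity accepted by some TLS clients)` would keep a later maintainer from raising it again.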
diff --git a/src/wizard/openvpn.xml b/src/wizard/openvpn.xml
index b7e319ab0..384099353 100644
--- a/src/wizard/openvpn.xml
+++ b/src/wizard/openvpn.xml
@@ -384,8 +384,8 @@
Lifetime
input
10
- 365
- Lifetime in days. This is commonly set to 365 (Approximately 1 year.)
+ 825
+ Lifetime in days. This is commonly set to 825 (approximately 2 years).
wizardtemp->step6->lifetime
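Review bot: The new help text calls 825 days "approximately 2 years", but 825 days is about 2 years and 3 months, so the wording understates the lifetime an administrator accepts by keeping the default. "This is commonly set to 825" also reads as established practice rather than a ceiling. Wording along the lines of `Lifetime in days. The default of 825 is approximately 27 months; shorter lifetimes are fine.` would be more accurate. The same sentence is repeated in the second hunk of this file (the step9 field) and should change with it.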
@@ -511,10 +511,10 @@
lifetime
Lifetime
- Lifetime in days. This is commonly set to 365 (Approximately 1 year.)
+ Lifetime in days. This is commonly set to 825 (approximately 2 years).
input
10
- 365
+ 825
wizardtemp->step9->lifetime
diff --git a/src/www/system_camanager.php b/src/www/system_camanager.php
index 364dcadc2..8fc90a3bb 100644
--- a/src/www/system_camanager.php
+++ b/src/www/system_camanager.php
@@ -185,7 +185,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig['keytype'] = "RSA";
$pconfig['keylen'] = "2048";
$pconfig['digest_alg'] = "sha256";
- $pconfig['lifetime'] = "365";
+ $pconfig['lifetime'] = "825";
$pconfig['dn_commonname'] = "internal-ca";
} elseif ($act == "exp") {
if (!isset($id)) {
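Review bot: This default is for the CA form (the same block prefills `dn_commonname` with `internal-ca`), and it now gives a new CA the same 825-day lifetime as the leaf default set in system_certmanager.php. A leaf issued with the default lifetime at any point after the CA was created will have a notAfter date later than its issuer's and will stop validating when the CA expires. The trust anchor also has to be rolled over and redistributed roughly every two years. If 825 was chosen because of limits that clients place on server certificates, it need not apply to the CA. Consider a longer CA default, for example `$pconfig['lifetime'] = "3650";` (value illustrative), or a comment explaining why the two match; the enclosing `if`/`elseif` chain continues outside the hunk.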
diff --git a/src/www/system_certmanager.php b/src/www/system_certmanager.php
index aaec3373c..67946f58c 100644
--- a/src/www/system_certmanager.php
+++ b/src/www/system_certmanager.php
@@ -280,8 +280,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig['csr_keytype'] = "RSA";
$pconfig['csr_keylen'] = "2048";
$pconfig['csr_digest_alg'] = "sha256";
- $pconfig['lifetime'] = "365";
- $pconfig['lifetime_sign_csr'] = "365";
+ $pconfig['lifetime'] = "825";
+ $pconfig['lifetime_sign_csr'] = "825";
$pconfig['cert_type'] = "usr_cert";
$pconfig['cert'] = null;
$pconfig['key'] = null;
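Review bot: Both prefilled lifetimes become 825 regardless of certificate type, while `cert_type` defaults to `usr_cert` two lines below. For user or client certificates a longer default mainly widens the window in which a lost or stolen key stays usable, so it leans harder on revocation being maintained and checked. The literal is also repeated here and in several other files of this commit with no stated reason. A comment above these lines would help, e.g. `// 825 days: upper bound some TLS clients accept for server certificates; prefer shorter for user certificates`. Whether the submitted value is range-checked on POST is not visible in this hunk.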