diff --git a/charts/pulsar/templates/tls-cert-internal-issuer.yaml b/charts/pulsar/templates/tls-cert-internal-issuer.yaml
index 6a7d25d..60ac91a 100644
--- a/charts/pulsar/templates/tls-cert-internal-issuer.yaml
+++ b/charts/pulsar/templates/tls-cert-internal-issuer.yaml
@@ -36,6 +36,8 @@ metadata:
 spec:
   secretName: "{{ .Release.Name }}-ca-tls"
   commonName: "{{ template "pulsar.namespace" . }}.svc.{{ .Values.clusterDomain }}"
+  duration: "{{ .Values.certs.internal_issuer.duration }}"
+  renewBefore: "{{ .Values.certs.internal_issuer.renewBefore }}"
   usages:
     - server auth
     - client auth
diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml
index dcaf283..1fdca0e 100644
--- a/charts/pulsar/values.yaml
+++ b/charts/pulsar/values.yaml
@@ -260,6 +260,10 @@ certs:
     enabled: false
     component: internal-cert-issuer
     type: selfsigning
+    # 90d
+    duration: 2160h
+    # 15d
+    renewBefore: 360h
   issuers:
     selfsigning: