How long do Vault-generated short-lived certificates typically last?

Vault-generated short-lived certificates are specifically designed to enhance security by reducing the risk associated with long-term certificate validity. These certificates typically have a lifespan ranging from 72 hours to 24 hours, ensuring that they are valid only for a limited time. This limited duration helps to minimize the potential exploitation of a compromised certificate since the window during which the certificate can be used is significantly reduced.

Vault's architecture leverages the principles of ephemeral identities and dynamic secrets, which not only improve the security posture by limiting the lifespan of credentials but also facilitate easier revocation and renewal processes. The design focus is on providing certificates that can be automatically renewed or replaced as needed, thereby maintaining security without the administrative overhead of manual certificate management.

In this context, the other stated options do not align with the intended purpose and functionality of short-lived certificates. Certificates lasting from 1 month to 1 year would lead to increased risk, and saying that they last indefinitely contradicts the very principles of ephemeral security. Additionally, the suggestion that they are only valid for the duration of a session does not accurately reflect typical configurations or use cases. The defined short lifespan reinforces the need for dynamic credential management and the overall security architecture that Vault promotes.
