diff --git a/hooks/blueprint b/hooks/blueprint
index 033743e..b35d93a 100755
--- a/hooks/blueprint
+++ b/hooks/blueprint
@@ -13,6 +13,7 @@ manifests=( \
   "upstream/templates/app-autoscaler-deployment.yml" \
   "overlay/base.yml" \
   "overlay/ten-year-ca-expiry.yml" \
+  "overlay/two-year-leaf-expiry.yml" \
   "overlay/db-persistent-disk.yml" \
   "overlay/upstream_version.yml" \
   "overlay/change_deployment_and_network.yml" \
diff --git a/overlay/two-year-leaf-expiry.yml b/overlay/two-year-leaf-expiry.yml
new file mode 100644
index 0000000..1b2214d
--- /dev/null
+++ b/overlay/two-year-leaf-expiry.yml
@@ -0,0 +1,19 @@
+# CAs should last 10 years instead of the default Credhub 1y
+variables:
+
+- { name: apiserver_client,               options: { duration: 730 } }
+- { name: apiserver_public_server,        options: { duration: 730 } }
+- { name: apiserver_server,               options: { duration: 730 } }
+- { name: eventgenerator_client,          options: { duration: 730 } }
+- { name: eventgenerator_server,          options: { duration: 730 } }
+- { name: metricsserver_client,           options: { duration: 730 } }
+- { name: metricsserver_server,           options: { duration: 730 } }
+- { name: postgres_server,                options: { duration: 730 } }
+- { name: scalingengine_client,           options: { duration: 730 } }
+- { name: scalingengine_server,           options: { duration: 730 } }
+- { name: scheduler_client,               options: { duration: 730 } }
+- { name: scheduler_server,               options: { duration: 730 } }
+- { name: servicebroker_client,           options: { duration: 730 } }
+- { name: servicebroker_public_server,    options: { duration: 730 } }
+- { name: servicebroker_server,           options: { duration: 730 } }
+