diff --git a/certificates.go b/certificates.go
index 697c539..5c1662c 100644
--- a/certificates.go
+++ b/certificates.go
@@ -8,7 +8,9 @@ import (
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"errors"
+	"fmt"
 	"math/big"
+	"strconv"
 	"time"
 )
@@ -60,7 +62,6 @@ func genPrivKey() (privKeyPEM *bytes.Buffer, err error) {
 		Bytes: privKeyPKCS8,
 	})
-	return
 }
@@ -133,6 +134,17 @@ func genClientCert(privKey, caPrivKey *rsa.PrivateKey, ca *x509.Certificate, cn
 	serialNumberRange := new(big.Int).Lsh(big.NewInt(1), 128)
 	serial, err := rand.Int(rand.Reader, serialNumberRange)
+	certLifetimeDays, err := strconv.Atoi(*clientCertExpirationDays)
+	if err != nil {
+		return nil, fmt.Errorf("can't get client certificate expiration value: %w", err)
+	}
+
+	notBefore := time.Now()
+	notAfter := notBefore.Add(time.Duration(certLifetimeDays) * 24 * time.Hour)
+	if notAfter.After(ca.NotAfter) {
+		notAfter = ca.NotAfter
+	}
+
 	template := x509.Certificate{
 		BasicConstraintsValid: true,
 		DNSNames:              []string{cn},
@@ -142,8 +154,8 @@ func genClientCert(privKey, caPrivKey *rsa.PrivateKey, ca *x509.Certificate, cn
 		},
 		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
 		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
-		NotBefore:   time.Now(),
-		NotAfter:    ca.NotAfter,
+		NotBefore:   notBefore,
+		NotAfter:    notAfter,
 	}
 	issuerBytes, err := x509.CreateCertificate(rand.Reader, &template, ca, &privKey.PublicKey, caPrivKey)
diff --git a/main.go b/main.go
index 1eb3cb7..d9a8a64 100644
--- a/main.go
+++ b/main.go
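Review bot: Removing the bare `return` in genPrivKey leaves the function without a terminating statement: the hunk header still shows the named results `(privKeyPEM *bytes.Buffer, err error)` and the line right after the removal is the closing brace, so the compiler should reject this with "missing return" unless the body above line 60 was changed somewhere this diff does not show. If the intent is to get rid of the naked return, make it explicit instead, `return privKeyPEM, err`, which also makes it visible that the pem.Encode error is what gets propagated. The start of genPrivKey's body is outside the hunk.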
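Review bot: The new `certLifetimeDays, err := strconv.Atoi(...)` line overwrites the `err` from `rand.Int` on the line above before anything checks it, so a failed serial-number draw is silently lost and the code carries on with a nil `serial` into `x509.CreateCertificate`, which then fails with a less specific error. The parsed value is also not range-checked: `0` or a negative number produces a certificate whose NotAfter precedes NotBefore, and very large values (above roughly 106,751 days) overflow `time.Duration`, so `notAfter` wraps into the past and the `notAfter.After(ca.NotAfter)` clamp never fires. Check the rand.Int error first and reject non-positive or implausibly large day counts before computing `notAfter`, as sketched below; the upper bound is a chosen cap, not a value taken from this diff. The enclosing genClientCert signature and the rest of its body are outside the hunk.
```go
	serial, err := rand.Int(rand.Reader, serialNumberRange)
	if err != nil {
		return nil, fmt.Errorf("can't generate client certificate serial number: %w", err)
	}

	certLifetimeDays, err := strconv.Atoi(*clientCertExpirationDays)
	if err != nil {
		return nil, fmt.Errorf("can't get client certificate expiration value: %w", err)
	}
	// Reject values that would make the certificate already expired or
	// overflow time.Duration (the cap is a policy choice, well below the
	// ~106751-day overflow point).
	const maxClientCertLifetimeDays = 36500
	if certLifetimeDays <= 0 || certLifetimeDays > maxClientCertLifetimeDays {
		return nil, fmt.Errorf("client certificate expiration must be between 1 and %d days, got %d", maxClientCertLifetimeDays, certLifetimeDays)
	}
	// … unchanged: notBefore/notAfter computation and clamp to ca.NotAfter …
```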
@@ -76,6 +76,7 @@ var (
 	logLevel = kingpin.Flag("log.level", "set log level: trace, debug, info, warn, error (default info)").Default("info").Envar("LOG_LEVEL").String()
 	logFormat = kingpin.Flag("log.format", "set log format: text, json (default text)").Default("text").Envar("LOG_FORMAT").String()
 	storageBackend = kingpin.Flag("storage.backend", "storage backend: filesystem, kubernetes.secrets (default filesystem)").Default("filesystem").Envar("STORAGE_BACKEND").String()
+	clientCertExpirationDays = kingpin.Flag("client-cert.expiration-days", "Expiration period of OpenVPN client certificates in days, the period will shrink automatically to the CA expiration period").Default("3650").Envar("CLIENT_CERT_EXPIRATION_DAYS").String()
 	certsArchivePath = "/tmp/" + certsArchiveFileName
 	ccdArchivePath = "/tmp/" + ccdArchiveFileName
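Review bot: Declaring `clientCertExpirationDays` as a `String()` flag defers parsing and validation to genClientCert, so a malformed value (for example a stray unit suffix in `CLIENT_CERT_EXPIRATION_DAYS`) is only discovered when the first client certificate is issued rather than at startup. kingpin can convert at parse time with `.Default("3650").Envar("CLIENT_CERT_EXPIRATION_DAYS").Int()`, which rejects non-numeric input before the server starts and removes the per-call `strconv.Atoi` in certificates.go; a non-positive value would still need an explicit check after `kingpin.Parse()`. The help text could also say that the value must be a positive integer so the constraint is visible to operators. The enclosing `var (` block begins and ends outside the hunk.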