diff --git a/server/lib/src/constants/mod.rs b/server/lib/src/constants/mod.rs
index 2af5b675f..4159230ef 100644
--- a/server/lib/src/constants/mod.rs
+++ b/server/lib/src/constants/mod.rs
@@ -150,6 +150,10 @@ pub const OAUTH2_ACCESS_TOKEN_EXPIRY: u32 = 15 * 60;
 /// we warn about possible clock synchronisation issues.
 pub const REPL_SUPPLIER_ADVANCE_WINDOW: Duration = Duration::from_secs(600);
+/// The number of days that the default replication MTLS cert lasts for when
+/// configured manually. Defaults to 4 years (including 1 day for the leap year).
+pub const REPL_MTLS_CERTIFICATE_DAYS: u32 = 1461;
+
 /// The default number of entries that a user may retrieve in a search
 pub const DEFAULT_LIMIT_SEARCH_MAX_RESULTS: u64 = 1024;
 /// The default number of entries than an api token may retrieve in a search;
diff --git a/server/lib/src/repl/supplier.rs b/server/lib/src/repl/supplier.rs
index 3c0ad478e..93fa3a675 100644
--- a/server/lib/src/repl/supplier.rs
+++ b/server/lib/src/repl/supplier.rs
@@ -15,16 +15,18 @@ impl<'a> QueryServerWriteTransaction<'a> {
 domain_name: &str,
 ) -> Result<(PKey, X509), OperationError> {
 // Invalid, must need to re-generate.
- let expiration_days = 180;
 let s_uuid = self.get_server_uuid();
- let (private, x509) =
- build_self_signed_server_and_client_identity(s_uuid, domain_name, expiration_days)
- .map_err(|err| {
- error!(?err, "Unable to generate self signed key/cert");
- // What error?
- OperationError::CryptographyError
- })?;
+ let (private, x509) = build_self_signed_server_and_client_identity(
+ s_uuid,
+ domain_name,
+ REPL_MTLS_CERTIFICATE_DAYS,
+ )
+ .map_err(|err| {
+ error!(?err, "Unable to generate self signed key/cert");
+ // What error?
+ OperationError::CryptographyError
+ })?;
 let kh = KeyHandle::X509Key {
 private: private.clone(),
diff --git a/tools/cli/src/cli/oauth2.rs b/tools/cli/src/cli/oauth2.rs
index 3130a8d69..65f0f39c5 100644
--- a/tools/cli/src/cli/oauth2.rs
+++ b/tools/cli/src/cli/oauth2.rs
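Review bot: The doc comment on REPL_MTLS_CERTIFICATE_DAYS says the value applies "when configured manually", but the only use this commit adds is in supplier.rs, where it is passed to build_self_signed_server_and_client_identity on the path the code itself labels "Invalid, must need to re-generate"; the comment and the use disagree. I would reword it to `/// Validity, in days, of the self-signed replication MTLS certificate the server generates for itself: 4 years (1461 days, including one leap day).`. Since this replaces a hard-coded 180-day lifetime, the comment should also say what causes a fresh identity to be generated, so the longer window is read as the expected rotation interval rather than an open-ended one; I cannot tell from the hunk what "invalid" covers, so that sentence needs to come from the author.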
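Review bot: REPL_MTLS_CERTIFICATE_DAYS is used in the rewritten call without a visible import in this hunk; if supplier.rs does not already pull the crate constants in through a glob import, `use crate::constants::REPL_MTLS_CERTIFICATE_DAYS;` is needed for this to build. The `// What error?` comment is carried into the new closure unchanged and reads as an open question left in the code; since every failure is already logged via `error!` and then mapped to OperationError::CryptographyError, replacing it with `// Underlying cause is in the log above; callers only need to know key/cert generation failed.` would close it. The enclosing function starts before and ends after this hunk.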
@@ -1,8 +1,8 @@
+use crate::common::OpType;
+use crate::{handle_client_error, Oauth2Opt, OutputMode};
 use anyhow::{Context, Error};
 use std::fs::read;
 use std::process::exit;
-use crate::common::OpType;
-use crate::{handle_client_error, Oauth2Opt, OutputMode};
 use crate::Oauth2ClaimMapJoin;
 use kanidm_proto::internal::{ImageValue, Oauth2ClaimMapJoin as ProtoOauth2ClaimMapJoin};
@@ -301,10 +301,7 @@ impl Oauth2Opt {
 Oauth2Opt::RemoveImage(nopt) => {
 let client = nopt.copt.to_client(OpType::Write).await;
- match client
- .idm_oauth2_rs_delete_image(nopt.name.as_str())
- .await
- {
+ match client.idm_oauth2_rs_delete_image(nopt.name.as_str()).await {
 Ok(_) => println!("Success"),
 Err(e) => handle_client_error(e, nopt.copt.output_mode),
 }