docs: update certificate rotation warning

jackhodgkiss · jackhodgkiss · commit d0629211643e · 2025-07-21T15:58:05.000+01:00
The original section stated that if the overcloud certificate expired it
would not have any impact the cloud however this is not true and will
cause issues with Barbican if integrated.
diff --git a/doc/source/configuration/openbao.rst b/doc/source/configuration/openbao.rst
@@ -110,10 +110,8 @@ Setup OpenBao HA on the overcloud hosts
 Rotating OpenBao certificate on the overcloud hosts
 ---------------------------------------------------
 
-The certificate for the overcloud OpenBao has an expiry time of one year. While
-the cloud won't break if this expires, it will need rotating before new
-certificates can be generated for internal PKI. If a OpenBao becomes sealed, it
-cannot be unsealed with an expired certificate.
+The certificate for the overcloud OpenBao has an expiry time of one or two years.
+This will be problematic if anything needs to interact with the OpenBao API such as issuing new certificates or Barbican integration.
 
 1. Delete the old certificate:
 
diff --git a/doc/source/configuration/vault.rst b/doc/source/configuration/vault.rst
@@ -117,10 +117,8 @@ Setup Vault HA on the overcloud hosts
 Rotating Vault certificate on the overcloud hosts
 -------------------------------------------------
 
-The certificate for the overcloud vaults has an expiry time of one year. While
-the cloud won't break if this expires, it will need rotating before new
-certificates can be generated for internal PKI. If a vault becomes sealed, it
-cannot be unsealed with an expired certificate.
+The certificate for the overcloud Vault has an expiry time of one or two years.
+This will be problematic if anything needs to interact with the Vault API such as issuing new certificates or Barbican integration.
 
 1. Delete the old certificate:
 
