diff --git a/CHANGES b/CHANGES
index 69cec73f5..5404da01d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2116,3 +2116,5 @@ [6.0.0]
 * Focal support
+* Reduce duration of self-signed certs to 800 days
+
diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index b952ffe19..25e58e536 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
@@ -186,7 +186,8 @@ function generateFallbackCertificateSync(domainObject) {
 opensslConfWithSan = `${opensslConf}\n[SAN]\nsubjectAltName=DNS:${domain},DNS:*.${cn}\n`;
 let configFile = path.join(os.tmpdir(), 'openssl-' + crypto.randomBytes(4).readUInt32LE(0) + '.conf');
 safe.fs.writeFileSync(configFile, opensslConfWithSan, 'utf8');
- let certCommand = util.format(`openssl req -x509 -newkey rsa:2048 -keyout ${keyFilePath} -out ${certFilePath} -days 3650 -subj /CN=*.${cn} -extensions SAN -config ${configFile} -nodes`);
+ // the days field is chosen to be less than 825 days per apple requirement (https://support.apple.com/en-us/HT210176)
+ let certCommand = util.format(`openssl req -x509 -newkey rsa:2048 -keyout ${keyFilePath} -out ${certFilePath} -days 800 -subj /CN=*.${cn} -extensions SAN -config ${configFile} -nodes`);
 if (!safe.child_process.execSync(certCommand)) return { error: new BoxError(BoxError.OPENSSL_ERROR, safe.error.message) };
 safe.fs.unlinkSync(configFile);
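Review bot: The `800` literal and its justifying comment are now duplicated in the generateFallbackCertificateSync hunk and again in the writeDefaultConfig hunk that follows, so the two self-signed cert lifetimes can silently drift apart the next time one is tuned. A single module-level constant, `const SELF_SIGNED_CERT_DAYS = 800; // must stay below 825 days (https://support.apple.com/en-us/HT210176)`, used as `-days ${SELF_SIGNED_CERT_DAYS}` in both commands, keeps the rule and the rationale in one place. The rewritten `let certCommand` is never reassigned within the hunk, so it should be `const certCommand`. The command is still assembled as a single shell string with `cn`, `domain` and the temp paths interpolated into it; if the `safe` wrapper exposes `execFileSync`, passing `'openssl'` with an argument array avoids depending on those values being shell-safe, though what validation `cn` has already received is not visible here. generateFallbackCertificateSync begins before this hunk.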
@@ -657,7 +658,8 @@ function writeDefaultConfig(options, callback) {
 debug('writeDefaultConfig: create new cert');
 const cn = 'cloudron-' + (new Date()).toISOString(); // randomize date a bit to keep firefox happy
- if (!safe.child_process.execSync(`openssl req -x509 -newkey rsa:2048 -keyout ${keyFilePath} -out ${certFilePath} -days 3650 -subj /CN=${cn} -nodes`)) {
+ // the days field is chosen to be less than 825 days per apple requirement (https://support.apple.com/en-us/HT210176)
+ if (!safe.child_process.execSync(`openssl req -x509 -newkey rsa:2048 -keyout ${keyFilePath} -out ${certFilePath} -days 800 -subj /CN=${cn} -nodes`)) {
 debug(`writeDefaultConfig: could not generate certificate: ${safe.error.message}`);
 return callback(new BoxError(BoxError.OPENSSL_ERROR, safe.error));
 }
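Review bot: Cutting the default certificate's validity from 3650 to 800 days makes it far more likely to expire during an installation's lifetime, and nothing in this hunk (or the generateFallbackCertificateSync hunk above) checks an existing certificate's expiry before reusing it; the `create new cert` branch is visible but the condition that enters it is not, so this may already be handled outside the hunk. If it is not, the caller should verify the existing cert's notAfter (for example via `openssl x509 -checkend`) and regenerate when it is near expiry, otherwise the shorter lifetime turns into an outage roughly 2.2 years after install rather than a hardening. A short comment on the regeneration condition, such as `// regenerate when the existing cert is missing or within N days of expiry`, would document the intended lifecycle. writeDefaultConfig starts before and continues after this hunk.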