From 9ceb47686eb8b0c21fdeb628baa39c3debdab3eb Mon Sep 17 00:00:00 2001 From: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Date: Wed, 19 Nov 2025 22:29:22 +0100 Subject: [PATCH] Document certificate minimum validity period for automatic renewal (#35816) --- articles/connect-end-user-to-wifi-with-certificate.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/articles/connect-end-user-to-wifi-with-certificate.md b/articles/connect-end-user-to-wifi-with-certificate.md index 03444c792e..7a27cca947 100644 --- a/articles/connect-end-user-to-wifi-with-certificate.md +++ b/articles/connect-end-user-to-wifi-with-certificate.md @@ -484,6 +484,8 @@ SELECT 1 FROM certificates WHERE path = '/opt/company/certificate.pem' AND not_v Fleet will automatically renew certificates on Apple (macOS, iOS, iPadOS) hosts 30 days before expiration. If the entire validity period is less than 30 days (e.g. 20 days), Fleet will automatically renew at half the validity period (e.g 10 days). +Automatic renewal is only supported if the validity period is set to 2 days or longer. + If an end user is on vacation (offline for more than 30 days), their certificate might expire, and they'll lose access to Wi-Fi or VPN. To reconnect them, ask your end users to temporarily connect to a different network so that Fleet can deliver a new certificate. > Currently, for NDES, Smallstep, and custom SCEP CAs, Fleet requires that the ⁠`$FLEET_VAR_SCEP_RENEWAL_ID` variable is in the certificate's OU (Organizational Unit) for automatic renewal to work. For some CAs, including [NDES](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/active-directory-domain-services-maximum-limits?utm_source=chatgpt.com#:~:text=OU%20names%20can%20only%20be%2064%20characters%20long.), the OU has a maximum length of 64 characters so any characters beyond this limit get truncated, causing the renewal to fail.
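Review bot: The added sentence "Automatic renewal is only supported if the validity period is set to 2 days or longer." does not say what happens to a certificate issued with a shorter validity period, and it leaves the preceding sentence ("If the entire validity period is less than 30 days ... Fleet will automatically renew at half the validity period") reading as if it applied to any short-lived certificate. An admin who configures a validity period under 2 days needs to know that the certificate will simply expire without renewal and the host will lose Wi-Fi or VPN access, if that is the behaviour. Consider stating the outcome explicitly and bounding the half-validity rule in the same paragraph, for example "If the validity period is less than 30 days but at least 2 days, Fleet renews at half the validity period; certificates valid for less than 2 days are not renewed automatically." Separately, the NDES link in the trailing context line carries a `utm_source` tracking parameter that could be dropped in a follow-up.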