diff --git a/yubikey-ca-java/README.md b/yubikey-ca-java/README.md
index 7627600..a3a9c71 100644
--- a/yubikey-ca-java/README.md
+++ b/yubikey-ca-java/README.md
@@ -13,7 +13,7 @@ $ java -jar yubikey-ca-java.jar --generate-keypair --keypair-type secp256r1
 ```shell
 $ java -jar yubikey-ca-java.jar --issue-root-ca \
- --sign-slot 88 --subject 'CN=Hatter Yubikey EC Root CA' \
+ --sign-slot 88 --subject 'CN=Hatter EC Root CA' \
 --pin ****** \
 [--add-to-remote]
 ```
@@ -22,8 +22,8 @@ $ java -jar yubikey-ca-java.jar --issue-root-ca \
 ```shell
 $ java -jar yubikey-ca-java.jar --issue-intermediate-ca \
- --sign-slot 88 --subject 'CN=Hatter Yubikey EC Intermediate CA' \
- --cert-slot 89 --root-ca-id 39 \
+ --sign-slot 88 --subject 'CN=Hatter EC Intermediate CA' \
+ --cert-slot 89 --root-ca-id 43 \
 --pin ****** \
 [--add-to-remote]
 ```
@@ -33,7 +33,7 @@ $ java -jar yubikey-ca-java.jar --issue-intermediate-ca \
 ```shell
 $ java -jar yubikey-ca-java.jar --issue-server-ca \
 --sign-slot 89 --subject 'CN=hatter-test' \
- --intermediate-ca-id 40 --keypair-type secp256r1 \
+ --intermediate-ca-id 44 --keypair-type secp256r1 \
 --dns-name a.example.com --dns-name b.example.com \
 --pin ****** \
 [--add-to-remote]
@@ -44,7 +44,7 @@ $ java -jar yubikey-ca-java.jar --issue-server-ca \
 ```shell
 $ java -jar yubikey-ca-java.jar --issue-client-ca \
 --sign-slot 89 --subject 'CN=hatter-test' \
- --intermediate-ca-id 40 --keypair-type secp256r1 \
+ --intermediate-ca-id 44 --keypair-type secp256r1 \
 --pin ****** \
 [--add-to-remote]
 ```
diff --git a/yubikey-ca-java/src/main/java/me/hatter/tools/yubikeyca/YubikeyCaArgs.java b/yubikey-ca-java/src/main/java/me/hatter/tools/yubikeyca/YubikeyCaArgs.java
index 60769c1..85694a8 100644
--- a/yubikey-ca-java/src/main/java/me/hatter/tools/yubikeyca/YubikeyCaArgs.java
+++ b/yubikey-ca-java/src/main/java/me/hatter/tools/yubikeyca/YubikeyCaArgs.java
@@ -59,6 +59,9 @@ public class YubikeyCaArgs {
 @Option(names = {"--add-to-remote"}, description = "Add certificate to remote")
 boolean addToRemote = false;
+ @Option(names = {"--valid-years"}, description = "Certificate valid years")
+ Integer validYears;
+
 @Option(names = {"-h", "--help"}, usageHelp = true, description = "Display a help message")
 boolean helpRequested = false;
diff --git a/yubikey-ca-java/src/main/java/me/hatter/tools/yubikeyca/YubikeyCaMain.java b/yubikey-ca-java/src/main/java/me/hatter/tools/yubikeyca/YubikeyCaMain.java
index 6ad9ba9..7c7663d 100644
--- a/yubikey-ca-java/src/main/java/me/hatter/tools/yubikeyca/YubikeyCaMain.java
+++ b/yubikey-ca-java/src/main/java/me/hatter/tools/yubikeyca/YubikeyCaMain.java
@@ -72,7 +72,7 @@ public class YubikeyCaMain {
 .subject(args.subject)
 .signCert(interCertificate)
 .certPubKey(keyPair.getPublic())
- .validYears(2)
+ .validYears(validYears(args, 2))
 .customerSigner(new CardCliPivCustomerSigner(
 args.pin, args.signSlot, signPivMeta.getAlgorithm(), cardCliCmd));
@@ -113,7 +113,7 @@ public class YubikeyCaMain {
 .subject(args.subject)
 .signCert(rootCertificate)
 .certPubKey(certPivMeta.getPublicKey())
- .validYears(10)
+ .validYears(validYears(args, 10))
 .customerSigner(new CardCliPivCustomerSigner(
 args.pin, args.signSlot, certPivMeta.getAlgorithm(), cardCliCmd))
 .createIntermediateCert();
@@ -134,7 +134,7 @@ public class YubikeyCaMain {
 final X509Certificate rootCa = CertificateAuthority.instance()
 .subject(args.subject)
 .certPubKey(signPivMeta.getPublicKey())
- .validYears(40)
+ .validYears(validYears(args, 40))
 .customerSigner(new CardCliPivCustomerSigner(
 args.pin, args.signSlot, signPivMeta.getAlgorithm(), cardCliCmd))
 .createCA();
@@ -184,4 +184,8 @@ public class YubikeyCaMain {
 }
 return pkType;
 }
+
+ private static int validYears(YubikeyCaArgs args, int validYears) {
+ return (args.validYears != null) ? args.validYears : validYears;
+ }
 }
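Review bot: The new `--valid-years` option is declared as a bare `Integer` with the description "Certificate valid years", so the help text gives the operator no idea what the flag overrides, and nothing on this side rejects 0 or a negative value. The same flag is consumed by every issuing command in YubikeyCaMain, each with a different built-in default, so I would spell those out: `@Option(names = {"--valid-years"}, description = "Certificate validity in years; overrides the per-command default (40 for the root CA, 10 for the intermediate CA, 2 for certificates signed by the intermediate CA)")`. The range check itself belongs in YubikeyCaMain.validYears, where the value is consumed for all three call sites.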
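Review bot: `validYears(YubikeyCaArgs, int)` in the last hunk hands `args.validYears` back without any range check, so `--valid-years 0` or a negative value reaches `.validYears(...)` at all three call sites in the earlier hunks (the ones replacing the literals 2, 10 and 40) and would produce a certificate whose notAfter is at or before its notBefore, or whatever CertificateAuthority does with a non-positive span, which I cannot see from here. Guarding once in the helper covers every caller: `if (args.validYears != null && args.validYears <= 0) throw new IllegalArgumentException("--valid-years must be positive, got " + args.validYears);` ahead of the return, and renaming the `int` parameter to `defaultYears` would stop it shadowing the method name. It is also worth confirming whether the builder clamps a child certificate's notAfter to the signer's, since a large override on the leaf or intermediate command can otherwise outlive its issuer. A one-line Javadoc on the helper ("returns the CLI override when given, else the caller's per-certificate-type default") would document the precedence.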
diff --git a/yubikey-ca-java/src/main/java/me/hatter/tools/yubikeyca/cardcli/CardCliUtil.java b/yubikey-ca-java/src/main/java/me/hatter/tools/yubikeyca/cardcli/CardCliUtil.java
index 4d15817..f909681 100644
--- a/yubikey-ca-java/src/main/java/me/hatter/tools/yubikeyca/cardcli/CardCliUtil.java
+++ b/yubikey-ca-java/src/main/java/me/hatter/tools/yubikeyca/cardcli/CardCliUtil.java
@@ -5,7 +5,6 @@ import com.alibaba.fastjson.JSONObject;
 import me.hatter.tools.commons.assertion.AssertUtil;
 import me.hatter.tools.commons.bytes.Bytes;
 import me.hatter.tools.commons.collection.CollectionUtil;
-import me.hatter.tools.commons.collection.Tuple2;
 import me.hatter.tools.commons.io.IOUtil;
 import me.hatter.tools.commons.log.LogTool;
 import me.hatter.tools.commons.log.LogTools;
@@ -13,7 +12,6 @@ import me.hatter.tools.commons.security.key.KeyUtil;
 import me.hatter.tools.commons.string.StringUtil;
 import java.nio.charset.StandardCharsets;
-import java.security.PublicKey;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;