diff --git a/agent/connect/ca/provider.go b/agent/connect/ca/provider.go
index 6f40e7b97f8e..2ef34228bc48 100644
--- a/agent/connect/ca/provider.go
+++ b/agent/connect/ca/provider.go
@@ -135,8 +135,11 @@ type PrimaryProvider interface {
 	// provider.
 	//
 	// Depending on the provider and its configuration, GenerateCAChain may return
-	// a single root certificate or a chain of certs. The provider should return an
-	// existing CA chain if one exists or generate a new one and return it.
+	// a single root certificate or a chain of certs.
+	// The first certificate must be the primary CA used to sign intermediates for
+	// secondary datacenters, and the last certificate must be the trusted CA.
+	// The provider should return an existing CA chain if one exists or generate a
+	// new one and return it.
 	GenerateCAChain() (string, error)
 
 	// SignIntermediate will validate the CSR to ensure the trust domain in the
diff --git a/agent/structs/connect_ca.go b/agent/structs/connect_ca.go
index 63543fd87e1d..c8a7cea1df8a 100644
--- a/agent/structs/connect_ca.go
+++ b/agent/structs/connect_ca.go
@@ -17,8 +17,8 @@ import (
 )
 
 const (
-	DefaultLeafCertTTL = "15min"
-	DefaultIntermediateCertTTL = "1h" // ~ 1 year = 365 * 24h
+	DefaultLeafCertTTL = "72h"
+	DefaultIntermediateCertTTL = "8760h" // ~ 1 year = 365 * 24h
 	DefaultRootCertTTL = "87600h" // ~ 10 years = 365 * 24h * 10
 )
 
@@ -433,12 +433,12 @@ type CommonCAProviderConfig struct {
 	PrivateKeyBits int
 }
 
-var MinLeafCertTTL = time.Minute
+var MinLeafCertTTL = time.Hour
 var MaxLeafCertTTL = 365 * 24 * time.Hour
 
 // intermediateCertRenewInterval is the interval at which the expiration
 // of the intermediate cert is checked and renewed if necessary.
-var IntermediateCertRenewInterval = 30 * time.Minute
+var IntermediateCertRenewInterval = time.Hour
 
 func (c CommonCAProviderConfig) Validate() error {
 	if c.SkipValidate {
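Review bot: The new GenerateCAChain comment calls the same certificate a "root certificate" in the first sentence and "the trusted CA" in the next, which leaves it unclear whether the last element must be self-signed or merely trusted; use one term, e.g. `// secondary datacenters, and the last certificate must be the trusted root CA.`. The comment also fixes only the first and last positions and says nothing about certificates in between; if the intended contract is that each certificate is signed by the one after it, stating that here would let implementers and callers agree on it without reading each provider. Nothing in this hunk shows the ordering being checked anywhere, so a reader has to assume the contract is enforced only by convention.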
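Review bot: `DefaultLeafCertTTL = "72h"` is the only one of the three defaults without a comment spelling out the span, while the intermediate and root defaults both carry one; adding `// 3 days` keeps the block consistent and makes it visible at a glance that the leaf default lies inside the MinLeafCertTTL/MaxLeafCertTTL bounds declared further down in this file. These defaults are strings rather than time.Duration values, so their units are only checked when they are parsed somewhere outside this hunk (presumably with time.ParseDuration, which does not accept a unit like "min"); a one-line comment on the const block naming the expected duration syntax would head off a future unparseable default. A shorter leaf TTL also bounds how long a leaked leaf key stays usable, so a brief note on why 72h was chosen would help whoever tunes it next.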
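Review bot: The doc comment above `IntermediateCertRenewInterval` still begins with the lowercase `intermediateCertRenewInterval`, so godoc will not associate it with the exported name; change it to `// IntermediateCertRenewInterval is the interval at which the expiration`. `MinLeafCertTTL` gets a new value but still has no doc comment; something like `// MinLeafCertTTL is the smallest leaf certificate TTL accepted by Validate.` would do, though Validate's body continues outside the hunk so the exact check cannot be confirmed from here. Both bounds are exported `var`s rather than constants, so any importing package can change them at runtime; if that is intentional (for example for tests), saying so in the comment prevents someone from "fixing" it to `const` later.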