Currently our internal CA is always issued for 10 years during the initial engine-setup. This carries over upgrades and on old enough installations we can get close to expiration. We don't have an easy way how to replace internal CA without complete downtime, and running over the expiration date leads to a complete cease of communication between all oVirt components. 20 years sounds slightly better
best to apply to QEMU CA as well. Not that VMs stick around running for such a long time, but just so we don't differ and don't have to renew at different times.
Verified in ovirt-engine-4.5.0.7-0.9.el8ev.noarch # openssl x509 -text -in ca.pem .... Validity Not Before: May 11 13:54:00 2022 GMT Not After : May 7 13:54:00 2042 GMT ....