diff --git a/src/actions/actions.py b/src/actions/actions.py
index a9f55be..5213423 100755
--- a/src/actions/actions.py
+++ b/src/actions/actions.py
@@ -84,6 +84,7 @@ def upload_signed_csr(*args):
 allow_any_name=action_config.get('allow-any-name'),
 max_ttl=action_config.get('max-ttl'))
 set_flag('charm.vault.ca.ready')
+ set_flag('pki.backend.tuned')
 def generate_root_ca(*args):
@@ -104,6 +105,7 @@ def generate_root_ca(*args):
 hookenv.leader_set({'root-ca': root_ca})
 hookenv.action_set({'output': root_ca})
 set_flag('charm.vault.ca.ready')
+ set_flag('pki.backend.tuned')
 def get_root_ca(*args):
diff --git a/src/lib/charm/vault_pki.py b/src/lib/charm/vault_pki.py
index 04d8e9b..cdc68af 100644
--- a/src/lib/charm/vault_pki.py
+++ b/src/lib/charm/vault_pki.py
@@ -25,8 +25,8 @@ def configure_pki_backend(client, name, ttl=None):
 backend_type='pki',
 description='Charm created PKI backend',
 mount_point=name,
- # Default ttl to 1 Year
- config={'max-lease-ttl': ttl or '87600h'})
+ # Default ttl to 10 years
+ config={'max_lease_ttl': ttl or '87600h'})
 def disable_pki_backend():
@@ -37,6 +37,20 @@ def disable_pki_backend():
 client.disable_secret_backend(CHARM_PKI_MP)
+def tune_pki_backend(ttl=None):
+ """Assert tuning options for Charm PKI backend
+
+ :param ttl: TTL
+ :type ttl: str
+ """
+ client = vault.get_local_client()
+ if vault.is_backend_mounted(client, CHARM_PKI_MP):
+ client.tune_secret_backend(
+ backend_type='pki',
+ mount_point=CHARM_PKI_MP,
+ max_lease_ttl=ttl or '87600h')
+
+
 def is_ca_ready(client, name, role):
 """Check if CA is ready for use
diff --git a/src/reactive/vault_handlers.py b/src/reactive/vault_handlers.py
index 1c2239d..106f081 100644
--- a/src/reactive/vault_handlers.py
+++ b/src/reactive/vault_handlers.py
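Review bot: Setting `pki.backend.tuned` immediately after `charm.vault.ca.ready` assumes the PKI mount was just created with the corrected `max_lease_ttl` config, so the reactive re-tune pass is skipped for this unit; that holds for a fresh mount, but if the action is re-run against a backend that was mounted before this fix (with the ignored `max-lease-ttl` key), `enable_secret_backend` will presumably not re-apply the TTL and the flag still suppresses the tune. Consider calling `vault_pki.tune_pki_backend()` here before setting the flag, or at least record the assumption: `# mount was created with max_lease_ttl above; no separate tune pass needed`. The body of upload_signed_csr starts outside the hunk, so where the mount is enabled is not visible here.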
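Review bot: The `'87600h'` default that this hunk corrects the comment for (87600h is 10 years, not 1) is now duplicated verbatim in `tune_pki_backend` in the next hunk; hoist it to a module constant such as `DEFAULT_MAX_LEASE_TTL = '87600h'` and use it in both places so the mount-time and tune-time paths cannot drift. Because `max_lease_ttl` is the mount-wide ceiling on every lease and certificate Vault will issue from this backend, the comment should say what it bounds rather than just "Default ttl": `# Mount-wide ceiling on issued cert/lease TTLs; 87600h == 10 years`. The old `max-lease-ttl` key was presumably ignored by Vault, so mounts created before this fix remain at Vault's built-in maximum until the new tune handler runs against them. configure_pki_backend starts outside the hunk.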
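Review bot: `tune_pki_backend` silently does nothing when `is_backend_mounted` is false and returns `None` either way, so a caller cannot tell whether the TTL was actually applied; the reactive handler in this change sets `pki.backend.tuned` regardless, which can leave an untuned mount permanently marked as tuned. Make the outcome visible: `if not vault.is_backend_mounted(client, CHARM_PKI_MP): return False`, then `return True` after the `tune_secret_backend` call, and add `:returns: True if the charm PKI backend was mounted and tuned, False otherwise` to the docstring. The `:param ttl:` line should also state that it is a Vault duration string such as `'87600h'` which becomes the mount-wide `max_lease_ttl`, i.e. the ceiling on every certificate issued from the charm PKI backend, since that is the security-relevant effect of this call.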
@@ -743,3 +743,13 @@ def post_series_upgrade():
 """Handler for post-series-upgrade.
 """
 unitdata.kv().set('charm.vault.series-upgrading', False)
+
+
+@when('leadership.is_leader',
+ 'charm.vault.ca.ready')
+@when_not('pki.backend.tuned')
+def tune_pki_backend():
+ """Ensure Vault PKI backend is correctly tuned
+ """
+ vault_pki.tune_pki_backend()
+ set_flag('pki.backend.tuned')
diff --git a/src/tests/tests.yaml b/src/tests/tests.yaml
index aa22f23..ce9dc67 100644
--- a/src/tests/tests.yaml
+++ b/src/tests/tests.yaml
@@ -23,5 +23,8 @@ target_deploy_status:
 ceph-osd:
 workload-status: waiting
 workload-status-message: "Incomplete relation: vault"
+ ceph-mon:
+ workload-status: waiting
+ workload-status-message: "Monitor bootstrapped but waiting for number of OSDs to reach expected-osd-count (3)"
 tests:
 - zaza.charm_tests.vault.tests.VaultTest
diff --git a/unit_tests/test_lib_charm_vault_pki.py b/unit_tests/test_lib_charm_vault_pki.py
index b29bf94..660f3e5 100644
--- a/unit_tests/test_lib_charm_vault_pki.py
+++ b/unit_tests/test_lib_charm_vault_pki.py
@@ -25,7 +25,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase):
 ttl=42)
 client_mock.enable_secret_backend.assert_called_once_with(
 backend_type='pki',
- config={'max-lease-ttl': 42},
+ config={'max_lease_ttl': 42},
 description='Charm created PKI backend',
 mount_point='my_backend')
@@ -38,7 +38,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase):
 'my_backend')
 client_mock.enable_secret_backend.assert_called_once_with(
 backend_type='pki',
- config={'max-lease-ttl': '87600h'},
+ config={'max_lease_ttl': '87600h'},
 description='Charm created PKI backend',
 mount_point='my_backend')
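Review bot: `set_flag('pki.backend.tuned')` is set unconditionally after `vault_pki.tune_pki_backend()`, but that function (in the `vault_pki.py` hunk of this change) is a no-op when the charm PKI mount is absent, so the flag can latch on a unit whose backend was never re-tuned and the handler will not fire again until something clears the flag. Gate the flag on the tune actually happening: have `tune_pki_backend` report its outcome and write `if vault_pki.tune_pki_backend(): set_flag('pki.backend.tuned')`. Nothing in this change clears the flag (e.g. on `upgrade-charm`), so a future change to the default TTL would not be re-applied to existing deployments; a comment on the handler should make the one-shot nature explicit: `# One-shot per unit; clear the flag if the desired max_lease_ttl ever changes.` The leader-only gating looks right, since the tune is an API call against the shared Vault backend rather than per-unit state.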
@@ -364,3 +364,20 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase):
 'admin.local', 'public.local']),
 (['10.0.0.10', '10.0.0.20'], ['admin.local', 'public.local']))
+
+ @patch.object(vault_pki.vault, 'get_local_client')
+ @patch.object(vault_pki.vault, 'is_backend_mounted')
+ def test_tune_secret_backend(self,
+ is_backend_mounted,
+ get_local_client):
+ is_backend_mounted.return_value = True
+ mock_client = mock.MagicMock()
+ get_local_client.return_value = mock_client
+ vault_pki.tune_pki_backend(ttl='3456h')
+ is_backend_mounted.assert_called_with(mock_client,
+ vault_pki.CHARM_PKI_MP)
+ mock_client.tune_secret_backend.assert_called_with(
+ backend_type='pki',
+ mount_point=vault_pki.CHARM_PKI_MP,
+ max_lease_ttl='3456h'
+ )
diff --git a/unit_tests/test_reactive_vault_handlers.py b/unit_tests/test_reactive_vault_handlers.py
index 959f375..c1f64c5 100644
--- a/unit_tests/test_reactive_vault_handlers.py
+++ b/unit_tests/test_reactive_vault_handlers.py
@@ -730,3 +730,9 @@ class TestHandlers(unit_tests.test_utils.CharmTestCase):
 tls.new_requests[2].set_cert.assert_has_calls([
 mock.call('crt2', 'key2'),
 ])
+
+ @mock.patch.object(handlers, 'vault_pki')
+ def test_tune_pki_backend(self, vault_pki):
+ handlers.tune_pki_backend()
+ vault_pki.tune_pki_backend.assert_called_once_with()
+ self.set_flag.assert_called_once_with('pki.backend.tuned')
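Review bot: The new `test_tune_secret_backend` only exercises the mounted path with an explicit `ttl`; the `is_backend_mounted` false branch, which is the one that silently skips tuning, and the `'87600h'` default both go untested, so a regression in either would still pass. Add a not-mounted case asserting `mock_client.tune_secret_backend.assert_not_called()`, and a call without `ttl` asserting `max_lease_ttl='87600h'`, since that default is the mount-wide cap on issued certificate lifetimes and is the value every real deployment gets. The class TestLibCharmVaultPKI starts outside the hunk.
```python
    @patch.object(vault_pki.vault, 'get_local_client')
    @patch.object(vault_pki.vault, 'is_backend_mounted')
    def test_tune_secret_backend_not_mounted(self,
                                             is_backend_mounted,
                                             get_local_client):
        is_backend_mounted.return_value = False
        mock_client = mock.MagicMock()
        get_local_client.return_value = mock_client
        vault_pki.tune_pki_backend()
        mock_client.tune_secret_backend.assert_not_called()

    @patch.object(vault_pki.vault, 'get_local_client')
    @patch.object(vault_pki.vault, 'is_backend_mounted')
    def test_tune_secret_backend_default_ttl(self,
                                             is_backend_mounted,
                                             get_local_client):
        is_backend_mounted.return_value = True
        mock_client = mock.MagicMock()
        get_local_client.return_value = mock_client
        vault_pki.tune_pki_backend()
        mock_client.tune_secret_backend.assert_called_with(
            backend_type='pki',
            mount_point=vault_pki.CHARM_PKI_MP,
            max_lease_ttl='87600h'
        )
```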