Replace magic number with configurable certificate validity period

## Maintainability Improvement
- Replaced hardcoded `+3650d` (10 years) with configurable variable
- Added `certificate_validity_days: 3650` in vars section with clear documentation
- Applied consistently to both server and client certificate signing

## Benefits
- Single location to modify certificate validity period
- Supports compliance requirements for shorter certificate lifespans
- Improves code readability and maintainability
- Eliminates magic number duplication

## Backwards Compatibility
- Default remains 10 years (3650 days) - no behavior change
- Organizations can now easily customize certificate validity as needed

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Dan Guido 2025-08-04 22:19:09 -07:00
parent e63a3d6357
commit ea04ee8b98


@ -152,7 +152,7 @@
ownca_path: "{{ ipsec_pki_path }}/cacert.pem"
ownca_privatekey_path: "{{ ipsec_pki_path }}/private/cakey.pem"
ownca_privatekey_passphrase: "{{ CA_password }}"
ownca_not_after: +3650d
ownca_not_after: "+{{ certificate_validity_days }}d"
ownca_not_before: "-1d"
mode: "0644"
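Review bot: the server certificate's `ownca_not_after` now depends on `certificate_validity_days` being in scope for this task, but the only definition added in this commit is a play-level `vars:` entry further down (the hunk at line 251); if this task runs in a different play, the template renders to `+d` and the module fails. Confirm the scope, and consider guarding both signing tasks with an `assert` that the variable is defined and a positive integer before any certificate is produced. A related caveat worth a comment next to this line: the CA certificate's own expiry is not shown here, and a leaf certificate whose `not_after` exceeds the CA's will be rejected by chain validation once the CA lapses, so the value should be checked against the CA lifetime rather than assumed to be independent.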
@ -164,7 +164,7 @@
ownca_path: "{{ ipsec_pki_path }}/cacert.pem"
ownca_privatekey_path: "{{ ipsec_pki_path }}/private/cakey.pem"
ownca_privatekey_passphrase: "{{ CA_password }}"
ownca_not_after: +3650d
ownca_not_after: "+{{ certificate_validity_days }}d"
ownca_not_before: "-1d"
mode: "0644"
with_items: "{{ client_csr_jobs.results }}"
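Review bot: the client certificates at line 164 get the identical lifetime as the server certificate via the same `certificate_validity_days`, yet the two have different risk profiles. Client certificates are the ones that get revoked through the CRL handled in the next hunk, and a long-lived (default ten-year) client certificate keeps the whole revocation story dependent on the CRL being distributed and honored; a separate, shorter variable for client lifetime (with the server keeping the longer one) would let an operator shrink exposure without changing server rotation. Even if a single knob is kept, the commit message claims support for shorter compliance-driven lifetimes, so the default of 3650 days deserves an explicit note here that it is the legacy value, not a recommended one.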
@ -251,6 +251,7 @@
become: false
vars:
ansible_python_interpreter: "{{ ansible_playbook_python }}"
certificate_validity_days: 3650 # 10 years - configurable certificate lifespan
- name: Copy the CRL to the vpn server
copy:
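Review bot: the comment on the new line, `certificate_validity_days: 3650 # 10 years - configurable certificate lifespan`, says "configurable" but the value lives only in a play-level `vars:` block in the playbook itself; there is no entry in a user-facing configuration file and no documentation of how an operator is meant to override it. Either state the supported override path in the comment (editing this line, or passing `-e certificate_validity_days=...`) or move the default to wherever the project keeps user-tunable settings, and note the precedence so a value set elsewhere is not silently shadowed by this play-level definition. Also double-check that placing the variable in this play's `vars:` (the play with `become: false` and the CRL copy task) actually covers the signing tasks at lines 152 and 164; if they belong to an earlier play, the variable needs to be defined where those tasks run.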