> Why do you use such a value for SigningKeyLifetime when the default is
> 30 days already? You can just skip --signingkeylifetime and have
> medium term signing key valid for 30 days (1 month). I am not totally
> sure *1 months* is a valid argument here (could be, not sure)

--signingkeylifetime '1 months'

is fine (tested), it is not the same as 30 days (by a few hours) but
otherwise it is ok.

