diff --git a/api/client/swarm/update.go b/api/client/swarm/update.go
index a26b0d59f2..c3eff5d43d 100644
--- a/api/client/swarm/update.go
+++ b/api/client/swarm/update.go
@@ -18,6 +18,7 @@ type updateOptions struct {
 	secret              string
 	taskHistoryLimit    int64
 	dispatcherHeartbeat time.Duration
+	nodeCertExpiry      time.Duration
 }
 
 func newUpdateCommand(dockerCli *client.DockerCli) *cobra.Command {
@@ -38,6 +39,7 @@ func newUpdateCommand(dockerCli *client.DockerCli) *cobra.Command {
 	flags.StringVar(&opts.secret, "secret", "", "Set secret value needed to accept nodes into cluster")
 	flags.Int64Var(&opts.taskHistoryLimit, "task-history-limit", 10, "Task history retention limit")
 	flags.DurationVar(&opts.dispatcherHeartbeat, "dispatcher-heartbeat", time.Duration(5*time.Second), "Dispatcher heartbeat period")
+	flags.DurationVar(&opts.nodeCertExpiry, "cert-expiry", time.Duration(90*24*time.Hour), "Validity period for node certificates")
 	return cmd
 }
 
@@ -92,5 +94,11 @@ func mergeSwarm(swarm *swarm.Swarm, flags *pflag.FlagSet) error {
 		}
 	}
 
+	if flags.Changed("cert-expiry") {
+		if v, err := flags.GetDuration("cert-expiry"); err == nil {
+			spec.CAConfig.NodeCertExpiry = v
+		}
+	}
+
 	return nil
 }
diff --git a/docs/reference/commandline/swarm_update.md b/docs/reference/commandline/swarm_update.md
index 942a330ea1..afbcf6455e 100644
--- a/docs/reference/commandline/swarm_update.md
+++ b/docs/reference/commandline/swarm_update.md
@@ -22,6 +22,7 @@ parent = "smn_cli"
           --help                            Print usage
           --secret string                   Set secret value needed to accept nodes into cluster
           --task-history-limit int          Task history retention limit (default 10)
+          --cert-expiry duration            Validity period for node certificates (default 2160h0m0s)
 
 Updates a Swarm cluster with new parameter values. This command must target a manager node.