diff --git a/manifests/fetchcrl.pp b/manifests/fetchcrl.pp
index 21a119b709f2b62b421c2c602598112811787888..4139c3747c512783b8175c028561cd87c5da5d5c 100644
--- a/manifests/fetchcrl.pp
+++ b/manifests/fetchcrl.pp
@@ -12,6 +12,7 @@ class x509certs::fetchcrl
 {
     contain x509certs::fetchcrl::package
     contain x509certs::fetchcrl::cfgdir
+    contain x509certs::fetchcrl::shortcache
     contain x509certs::fetchcrl::service
     contain x509certs::fetchcrl::initial
 }
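Review bot: Nothing visible in this class body orders the new `x509certs::fetchcrl::shortcache` after `x509certs::fetchcrl::package`. `contain` keeps the classes inside `x509certs::fetchcrl` but does not sequence them relative to each other. The only ordering the new class declares is its `notify` to `initial`, so on a fresh node the `ensure_line` on /etc/fetch-crl.conf could presumably run before the package has installed that file. Unless the ordering is set inside the sub-classes outside this diff, consider adding `Class['x509certs::fetchcrl::package'] -> Class['x509certs::fetchcrl::shortcache']` here, or a matching `require` on the `ensure_line` resource.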
diff --git a/manifests/fetchcrl/shortcache.pp b/manifests/fetchcrl/shortcache.pp
new file mode 100644
index 0000000000000000000000000000000000000000..7170678c294e3ebd01e83d5d8e7795ea53e021c4
--- /dev/null
+++ b/manifests/fetchcrl/shortcache.pp
@@ -0,0 +1,39 @@
+# Copyright © 2023      National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+# Internal helper for x509certs::fetchcrl class.
+#
+# This class sets the maxcachetime option in the general section to
+# some resonably short time (default 1 hour).  That is done to work
+# around breakage in fetch-crl's caching logic, where it can otherwise
+# keep using an old CRL up until it expires.  This can happen when the
+# web server publishing the CRL sets the Expire: header to the same as
+# the nextUpdate field in the CRL.  If fetch-crl then runs slightly
+# before the CRL expires, it will use its cached CRL instead of down-
+# loading a fresh CRL from the source.  And then just a few minutes
+# later, the CRL expires, but the fetch-crl cron job doesn't run again
+# until several hours later (the default cron job runs every six hours).
+#
+# By setting a short maxcachetime, we increase the likelyhood that
+# fetch-crl actually runs and downloads a new CRL before the old CRL
+# expires.
+#
+# We set the maxcachetime option in the main /etc/fetch-crl.conf
+# config file, so users can override the option using a normal
+# x509certs::fetchcrl::option resource declaration.
+#
+class x509certs::fetchcrl::shortcache($maxcachetime = 1*60*60)
+{
+    ensure_line {
+	'x509certs::fetchcrl::shortcache':
+	    file => '/etc/fetch-crl.conf',
+	    line => "maxcachetime = ${maxcachetime}",
+	    pattern => '^maxcachetime(\s*=.*)?$',
+	    # This makes sure the line is added before any trust anchor section
+	    where => '^(\s*\[.*|\s*$|\s*[^#;].*)',
+	    addhow => 'prepend',
+	    notify => Class['x509certs::fetchcrl::initial'];
+    }
+}
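Review bot: `$maxcachetime` is untyped and is interpolated directly into the `line` written to /etc/fetch-crl.conf, so a non-numeric or multi-line string from Hiera would land in the config unchecked. Since this setting exists to stop stale CRLs being used, a bad value should fail at catalog compilation rather than silently restore the long cache time. If the module targets Puppet 4 or later, declare the parameter as `class x509certs::fetchcrl::shortcache(Integer[0] $maxcachetime = 1*60*60)`. The header comment should also say that the unit is seconds. Separately, `pattern => '^maxcachetime(\s*=.*)?$'` is not scoped to the general section; depending on how `ensure_line` handles multiple matches, it may also match a `maxcachetime` line inside a trust anchor section, which is worth confirming.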