Code review comment for ~bryce/ubuntu/+source/ssl-cert:ssl-cert-sru-lp1853021-hirsute

Should we also lower the default validity of the certificate to something like 800 days as part of this change? This would address the specific issue raised by LP: #1853021, and I think it makes sense to have defaults that produce certificates that are compatible with browsers.

(Should we *only* lower the cert validity if Debian is slow/unresponsive, instead of adding --expiration-days in a delta? The risk I see is Debian implementing the same in a different way, and ending up with two different interfaces that are difficult to reconcile and that could require even more deltas in other packages.)