[edited: but since I also want to have host certs that are on various internal servers, the short validity applies to them]