by harshreality 4985 days ago
You usually can't, for several reasons.

Self-signed certs won't fly for public-facing websites.

CAs simply won't issue for more than 3 years, typically. They want to make money, and the easiest way to make more money is to make certificate lifetimes short.

There's an arguable security concern. If a site's cert gets compromised and it's not detected, having a shorter cert lifetime might in some situations prevent the compromise from persisting more than the certificate lifetime. True, if the server is compromised, you can replace certs every year and they'll all be compromised, but if it's a server farm with frequent reinstalls from trusted base media, server compromises won't necessarily persist, and compromised 5+ year website certificates might turn into the weakest link.

If the site must pass periodic scans (for example, by one of those PCI compliance outfits), most of those scanners consider more than 3 years to be "too long" for a cert to be valid. Whether they'd fail the site for that, I don't know.

1 comment
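The "more than 3 years is too long" bar mentioned above is easy to check mechanically. The script below is an added example, not code from the original post or from any scanner vendor: it measures a certificate's total validity period (notAfter minus notBefore) and flags anything over a 3-year policy threshold. It assumes `openssl` and GNU `date` are on PATH, and the two sample certificates it checks are throwaway self-signed ones it generates itself (constructed input, no real site or CA involved).

```shell
#!/bin/sh
# Added example: flag certificates whose total validity period exceeds a
# policy threshold (3 years here). Assumes openssl and GNU date are installed.
# Sample certs are generated locally as constructed input.
set -e

MAX_DAYS=1095   # policy threshold: 3 * 365 days

# Print the total validity period (notAfter - notBefore) of a PEM cert, in days.
# Note this is the issued lifetime, not the time remaining until expiry.
cert_lifetime_days() {
    start=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2-)
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2-)
    s=$(date -u -d "$start" +%s)
    e=$(date -u -d "$end" +%s)
    echo $(( (e - s) / 86400 ))
}

# Return 0 if the cert's lifetime is within MAX_DAYS, 1 otherwise.
check_cert_lifetime() {
    days=$(cert_lifetime_days "$1")
    if [ "$days" -gt "$MAX_DAYS" ]; then
        echo "FAIL: $1 valid for $days days (> $MAX_DAYS)"
        return 1
    fi
    echo "OK:   $1 valid for $days days"
    return 0
}

# Generate a throwaway self-signed cert with the requested lifetime in days.
# $1 = output path for the cert (key is written next to it), $2 = days
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=example.test" >/dev/null 2>&1
}

WORK=$(mktemp -d)
make_test_cert "$WORK/short.pem" 825    # within policy
make_test_cert "$WORK/long.pem" 1825    # 5 years: over policy

check_cert_lifetime "$WORK/short.pem"
check_cert_lifetime "$WORK/long.pem" || true
```

Point `check_cert_lifetime` at a cert fetched with `openssl s_client -showcerts` to audit a live site; the threshold is a variable so it can be tightened as CA and browser policy change.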

Ideally, the information in the certificate is vetted by the certificate authority. So, if you have your company name, physical address, and contact info in there, the CA would have actually conducted some checks to make sure that information was correct and not fraudulent before certifying it. That vetting process costs time and money. Unfortunately, nobody can detect whether it has happened so now we have $5 certs that are essentially unvetted (uncertified certificates?) because people are only interested in the encryption component.