What I've done is generate a cert for the host(s) the user needs, for the time-span they need (subject to authorization logic).