And I think you can currently get certs expiring later than the domain, which seems wrong to me. Is there a good justification for that?