Comment by lmz
While we're on the subject of cert lifetimes: is there a longer-lived, public CA-issued cert for TLS client purposes?
I sometimes deal with a relying party that insists on public CA-issued certs for TLS client use, and then makes rotation very painful behind a portal with 2FA etc. This would be fine if public CAs issued certs for 5 years, but they seem to be limited to 1 year now because of browser policy.
Server certs will be losing the clientAuth EKU this year, so those will be out. S/MIME certs may start to drop it too. I don’t know many CAs that will do a clientAuth-only cert from a public CA, largely because it’s unnecessary. If it’s for auth, use a private CA.
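Added example, not from either commenter: the "use a private CA" route in plain openssl. It stands up a throwaway private CA, issues a clientAuth-only leaf for five years (the lifetime lmz wanted; a private CA is not bound by the browser policy that caps public certs at one year), and then inspects the EKU the same way you would inspect a public-CA cert to see whether clientAuth is still present. The CA name, the leaf CN "svc-account-01", the 1825-day lifetime and the file paths are all assumptions for illustration; the relying-party check at the end is `openssl verify -purpose sslclient`, which fails on a cert whose EKU lacks clientAuth.

```shell
#!/bin/sh
# Added example (not from the thread). Issues a clientAuth-only client cert
# from a throwaway private CA and checks its EKU. Requires openssl 1.1.1+.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch dir; assumption, override with WORK=...

# Build the private CA (CA:TRUE, keyCertSign) and a clientAuth-only leaf.
# Prints the path of the leaf cert.
make_client_cert() {
  # Minimal req config so the CA cert gets proper v3 extensions on any
  # openssl version, independent of the system openssl.cnf.
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = example private client CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 3650 >/dev/null 2>&1

  # Leaf key + CSR for the client identity (CN is an assumption).
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/client.key" \
    -out "$WORK/client.csr" -subj "/CN=svc-account-01" >/dev/null 2>&1

  # Leaf extensions: clientAuth only, no serverAuth, so the cert is useless
  # for impersonating a server if it leaks.
  printf '%s\n' \
    "basicConstraints=critical,CA:FALSE" \
    "keyUsage=critical,digitalSignature" \
    "extendedKeyUsage=clientAuth" \
    "subjectKeyIdentifier=hash" \
    "authorityKeyIdentifier=keyid" > "$WORK/client.ext"

  # Five-year lifetime (1825 days): allowed because this is a private CA.
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1825 \
    -extfile "$WORK/client.ext" -out "$WORK/client.crt" >/dev/null 2>&1
  echo "$WORK/client.crt"
}

# Print the EKU line of a PEM cert (empty if the cert has no EKU extension).
# This is the check to run against a public-CA cert before relying on it.
cert_eku() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Extended Key Usage' | tail -n1 | sed 's/^ *//'
}

# Exit 0 if the cert asserts clientAuth.
has_client_auth() {
  cert_eku "$1" | grep -q 'TLS Web Client Authentication'
}

# Exit 0 if the cert asserts serverAuth.
has_server_auth() {
  cert_eku "$1" | grep -q 'TLS Web Server Authentication'
}

# What the relying party should do: chain to the private CA and require the
# client-auth purpose. A cert missing clientAuth fails here.
verify_client() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$1" >/dev/null 2>&1
}
```

Run `cert_eku /path/to/your-public-ca.crt` against a server cert issued this year to see for yourself whether "TLS Web Client Authentication" is still listed; once it is gone, `openssl verify -purpose sslclient` on that cert fails, which is exactly what the relying party in lmz's situation will hit.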