I should have written something along the lines of "validity date ranges" instead of expiration: you're much more likely to run into problems where you run into a certificate that was issued in the future relative to when you think is now.