For passwords we have finally agreed that enforcing frequent changes was a bad idea. Because the disadvantages outweigh the advantages. It‘s time to talk about expiring certificates.