Allow Expired Certs Per Identity Once

Open andrewpmartinez opened this issue 1 year ago • 2 comments

andrewpmartinez Jun 10 '24 14:06

Is this aimed at recovering from a condition where a client cert's expired, to allow renewal, or is this more about changing the internal model such that client cert expiry can be enforced on a per-identity basis, or both?

qrkourier Jun 10 '24 16:06

  1. SDKs can extend their certs, but don't. As the capability becomes implemented clients will begin to do so. This allows someone to enforce cert expiration w/o losing existing clients.
  2. It could also be used for recovery scenarios.

andrewpmartinez Jun 10 '24 16:06