Obfuscate the default certificate validity times
Implement fuzzing of the certificate's 'notBefore' field, so that it's not so apparent that we are creating new certs every 2 hours.
Jake's code generated an 18-bit random number and subtracted it from time(NULL). This approach fuzzes 'notBefore' for a maximum of 72 hours approx.
Do we like it? Should we increase it? Should we decrease it? Is there anything we should be careful with, when increasing/decreasing the fuzzing factor?
Since our new advertised MAX_SSL_LIFETIME is 1 year, I would increase the fuzzing factor, even allowing our maximum fuzzing to be a month or so.
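The arithmetic behind the questions above, as an added example (not Jake's patch and not the project's code): it backdates 'notBefore' by an n-bit random offset, finds the bit width needed for a target window, and checks that the worst-case backdated certificate still outlives the rotation period. The function names, the macros and the rule notAfter = notBefore + lifetime are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Only the 18-bit width, the 2-hour rotation and the 1-year lifetime come
 * from the ticket; the macro names are assumptions for this example. */
#define ROTATION_SECS (2L * 60 * 60)
#define LIFETIME_SECS (365L * 24 * 60 * 60)

/* Largest offset, in seconds, that a 'bits'-wide random value can produce. */
static long max_fuzz_secs(unsigned bits) {
  return (long)((UINT32_C(1) << bits) - 1);
}

/* Backdate 'now' by the low 'bits' bits of 'rnd'. The caller supplies 'rnd'
 * from a CSPRNG; masking a power-of-two range keeps the offset uniform. */
static time_t fuzzed_not_before(time_t now, uint32_t rnd, unsigned bits) {
  uint32_t mask = (UINT32_C(1) << bits) - 1;
  return now - (time_t)(rnd & mask);
}

/* Smallest bit width whose fuzz window covers at least 'secs' seconds. */
static unsigned bits_for_window(long secs) {
  unsigned bits = 1;
  while (bits < 31 && max_fuzz_secs(bits) < secs) bits++;
  return bits;
}

/* Assumes notAfter = notBefore + lifetime. The width is safe when even the
 * maximum backdating leaves notAfter later than now + rotation. */
static int fuzz_is_safe(unsigned bits, long lifetime, long rotation) {
  return max_fuzz_secs(bits) + rotation < lifetime;
}

int main(void) {
  time_t now = time(NULL);
  unsigned month_bits = bits_for_window(30L * 24 * 60 * 60);
  printf("18 bits: up to %.1f hours\n", max_fuzz_secs(18) / 3600.0);
  printf("%u bits: up to %.1f days\n", month_bits,
         max_fuzz_secs(month_bits) / 86400.0);
  /* 0x2ABCD is a constructed sample value, not real random output. */
  printf("sample notBefore: %ld\n",
         (long)fuzzed_not_before(now, UINT32_C(0x2ABCD), 18));
  printf("safe with 1-year lifetime: %d\n",
         fuzz_is_safe(month_bits, LIFETIME_SECS, ROTATION_SECS));
  return 0;
}
```

Because the offset is a bit mask, the window only grows in powers of two: 21 bits gives about 24 days and 22 bits about 48.5 days, so "a month or so" means picking one of those or sampling a non-power-of-two range instead.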