By the way, I appreciate the support for short-term certificates as well; Letsencrypt doesn't have it, though invalidation can be detected with OCSP or draft-aaron-acme-ari.