But the argument I was replying to was saying that the main advantage of short expiration times is that it encourages companies to automate the process, which reduces the chance that the certificate is accidentally allowed to expire. This is not a security issue for anyone, least of all people using browsers.

Plus, this concept that short expiration times increase security is suspect at best. If the private key leaked, 45 days is far too long, you'd need to reduce this to hours to actually help as a revocation strategy. And even then, chances are that the new key will leak as well right away, as it's most likely that the key was stolen by some undetected malware. And if the key didn't leak, a two year old cert is just as secure as a two minute old one.

> This is not a security issue for anyone, least of all people using browsers.

I disagree. The smooth running and ease of automation of TLS certs benefits the entire ecosystem, including the end-users. Remember when the only sites that had TLS certs were the ones that could afford it?

> If the private key leaked, 45 days is far too long, you'd need to reduce this to hours to actually help as a revocation strategy.

This is a good example of the Nirvana Fallacy.

> And even then, chances are that the new key will leak as well right away, as it's most likely that the key was stolen by some undetected malware.

No certificate expiry control can protect against continuous, undetectable data exfiltration. Meanwhile, a one-time access that grants me the ability to impersonate you for 2 years is a significantly worse situation than one that only grants me that ability for a few weeks.