The browser warning appears even for a cert issued by a non public CA you have told your browser to trust, and most browsers already enforce a 398 day limit, so unless you have cooperative users, you’re already (effectively) capped at 1 year of validity.

Most browsers do this for certs with a lifetime longer than 398 days issued after 2020, which is one aspect of why so many websites use a 1 year validity period for their certs.

I’m bragging when I say this: A decade ago, I rewrote an indecipherable mess of code into an elegant and transparent procedure, nestled comfortably inside every sanity/insanity check I could think of for the situation. Today, that code (aside from an update for a vulnerable dependency) is still running just the way I wrote it.

Releases should be fast and rare.