lslebodn / certmonger

Forked from certmonger 6 years ago

013ca11 Improve handling for certificates with short lives

Authored and Committed by nalin 8 years ago
    Improve handling for certificates with short lives
    
    Make a few changes to better handle cases where the lifetimes of issued
    certificates are shorter:
    * Add 12, 6, 2, and 1 hour from the not-valid-after time to the default
      TTL list.
    * Instead of defaulting to half the remaining validity period, and then
      clamping to a range as the interval until we next look at the
      certificate and check if we crossed a TTL threshold, start with the
      default, try to replace it with just after the next time we expect to
      cross a TTL threshold, and clamp that.  This should keep us from being
      blindsided by a manual replacement, while staying more predictable,
      especially as the remaining validity period shrinks to a very small
      amount.
    
        
file modified
+2 -1
file modified
+46 -12
file modified
+1 -1
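
The interval selection the commit message describes, next to the half-the-remaining-validity rule it replaces, as an added example that is not certmonger's code. The function names, the default delay, the clamp bounds and the day-sized TTL entries are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical tuning values, chosen for this illustration only. */
#define DEFAULT_DELAY (24 * 60 * 60)      /* default wait between checks */
#define MIN_DELAY     5                   /* clamp range, lower bound */
#define MAX_DELAY     (7 * 24 * 60 * 60)  /* clamp range, upper bound */

/* Seconds before not-valid-after. The 12, 6, 2 and 1 hour entries are the
 * ones the commit message adds; the day-sized entries are constructed. */
static const time_t ttl_list[] = { 28 * 86400, 7 * 86400, 86400,
                                   12 * 3600, 6 * 3600, 2 * 3600, 3600 };
#define N_TTLS (sizeof(ttl_list) / sizeof(ttl_list[0]))

static time_t clamp_delay(time_t d)
{
    return d < MIN_DELAY ? MIN_DELAY : (d > MAX_DELAY ? MAX_DELAY : d);
}

/* Earlier approach per the message: half the remaining validity, clamped. */
time_t half_life_delay(time_t now, time_t not_after)
{
    return clamp_delay((not_after - now) / 2);
}

/* Approach per the message: default, replaced by "just after the next
 * threshold crossing" when one still lies ahead, then clamped. */
time_t next_check_delay(time_t now, time_t not_after,
                        const time_t *ttls, size_t n)
{
    time_t delay = DEFAULT_DELAY, next = 0;
    for (size_t i = 0; i < n; i++) {
        time_t crossing = not_after - ttls[i];
        if (crossing > now && (next == 0 || crossing < next))
            next = crossing;              /* earliest crossing still ahead */
    }
    if (next != 0)
        delay = next - now + 1;           /* one second past the crossing */
    return clamp_delay(delay);
}

int main(void)
{
    time_t now = 1000000;                 /* constructed timestamp */
    time_t not_after = now + 90 * 60;     /* certificate with 90 minutes left */
    printf("half-life: %ld s, threshold-based: %ld s\n",
           (long)half_life_delay(now, not_after),
           (long)next_check_delay(now, not_after, ttl_list, N_TTLS));
    return 0;
}
```

With 90 minutes left, the half-life rule wakes 15 minutes after the 1-hour threshold has been crossed, while the threshold-based rule wakes one second after it.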