Improve handling for certificates with short lives

Make a few changes to better handle cases where the lifetimes of issued
certificates are shorter:
* Add 12, 6, 2, and 1 hour from the not-valid-after time to the default
TTL list.
* Instead of defaulting to half the remaining validity period, and then
clamping to a range as the interval until we next look at the
certificate and check if we crossed a TTL threshold, start with the
default, try to replace it with just after the next time we expect to
cross a TTL threshold, and clamp that. This should keep us from being
blindsided by a manual replacement, while staying more predictable,
especially as the remaining validity period shrinks to a very small
amount.
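
The scheduling change described in the commit message, sketched as an added example that is not part of the commit or the project's own code. The function names, the clamp bounds, the default interval, the slack, and the longer TTL entries are assumptions; only the 12, 6, 2, and 1 hour TTLs come from the message.

```python
# Added illustration; every constant marked "assumed" is not from the project.
HOUR = 3600
DAY = 24 * HOUR

# The four short TTLs named in the commit message.
SHORT_TTLS = [12 * HOUR, 6 * HOUR, 2 * HOUR, 1 * HOUR]
# Constructed longer entries standing in for the rest of the default list.
ASSUMED_LONG_TTLS = [28 * DAY, 7 * DAY, 1 * DAY]
TTLS = ASSUMED_LONG_TTLS + SHORT_TTLS

DEFAULT_DELAY = DAY  # assumed default interval between looks at the certificate
MIN_DELAY = 30       # assumed clamp floor, in seconds
MAX_DELAY = DAY      # assumed clamp ceiling, in seconds
SLACK = 5            # assumed margin so the check lands "just after" a threshold


def clamp(value, low, high):
    return max(low, min(high, value))


def old_delay(now, not_after):
    """Previous behaviour: half the remaining validity period, then clamp."""
    return clamp((not_after - now) // 2, MIN_DELAY, MAX_DELAY)


def new_delay(now, not_after, ttls=TTLS):
    """New behaviour: default, replaced by just-after-next-threshold, then clamp."""
    delay = DEFAULT_DELAY
    # A TTL threshold is crossed at not_after - ttl; keep those still ahead of us.
    upcoming = [not_after - ttl for ttl in ttls if not_after - ttl > now]
    if upcoming:
        delay = min(upcoming) - now + SLACK
    # Assumption: with no threshold left ahead, the default stands.
    # The ceiling keeps periodic looks going, so a manual replacement is noticed
    # even when the next threshold is weeks away.
    return clamp(delay, MIN_DELAY, MAX_DELAY)


if __name__ == "__main__":
    # Constructed case: certificate with 3 hours left, first look at t=0.
    not_after = 3 * HOUR
    print("old:", old_delay(0, not_after))  # lands 30 min past the 2-hour threshold
    print("new:", new_delay(0, not_after))  # lands just after the 2-hour threshold
```

With three hours of validity left, the halving rule next looks at the certificate at 5400 s, half an hour after the 2-hour TTL threshold was crossed at 3600 s, while the threshold-driven rule looks at 3605 s.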