Root CA cert valid for 6y
Root CA CRL valid for 14m
  * need ceremony at least once per y to renew CRL
KC certificates valid for 8m (verify calculation of influence on possible new CA)
CA certs valid for 1y
  * Limited certificate depth to 1 (so it can't issue CA)
CA CRL valid for 1d (or even less)
End user / device certificates valid for 3m
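
Added example (not part of the original notes): a Python check of how the lifetimes above interact. It assumes a shell model (a certificate must not outlive its issuer), treats 1y as 12m, and leaves out the KC certificates because the notes do not say where they sit in the chain; all function names are illustrative.

```python
import math

# Validity periods from the notes, in months (1y = 12m), root first.
CHAIN = [("Root CA", 72), ("CA", 12), ("End user / device", 3)]
ROOT_CRL_MONTHS = 14
CEREMONY_INTERVAL_MONTHS = 12  # "at least once per y"


def issuing_windows(chain):
    """Months each issuer can sign children that still expire before it does.

    Assumption (not in the notes): shell model, a child certificate must
    not outlive its issuer's certificate.
    """
    windows = {}
    for (issuer, issuer_valid), (child, child_valid) in zip(chain, chain[1:]):
        if child_valid >= issuer_valid:
            raise ValueError(f"{child} ({child_valid}m) must be shorter-lived "
                             f"than {issuer} ({issuer_valid}m)")
        windows[issuer] = issuer_valid - child_valid
    return windows


def concurrent_generations(validity, window):
    """Issuer certificates valid at once when a new one is made every `window` months."""
    return math.ceil(validity / window)


def crl_slack(crl_valid, refresh_interval):
    """Months a CRL refresh may slip before the published CRL expires."""
    slack = crl_valid - refresh_interval
    if slack <= 0:
        raise ValueError("CRL expires before the next scheduled refresh")
    return slack


if __name__ == "__main__":
    chain_validity = dict(CHAIN)
    for issuer, window in issuing_windows(CHAIN).items():
        n = concurrent_generations(chain_validity[issuer], window)
        print(f"{issuer}: replace after {window}m, up to {n} valid at once")
    print(f"Root CRL slack: {crl_slack(ROOT_CRL_MONTHS, CEREMONY_INTERVAL_MONTHS)}m")
```

Under that assumption a 1y CA certificate can sign full 3m end-user certificates for only 9 months, and the 14m root CRL leaves 2 months of slack over a yearly ceremony.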