
Begin issuing certificates with a validity period less than 10 days #7310

Open
7 tasks
Tracked by #7311
aarongable opened this issue Feb 6, 2024 · 2 comments

Comments
aarongable commented Feb 6, 2024

This bug is an umbrella/tracking bug, acting as a one-stop-shop to see progress on the multiple sub-tasks necessary to achieve this 2024 OKR.

Prerequisites:

Subtasks:

  • CA: certificate validity period should be per-profile instead of per-CA #7339
  • Teach the CA to omit revocation information for certificates with validity periods less than 10 days
  • Teach the CA to automatically change that criterion to 7 days shortly prior to 2026-03-15
  • Optional: Restrict certain profiles to allow-lists of registration IDs, to allow slow controlled roll-out
  • Configure a profile which sets a validity period of less than 10 days (and any other changes we want to bundle) in Staging
  • Configure the same profile in prod
orangepizza (Contributor) commented
If LE issues short-lived certificates from the same intermediate CA as the normal 90-day certs, that CA's CRL update period needs to be reduced to 4 days, because issuing short-lived certificates means that CA signs certs without an OCSP endpoint.
CA/B TLS BR 4.9.7:

  MUST update and publish a new CRL at least every:
  • seven (7) days if all Certificates include an Authority Information Access extension with an id-ad-ocsp accessMethod (“AIA OCSP pointer”); or
  • four (4) days in all other cases

aarongable (Contributor, Author) commented

Let's Encrypt currently publishes a new version of each CRL shard every 6 hours.
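A worked check of the two rules this thread turns on, as an added example that is not Boulder's own code: whether a certificate's validity window is short enough to omit revocation information under the 10-day criterion and its planned step-down to 7 days on 2026-03-15, and whether an issuing CA's CRL publication interval stays within the BR 4.9.7 limit quoted above. The function names and sample dates are constructed for this illustration.

```go
package main

import (
	"fmt"
	"time"
)

const day = 24 * time.Hour

// Date on which the short-lived threshold drops from 10 to 7 days (from the task list above).
var shortLivedCutover = time.Date(2026, 3, 15, 0, 0, 0, 0, time.UTC)

// ShortLivedMaxValidity returns the validity period a certificate issued at notBefore
// must stay strictly below to count as short-lived.
func ShortLivedMaxValidity(notBefore time.Time) time.Duration {
	if notBefore.Before(shortLivedCutover) {
		return 10 * day
	}
	return 7 * day
}

// IsShortLived reports whether a certificate with this validity window may omit
// revocation information (OCSP AIA pointer and CRL distribution point).
func IsShortLived(notBefore, notAfter time.Time) bool {
	validity := notAfter.Sub(notBefore)
	return validity > 0 && validity < ShortLivedMaxValidity(notBefore)
}

// RequiredCRLInterval is the longest CRL publication interval BR 4.9.7 (as quoted in the
// thread) allows an issuing CA: 7 days if every certificate it issues carries an OCSP AIA
// pointer, 4 days otherwise.
func RequiredCRLInterval(allCertsHaveOCSP bool) time.Duration {
	if allCertsHaveOCSP {
		return 7 * day
	}
	return 4 * day
}

// CRLIntervalOK checks a CA's configured CRL update period against that limit.
func CRLIntervalOK(updatePeriod time.Duration, allCertsHaveOCSP bool) bool {
	return updatePeriod <= RequiredCRLInterval(allCertsHaveOCSP)
}

func main() {
	// Constructed sample windows: one issued before the 2026 cutover, one after.
	nb := time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println("9-day cert in 2025 short-lived:", IsShortLived(nb, nb.Add(9*day))) // true
	nb = time.Date(2026, 6, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println("9-day cert in 2026 short-lived:", IsShortLived(nb, nb.Add(9*day))) // false
	// The issuing CA now signs certs without OCSP, so the 4-day CRL limit applies;
	// a 6-hour shard publication period is well inside it.
	fmt.Println("6h CRL period OK without OCSP:", CRLIntervalOK(6*time.Hour, false)) // true
}
```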
