How can you? Sure, if you have just one machine or two it's no big deal. Suppose you have a modern government agency, a business of any real size, etc.? You have the web site - no big deal, they just get a warning message. Then there are the Unix-based systems that run LDAP, SAN, well, most everything. Blade centers for VMs and such. Then the lightweight stuff that feeds the dumb people, like the Windows domain controllers and such. Things that people don't use much. It's getting to be a real PIA to find all of these frickin' certificates! They aren't even on standard ports to find. We had a SAN certificate that had a 10-year life blow out recently because we hit the expiration date. Things came to a grinding halt. That one was by IBM and IBM doesn't even own it anymore.
It's a bitch. If you set it so it doesn't halt things, nobody cares. They'll use a decades-old expired certificate - which BTW is almost certainly fine. Expire it and things come to a grinding halt, people can't get work done, sometimes people can't even get machines working to the point they can even fix it anytime soon.
I'm just waiting for something like this to happen to, say, an amusement park on opening day, right on the day some government agency spent a whole bunch of money to promote - say, IRS tax day or something. Wouldn't it be hilarious if they have a big march and all the electronic equipment comes to a grinding halt because the certificate was generated in the morning 5 years before and that was the die-by date? Just before the big deal.
Imagine self-driving cars. Poof, your really nice super Edison Roadster shuts down entirely and won't do a thing now because the Mr. Reactor has an expired certificate and you're in the Holland Tunnel into NYC. So are other Edison Roadsters all over town, all over the country!