Reject certificates that are valid for too long.

This is in conformance with the CA/Browser Forum Baseline Requirements for
certificate issuance.

This CL is adapted from a diff provided by sigbjorn@opera.com. Thanks!

BUG=119211
TBR=phajdan.jr@chromium.org

Review URL: https://codereview.chromium.org/724543002

Cr-Commit-Position: refs/heads/master@{#313603}
26 files changed