IIUC we currently renew certificates that are due to expire 60 days in advance during engine-setup for engine certs and CA 30 days (vdc_option CertExpirationAlertPeriodInDays) for host certs (during Host Upgrade) We can renew sooner than that (with bz# 2079835, bz# 2079799), a 365 days in advance, to make sure that we don't get into a situation that certificates expire when there are no host upgrades available. Since our current validity is 13 months this will make sure that practically all these certs are reissued the first time this changed code runs.
engine-setup: (after 1 year when engine certificates are about to expire) - One or more of the certificates should be renewed, because they expire soon, or include an invalid expiry date, or they were created with validity period longer than 398 days, or do not include the subjectAltName extension, which can cause them to be rejected by recent browsers and up to date hosts. host-upgrade: during enrolling certificates or host upgrade, relevant certificates were renewed - new certificates have additional 5 years of validity. Verified in ovirt-engine-4.5.0.7-0.9.el8ev.noarch