Never create a certificate with expiration later than the minimum expiration of the signing chain.

The certificate will stop being valid as soon as the first certificate in the chain expires. However, if a user is running a `needs-renewal` check against only the leaf certificate in the chain, the check may not trigger even though the certificate bundle  is expiring.