Improved guidance around alerting for root and intermediate cert expiration

[dopey]

Especially important for those circumstances where users choose a reduced lifetime (default is 10yr). The step certificate inspect command does not return root certificates, so it can be difficult to understand which certificate has expired when users receive an invalid certificate error.

smallstep/cli#518