The MS folks posted a method to extend the validity of certificates used for agents or gateways in OpsMgr 2007. You use certificates to authenticate non-forest members because they are in a different Kerberos realm. The default validity is only 1 year – that’s pretty short if you’re using agents to authenticate lots of agents like I am.