Short lived certificate

Do hosts not *also* get a stable management address, either EUI-64 based on the MAC (ff:fe old style) or the newer RFC7217 "stable privacy" address based on network prefix, interface, SSID, machine UUID? The temporary privacy addresses should be used for outbound connections based on their preferred lifetime but if you run services the management address should be usable, `scope global dynamic mngtmpaddr noprefixroute` vs `scope global temporary dynamic`.