Totally agree with you, but I feel like a sledgehammer approach won't help much - perhaps allowing only the 90-day certs to be managed automatically while still allowing the traditional one-year certs for manual generation only? That way you're still encouraging people to automate (as the process would be a lot easier), but not leaving others out to dry.
Later on, when software's been updated, you could switch entirely to the 90-day cert.
Probably not the ideal situation if you're trying to get people to automate everything, but it seems like a good middle ground.