More specifically: because they cannot be revoked, they need to expire. Same with root certs.