//   - It zeros all extensions.
//   - It sets BasicConstraints to true.
//   - It sets IsCA to false.
//   - It validates that the signer has not expired.
//   - It sets NotBefore and NotAfter:
//     All certificates set NotBefore = Now() - Backdate.
//     Long-lived certificates set NotAfter = Now() + TTL - Backdate.
//     Short-lived certificates set NotAfter = Now() + TTL.

			_, err := v.Validate(context.Background(), "", &jwt.Claims{Expiry: &expiry, NotBefore: &tc.notBefore}, tc.private)
			if len(tc.expectErr) > 0 {
				if errStr := errString(err); tc.expectErr != errStr {
					t.Fatalf("expected error %q but got %q", tc.expectErr, errStr)
				}
			} else if err != nil {

	if isCA {
		keyUsage |= x509.KeyUsageCertSign
	}

	RemoveDuplicateAltNames(&cfg.AltNames)

	notBefore := caCert.NotBefore
	if !cfg.NotBefore.IsZero() {
		notBefore = cfg.NotBefore
	}

	notAfter := notBefore.Add(kubeadmconstants.CertificateValidityPeriod)
	if !cfg.NotAfter.IsZero() {
		notAfter = cfg.NotAfter
	}

	certTmpl := x509.Certificate{

	}

	today := time.Now()
	return SecretMeta{
		SerialNumber: fmt.Sprintf("%x", cert.SerialNumber),
		NotAfter:     cert.NotAfter.Format(time.RFC3339),
		NotBefore:    cert.NotBefore.Format(time.RFC3339),
		Type:         certType,
		Valid:        today.After(cert.NotBefore) && today.Before(cert.NotAfter),
	}, nil

    assertThat(certificate.subjectAlternativeNames).isNull()
    val deltaMillis = 1000.0
    val durationMillis = TimeUnit.MINUTES.toMillis((60 * 24).toLong())
    assertThat(certificate.notBefore.time.toDouble())
      .isCloseTo(now.toDouble(), deltaMillis)
    assertThat(certificate.notAfter.time.toDouble())
      .isCloseTo(now.toDouble() + durationMillis, deltaMillis)
  }

  @Test
  fun customInterval() {

// the expected NotBefore. Truncate (round) expectedNotBefore to 1 second, since the certificate stores
// with seconds as the maximum precision.
func AssertCertificateHasNotBefore(t *testing.T, cert *x509.Certificate, expectedNotBefore time.Time) {
	truncated := expectedNotBefore.Truncate(time.Second)
	if !cert.NotBefore.Equal(truncated) {
		t.Errorf("cert has NotBefore %v, expected %v", cert.NotBefore, truncated)
	}
}

func writeTestCertificate(t *testing.T, dir, name string, caCert *x509.Certificate, caKey crypto.Signer, organization []string, notBefore, notAfter time.Time) *x509.Certificate {
	cert, key, err := pkiutil.NewCertAndKey(caCert, caKey, makeTestCertConfig(organization, notBefore, notAfter))
	if err != nil {
		t.Fatalf("couldn't generate certificate: %v", err)
	}

	}

	template := x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName:   "test",
			Organization: []string{"Σ Acme Co"},
		},
		NotBefore: time.Unix(1000, 0),
		NotAfter:  time.Unix(100000, 0),
		KeyUsage:  x509.KeyUsageCertSign,
	}

	if _, err = x509.CreateCertificate(rand.Reader, &template, &template, &rsaPriv.PublicKey, rsaPriv); err != nil {

	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Go test root"},
		IsCA:                  true,
		BasicConstraintsValid: true,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour * 10),
	}
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {

	for _, s := range secrets {
		if includeConfigType {
			s.Name = fmt.Sprintf("secret/%s", s.Name)
		}
		fmt.Fprintf(tw, "%s\t%s\t%s\t%t\t%s\t%s\t%s\n",
			s.Name, s.Type, s.State, s.Valid, s.SerialNumber, s.NotAfter, s.NotBefore)
	}
	return tw.Flush()
}

// printSecretItemsJSON prints secret in JSON format, and dumps the raw certificate data with the output
func (w *sdsWriter) printSecretItemsJSON(secrets []SecretItem) error {