// however citatel won't rotate if that happens
	delta := certChain.NotAfter.Sub(t0.Add(ca.defaultCertTTL))
	if delta >= time.Second*2 {
		t.Errorf("Invalid default cert TTL, should be the same as cert chain: %v VS (expected) %v",
			t0.Add(ca.defaultCertTTL),
			certChain.NotAfter)
	}
}

func TestSignCSR(t *testing.T) {
	subjectID := "spiffe://example.com/ns/foo/sa/bar"

						Duration: time.Hour * 1,
					},
				},
			},
			expectedConfig: &pkiutil.CertConfig{
				Config: certutil.Config{
					NotBefore: now.Add(-backdate),
				},
				NotAfter: now.Add(time.Hour * 1)},
		},
		{
			name: "CA cert validity is set",
			cert: &KubeadmCert{
				CAName:       "",
				creationTime: now,
			},
			cfg: &kubeadmapi.InitConfiguration{

		return
	}

	// Asserts the clientCert is signed by the signinCa
	certstestutil.AssertCertificateIsSignedByCa(t, currentClientCert, signinCa)

	// Assert the clientCert has expected NotAfter
	certstestutil.AssertCertificateHasNotAfter(t, currentClientCert, expectedNotAfter)

	// Asserts the clientCert has ClientAuth ExtKeyUsage
	certstestutil.AssertCertificateHasClientAuthUsage(t, currentClientCert)

                    value = "cash.app",
                  ),
                ),
              ),
            validity =
              Validity(
                notBefore = 0L,
                notAfter = 1000L,
              ),
            subject =
              listOf(
                listOf(
                  AttributeTypeAndValue(
                    type = COMMON_NAME,

		}
		for _, c := range x509Cert {
			log.Infof("x509 cert - Issuer: %q, Subject: %q, SN: %x, NotBefore: %q, NotAfter: %q",
				c.Issuer, c.Subject, c.SerialNumber,
				c.NotBefore.Format(time.RFC3339), c.NotAfter.Format(time.RFC3339))
		}
	}

	log.Info("Istiod certificates are reloaded")
	s.certMu.Lock()
	s.istiodCert = &keyPair
	s.certMu.Unlock()
	return nil

			}

			// now we check to see if the signer honored the requested duration
			certificate := certs[0]
			wantDuration := csr.ExpirationSecondsToDuration(*oldCSR.Spec.ExpirationSeconds)
			actualDuration := certificate.NotAfter.Sub(certificate.NotBefore)
			if isDurationHonored(wantDuration, actualDuration) {
				honored.WithLabelValues(signer).Inc()
			}
		}, nil
	}
}

func isDurationHonored(want, got time.Duration) bool {

		},
		"TTL error": {
			privPem:        []byte(key),
			certChainPem:   []byte(certChain),
			rootCertPem:    []byte(rootCert),
			expectedFields: extKeyUsage,
			expectedErr:    "unexpected value for 'NotAfter' - 'NotBefore'",
		},
		"extKeyUsage error": {
			privPem:        []byte(key),
			certChainPem:   []byte(certChain),
			rootCertPem:    []byte(rootCert),
			expectedFields: ttl,

		return false, nil
	}
	now := time.Now()
	for _, cert := range certs {
		if now.After(cert.NotAfter) {
			utilruntime.HandleError(fmt.Errorf("part of the existing bootstrap client certificate in %s is expired: %v", kubeconfigPath, cert.NotAfter))
			return false, nil
		}
	}
	return true, nil
}

						Value: "Gopher",
					},
					// This should override the Country, above.
					{
						Type:  []int{2, 5, 4, 6},
						Value: "NL",
					},
				},
			},
			NotBefore: time.Unix(1000, 0),
			NotAfter:  time.Unix(100000, 0),

			SignatureAlgorithm: test.sigAlgo,

			SubjectKeyId: []byte{1, 2, 3, 4},
			KeyUsage:     KeyUsageCertSign,

			ExtKeyUsage:        testExtKeyUsage,

	if len(k.CAName) != 0 {
		if ic.ClusterConfiguration.CertificateValidityPeriod != nil {
			k.config.NotAfter = k.creationTime.
				Add(ic.ClusterConfiguration.CertificateValidityPeriod.Duration)
		}
	} else {
		if ic.ClusterConfiguration.CACertificateValidityPeriod != nil {
			k.config.NotAfter = k.creationTime.
				Add(ic.ClusterConfiguration.CACertificateValidityPeriod.Duration)
		}
	}