It is not uncommon to have multiple CA certificates with the same Subject and Public Key but different validity times. Here is a picture from the internet that shows such a scenario:
![enter image description here](https://cdn.statically.io/img/i.sstatic.net/nFxF8.png)
If the validation function has access to both (or all, if there are more) CA certificates, it will build a separate chain for each matching issuer and validate each independently. If we look at the image, the following chains will be constructed:
- Server cert -> LE Authority X3 -> ISRG Root X1
- Server cert -> LE Authority X3 -> IdentTrust DST Root CA X3
Your scenario is very similar to the LE Authority X3 intermediate certificate. When all chains are constructed and validated, the validation engine performs "best" chain selection based on certain criteria. In your case, for some time one chain will be valid and the second will be invalid, so best chain selection is easy: the validation function will use the valid chain and discard the invalid one.
If the validation function produced multiple valid chains, the function applies additional logic (or weights) in order to select the "best" chain among the valid ones. That is, if the validation function has access to both the valid and the not-yet-valid issuer, then you shouldn't face any issues, because the validation function will return a chain with the valid issuer to the caller.
UPDATE:
It seems I didn't clearly understand the question, which was:

> Is there any problem if a CA's "not before" is later than the "not before" of a certificate it signed?
It depends. If the current (validation) time is within the certificate's validity period, then it is considered time-valid. Let's say you set the CA validity from Apr 1, 2024 to Apr 1, 2025, and the signed certificate is valid from Mar 19, 2024 to Jun 1, 2024; then the validation result will depend on when you run this validation.
- You execute validation on Mar 20, 2024. The current time is within the leaf cert's validity period; the leaf cert is OK. The current time is outside the issuer's validity period. Not all certificates are within their validity periods, so the chain is not time-valid and the certificate validation function should fail.
- You execute validation on Apr 2, 2024. The current time is within the leaf cert's validity period; the leaf cert is OK. The current time is within the issuer's validity period; the issuer is OK. All certificates are within their validity periods, so the entire chain is time-valid and the validation function can proceed with other checks if necessary.
That is, a certificate's time validity isn't checked retrospectively at all. What matters is whether all certs are within their validity periods at the validation time point. What was in the past, no one cares about.
And just to reiterate: it is a valid scenario when the leaf certificate's NotBefore is earlier than the issuer's NotBefore, or its NotAfter is after the issuer's NotAfter. The leaf certificate contains only references to the matching issuer cert, such as the public key hash (via the SKI extension) and the Issuer field. Nothing prevents you from having multiple certificates with the same public key (and hash) and Subject field. It happens all the time when you renew a CA certificate with the same key pair. During renewals, only the serial number and validity periods are changed; the public key and Subject of the issuer are not changed.