Expiry time when UseX509Certificate is set to true #1571

Open
AndersAbel opened this issue Jun 4, 2024 · 0 comments
Labels
bug report Bug report from a user

Comments

@AndersAbel
Member

When we create an X509Certificate2 to wrap our keys when UseX509Certificate is set to true, we use the configured expiry lifetime of the keys as the certificate's expiry time.

If the key lifetime (rotation interval) is then increased, that will let the current keys live for longer. However, the expiry time captured in the certificate will now not be honoured. We will continue to use the key beyond that time, which is confusing.

The JWK spec does not mention the expiry time. It does however state that

If other members are present, the contents of those members MUST be semantically consistent with the related fields in the first certificate.

If all information in the certificate should be consistent with the key data and usage, then we should not continue using a certificate beyond its lifetime. Updating the certificate when the lifetime changes is non-trivial; the certificates would not be the same and that could cause issues with key lookup.

This is an edge case, but the right thing to do would probably be to take the X5C expiry time into consideration when deciding when to create a new key.
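As an added illustration of the rotation decision described above (this is example code, not IdentityServer's own), the check below takes the earlier of the configured key lifetime and the NotAfter of the x5c certificate as the point at which a key must be retired. The certificate is a constructed self-signed stand-in for the wrapper certificate; `effectiveKeyExpiry` and `makeX5C` are assumed names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

// effectiveKeyExpiry returns when a signing key must stop being used: the
// earlier of created+lifetime (the configured rotation interval) and the
// NotAfter of the x5c certificate published alongside the key in the JWKS.
// A later increase of the lifetime therefore cannot extend a key past the
// validity its certificate already asserts. Errors if x5c is not a certificate.
func effectiveKeyExpiry(created time.Time, lifetime time.Duration, x5c string) (time.Time, error) {
	byLifetime := created.Add(lifetime)
	der, err := base64.StdEncoding.DecodeString(x5c) // x5c entries are base64 DER
	if err != nil {
		return time.Time{}, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return time.Time{}, err
	}
	if cert.NotAfter.Before(byLifetime) {
		return cert.NotAfter, nil // certificate validity caps the key lifetime
	}
	return byLifetime, nil
}

// makeX5C builds a constructed self-signed certificate whose validity ends at
// notAfter, standing in for the wrapper certificate emitted with the key.
func makeX5C(notBefore, notAfter time.Time) string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-signing-key"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(der)
}
```

With a certificate issued under a 90-day lifetime and the lifetime later raised to 180 days, the function reports the certificate's NotAfter, not the new 180-day mark.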
