The "sanity check" in CertificateAuthority::_signCSR() does not allow me to sign a certificate with expired validity or a certificate that will be valid in the future, because validation at the moment must succeed at the end of the function. Anything that is not valid at the moment of the signature can not be signed.