worker.ign certificate notAfter date in a new cluster


Hi,

I have a question on this. The certificate I extracted from the worker.ign file of a new cluster I provisioned using OCP 4.6 has the dates notBefore and notAfter set as:

kuldips-mbp:temp kuldip.nanda$ jq '.ignition.security.tls.certificateAuthorities[].source' ./worker.ign | sed -n -e 's/^\"data:text\/plain;charset=utf-8;base64,\(.*\)\"/\1/p' | base64 --decode > ./data.pem

kuldips-mbp:temp kuldip.nanda$ openssl x509 -noout -in data.pem -dates
  notBefore=Jan 13 19:35:57 2021 GMT
  notAfter=Jan 11 19:35:57 2031 GMT

How do I determine whether the certificate is expired or not? Should the notAfter date be

notAfter=Jan 14 19:35:57 2021 GMT

as in the newly created cluster, the CSR is valid only for 24 hrs?

I am not sure if I am determining the dates correctly from the certificate, and am looking for your advice on this. If this is not correct, what is another way to determine the certificate validity?

Thanks in advance.

Regards Kuldip
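An added example, not part of the original post: a Python check that reads every certificateAuthorities entry of an Ignition file and tests whether the current time falls between notBefore and notAfter. It reads the validity period with a minimal DER walk instead of openssl; the function names and the skeleton sample certificate, built with the dates quoted in the post, are constructed for illustration.

```python
import base64, json, re
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(buf, pos):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18); return (datetime, next_pos)."""
    tag, start, end = _tlv(buf, pos)
    text = buf[start:end].decode("ascii")
    if tag == 0x17:  # two-digit year: RFC 5280 maps 50-99 to 19xx and 00-49 to 20xx
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc), end

def validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, pos, _ = _tlv(der, 0)      # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)    # tbsCertificate SEQUENCE
    for _ in range(4 if der[pos] == 0xA0 else 3):  # [0] version if present, serial, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)    # Validity SEQUENCE
    not_before, pos = _time(der, pos)
    not_after, _ = _time(der, pos)
    return not_before, not_after

def ignition_ca_status(ignition_text, now=None):
    """List (notBefore, notAfter, inside_validity_period) for each CA in an Ignition file."""
    now = now or datetime.now(timezone.utc)
    cas = json.loads(ignition_text)["ignition"]["security"]["tls"]["certificateAuthorities"]
    out = []
    for ca in cas:
        pem = base64.b64decode(ca["source"].split("base64,", 1)[1]).decode("ascii")
        for body in re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S):
            nb, na = validity(base64.b64decode(body))
            out.append((nb, na, nb <= now <= na))  # expired once now is past notAfter
    return out

def constructed_sample():
    """Constructed input: skeleton certificate (no key or signature) with the post's dates."""
    der = lambda tag, body=b"": bytes([tag, len(body)]) + body  # short-form lengths only
    dates = der(0x30, der(0x17, b"210113193557Z") + der(0x17, b"310111193557Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30) + der(0x30) + dates)
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der(0x30, tbs)).decode()
    source = "data:text/plain;charset=utf-8;base64," + base64.b64encode(pem.encode()).decode()
    return json.dumps({"ignition": {"security": {"tls": {"certificateAuthorities": [{"source": source}]}}}})
```

For a real file, pass its contents, for example `ignition_ca_status(open("worker.ign").read())`.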

Responses