fix(Certificate): Cap expiry date at issuer's (#430)

Not only is this semantically correct, but it helps with certificate rotation as subjects can simply check their own expiry dates without looking at the rest of the chain.

package.json

@@ -45,6 +45,7 @@
     "@types/verror": "^1.10.5",
     "asn1js": "^2.2.0",
     "buffer-to-arraybuffer": "0.0.6",
+    "date-fns": "^2.28.0",
     "dohdec": "^3.1.0",
     "is-valid-domain": "^0.1.6",
     "moment": "^2.29.1",
@@ -59,7 +60,6 @@
     "@types/asn1js": "2.0.2",
     "@types/jest": "^27.4.1",
     "@types/pkijs": "0.0.12",
-    "date-fns": "^2.28.0",
     "del-cli": "^4.0.1",
     "jest": "^27.5.1",
     "jest-date-mock": "^1.0.8",

src/lib/_test_utils.ts

@@ -42,6 +42,9 @@ interface StubCertConfig {
   readonly subjectPublicKey: CryptoKey;
 }
 
+/**
+ * @deprecated Use {Certificate.issue} instead
+ */
 export async function generateStubCert(config: Partial<StubCertConfig> = {}): Promise<Certificate> {
   const keyPair = await generateRSAKeyPair();
   const futureDate = new Date();