Allow verification with expired CAs #2716
Description
If a CA expires, we should still be able to verify issued certificates and signatures with such CA. The verification process would check that the signature was valid at the time it was created (if the CA wasn't revoked), not at the time it's being verified. This would also apply to any intermediate CA certificate and the root CA certificate.
The fact that the root is expired now doesn't matter, what matters is that it was trusted when the signature was created.