Description of problem:
----------------------
The certificate validity range does not conform to the values modified in the HCO CR (which are also propagated to CNAO CR).

Version-Release number of selected component (if applicable):
------------------------------------------------------------
4.9.0-249

How reproducible:
----------------
100%

Steps to Reproduce:
------------------
1. Modify the HCO CR spec.certconfig to:
{
"ca":

{ "duration": "11m", "renewBefore": "10m" }

,
"server":

{ "duration": "11m", "renewBefore": "10m" }

}

2. run the command:
$ oc get secrets -n openshift-cnv ssp-operator-service-cert -ojson | jq -r '.data["tls.crt"]' | base64 -d | openssl x509 -dates -noout

Actual results:
--------------
1. The notAfter is 2 years ahead of notBefore.
2. the notBefore is 1 day earlier from the current date.

Expected results:
----------------
1. The difference should have been 11 minutes.
2. notBefore should be today.

Additional info:
---------------
$ oc get hco kubevirt-hyperconverged -n openshift-cnv -ojson |jq -C '.spec.certConfig'
{
"ca":

{ "duration": "11m", "renewBefore": "10m" }

,
"server":

{ "duration": "11m", "renewBefore": "10m" }

}

$ oc get kubevirt kubevirt-kubevirt-hyperconverged -n openshift-cnv -ojson |jq -C '.spec.certificateRotateStrategy.selfSigned'
{
"ca":

{ "duration": "11m0s", "renewBefore": "10m0s" }

,
"server":

{ "duration": "11m0s", "renewBefore": "10m0s" }

}

$ oc get secrets -n openshift-cnv ssp-operator-service-cert -ojson | jq -r '.data["tls.crt"]' | base64 -d | openssl x509 -dates -noout
notBefore=Oct 25 10:10:02 2021 GMT
notAfter=Oct 24 10:10:02 2023 GMT