Feature Request: Add support to set future date as notBefore when requesting for certificate

[jaingeet]

Is your feature request related to a problem? Please describe.

We want to issue a certificate with NotBefore set as some future time.

Describe the solution you'd like

Instead of using time.Now() here - https://github.com/cert-manager/cert-manager/blob/master/pkg/util/pki/certificatetemplate.go#L58, can you add support to set this as custom value?

/kind feature

[Jiawei0227]

+1 this is an important feature we also want.

[inteon]

Feel free to create a PR to add this feature.

[jaingeet]

What is the best way to do this? I can think of two possible solution -

1. Adding them as optional fields in Certificate and CertificateRequest apis -
   We can add two optional fields, such as NotBefore and NotAfter along with Duration field and add some validation to make sure either Duration or NotAfter is set. If NotAfter field is set and NotBefore is empty, we can continue to use time.Now() in that case as well.

2. Providing these through Annotations
   We can use annotations in both Certificate and CertificateRequest apis, to provide this information.

[jaingeet]

@inteon - do you have any suggestion on previous comment?

[inteon]

I think a new field would be preferable if we want this feature to be widely supported. The logic itself will have to be implemented by each issuer individually, if we only add support to a very limited set of issuers, an annotation might be preferable. Altering the CertificateRequest API is not a decision to be taken without much thought. So, creating a design document first might be desirable.