Where does ca expiry date comes from?

The puppetca view in foreman shows that my ca will expire in 4 days.

Expected outcome:
openssl x509 -in /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem -text -noout |grep “Not After”
Not After : Aug 12 13:51:03 2029 GMT

I expect it to display “in 9 Years”

Foreman and Proxy versions:
Just updated everything to 1.24.3

Distribution and version:
Debian buster for foreman
Debian stretch for smart proxy

Where does the displayed information come from?

It doesn’t really look at the CA because the Puppet CA doesn’t expose that info - it just gives you a list of certificates and expiration times. Foreman guesses the oldest certificate is the CA. As you can see, this is a flawed assumption.

Thanks for your fast reply and explanation. We had to renew our ca cert last year, so there are many many older certs lingering around now.

Bonus: I just found it in the code:

Yep, that’s exactly it. AFAIK on the Foreman side it’s only used in the UI as a visual hint to the admin so it hasn’t been a priority to improve.