The certificate validity was calculated incorrectly when a daylight saving time change occurred in the validity period. Consequently, the "ipa-cacert-manage renew" command failed with a validity error. With this update, the CA Validity Default has been modified to use Calendar API, which calculates the certificate validity range consistently with the Validity
Constraint and Validity Default. As a result, a CA certificate is successfully renewed in this scenario.