Hi @Andre Dupre Kuiper,
Thanks for reaching out.
This is expected behavior. When you have an existing certificate that is already expired and you generate a new certificate, the new certificate will be considered for signing tokens, even though you haven't activated it yet.
In this case, though, users may experience an application outage.
If you intend to keep certificate expiry validation disabled and want to utilize the expired certificate, then the new certificate shouldn't be created.
Hope this will help.
Please remember to "Accept Answer" if the answer helped you.