consider adding notyet.badssl.com (future notBefore)

[jschauma]

It might be useful to have a test to verify validation of the 'notBefore' date. I don't know how far in the future CAs let you request a cert, so there would eventually be a renewal needed once the future date becomes present/past.

[hgc81538]

I think it is hard to find a CA to issue such cert.

You might change your computer clock to simulate.

[ldemailly]

could be a self signed future cert I suppose, off self-signed.badssl.com for instance (only issue will be remember to not have become current, like the current issue with the other certs having expired)