Resign modified client cert

These tests modify the not_before & not_after times for the client cert
and verify the cert is rejected because the cert is "not yet valid" and
"expired" respectively.

It just so happened openssl < 3.2, checks the times before checking the
signature. But openssl 3.2, checks the signature first. So regenerate the
signature using the intermediate CA's private key.

Author: joshcooper

spec/unit/ssl/ssl_provider_spec.rb

@@ -391,6 +391,9 @@
 
     it 'raises if cert is not valid yet', unless: Puppet::Util::Platform.jruby? do
       client_cert.not_before = Time.now + (5 * 60 * 60)
+      int_key = key_fixture('intermediate-key.pem')
+      client_cert.sign(int_key, OpenSSL::Digest::SHA256.new)
+
       expect {
         subject.create_context(**config.merge(client_cert: client_cert))
       }.to raise_error(Puppet::SSL::CertVerifyError,
@@ -399,6 +402,9 @@
 
     it 'raises if cert is expired', unless: Puppet::Util::Platform.jruby? do
       client_cert.not_after = Time.at(0)
+      int_key = key_fixture('intermediate-key.pem')
+      client_cert.sign(int_key, OpenSSL::Digest::SHA256.new)
+
       expect {
         subject.create_context(**config.merge(client_cert: client_cert))
       }.to raise_error(Puppet::SSL::CertVerifyError,