Passivate imported keys if the associated certificate is expired

Closes #34973

Signed-off-by: rmartinc <rmartinc@redhat.com>
This commit is contained in:
rmartinc
2024-11-20 14:55:04 +01:00
committed by Marek Posolda
parent 948760ae45
commit b0b247f1f1
16 changed files with 338 additions and 129 deletions
@@ -78,3 +78,9 @@ Previously, the three mappers (`Client Id`, `Client Host` and `Client IP Address
In this release, admin events might hold additional details about the context when the event is fired. When upgrading you should
expect the database schema being updated to add a new column `DETAILS_JSON` to the `ADMIN_EVENT_ENTITY` table.
= Imported key providers check and passivate keys with a expired cetificate
The key providers that allow to import externally generated keys (`rsa` and `java-keystore` factories) now check the validity of the associated certificate if present. Therefore a key with a certificate that is expired cannot be imported in {project_name} anymore. If the certificate expires at runtime, the key is converted into a passive key (enabled but not active). A passive key is not used for new tokens, but it is still valid for validating previous issued tokens.
The default `generated` key providers generate a certificate valid for 10 years (the types that have or can have an associated certificate). Because of the long validity and the recommendation to rotate keys frequently, the generated providers do not perform this check.
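Review bot: the added section title `= Imported key providers check and passivate keys with a expired cetificate` carries two typos and should read `= Imported key providers check and passivate keys with an expired certificate`; since this text becomes the upgrading guide, please also fix the grammar in the body: `allow to import` should be `allow importing`, `cannot be imported in {project_name}` should be `cannot be imported into {project_name}`, and `previous issued tokens` should be `previously issued tokens`. Two clarity points in the same paragraphs: the parenthetical `(the types that have or can have an associated certificate)` dangles after the 10-year sentence and reads better as `for the key types that carry an associated certificate, the default generated providers ...`; and the note describes the new state only as `passive key (enabled but not active)`, so consider adding one sentence telling administrators what to do when a key is passivated at runtime (import a renewed certificate or rotate to a new key), since the text otherwise leaves the reader with a key that silently stops signing new tokens.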