sealed-secrets
Decrypt secrets encrypted with a custom TLS certificate whose validity has expired
I have a confusion regarding the Bring Your Own Certificate process.
We have our certificate/key pair generated with openssl, whose validity expires soon. There are a bunch of secrets encrypted with this certificate in several clusters. We want to rotate the cert/key pair, but re-encryption of the old secrets with the new certificate will take time. Two questions regarding this process:
- Will the sealed-secrets controller still be able to decrypt the secrets encrypted with the old certificate after the certificate expiration? Or will it throw an error because the certificate is expired?
- How do we add the new TLS key pair while still keeping the old key pair in the controller to decrypt the old secrets? We use the secretName parameter to reference the key, and it's not possible to reference a list of keys with this parameter.