You have enabled SSL interception on Edge Secure Web Gateway (Edge SWG) or ProxySG. Looking at the website certificate in the web browser, you have verified that the certificate is issued by the Sub CA on the Edge SWG keyring. However, the validity period for the web site certificate does not match that of the Sub CA certificate. See example below:
Website Certificate Issued:
SSL Keyring certificate used for interception:
This behavior is expected.
The web server certificate (the one you see on the browser) is actually generated by the ProxySG dynamically at runtime emulating the original SSL certificate of the WebServer. Hence the issue date & expiry date of the website certificate will differ from the Sub CA certificate used for interception.