...
You may also notice that the next level down in the chain is CN = USERTrust RSA Certification Authority
which also expires on 2020-05-30, and that is the certificate that has signed the CN = GEANT OV RSA CA 4
certificate that in turn has signed the SSL certificate for your server. That also seems bad, doesn't it? It turns out that certificate is there to support the CN = AddTrust External CA Root "feature" and that there is another version of CN = AddTrust External CA Root
present in the root store of the browsers (using the same key) which is valid until 2038-01-18, and that is the one that matters and makes the browser trust the GEANT-branded CA certificate and therefore your server certificate.
...