If you ever find yourself needing to get the expiration date of a certificate used to create a provisioning profile, this snippet does exactly that.
/usr/libexec/PlistBuddy -c 'Print DeveloperCertificates:0' /dev/stdin <<< $(security cms -D -i /path/to/prov_profile.mobileprovision) | openssl x509 -inform DER -noout -enddate
Resources:
https://www.objc.io/issues/17-security/inside-code-signing/