Method CertificateValidity.construct() requires that in the DER encoding being parsed, then notBefore and notAfter fields are required to be either both UTCTime or both Generalized time.

The PKIX draft, however, says that times before 2050 should be UTCTime and times after should be Generalized time. Hence certificates whose validity interval straddles 2050 must, according to PKIX, accept a UTCTime value for notBefore and a GeneralizedTime for notAfter.

In any case, it makes sense to accept either kind of time for either field.