Why do RPKI objects have two expiry dates?
Individual objects (like a ROA) on RPKI are signed using a x509 certificate chain. These certificates also have individual expiry dates (this is what is shown on the Expires On section), however the maximum validity of the object is always limited by the nearest to expire certificate in the chain. Ideally the expiry on these objects should not be sooner than a few days.
In addition to that there are also secondary objects that impact the validity of the objects, The most common one are Certificate Revocation Lists (CRLs) for parts of the chain. These are set up to expire far sooner in the future than a certificate would be. This is because their validity controls how long an active attacker could (in practice) present a “clean” CRL list (the one that does not have the revoked certificate). For this reason you can expect this date to be a lot sooner. A expiry time of less than 24 hours is considered acceptable, while a time of less than 5 hours would trigger a bgp.tools monitoring alert.
bgp.tools presents these two different numbers because some RPKI validators are known to ignore CRL lists (a security risk in itself) and so can function with an expired CRL. But also because it shows you how long a RPKI chain could survive with no updates (as the infrastructure and signing keys need to be online to make new CRL files)