Our solution enables user to download a new client certificate from CA, in realtime. Once done they have to wait for a while, e.g. half minute, before accessing our web applicatin site. Otherwise, F5 which required mutual ssl, throws an error saying "certificate is not yet valid". My understanding is that CA & F5 may have slight clock difference and therefore the newly created client cert is not technical valid yet.
Is there a way to make F5 more lenient on the certificate's "not before" value, so that the minor clock difference won't shut out the client?
Is there a way to disable "not before" check on F5? Playing around clock doesn't sound attractive as I can't foresee the impact.
It would be highly unlikely for a CA to not have the correct time. Is the LTM-clock right? I've seen LTMs failing to contact the NTP-server (e.g. LTM mis-configuration, firewall rule).