newly created client cert triggers error


Our solution enables users to download a new client certificate from the CA, in real time. Once done they have to wait for a while, e.g. half a minute, before accessing our web application site. Otherwise, the F5, which requires mutual SSL, throws an error saying "certificate is not yet valid". My understanding is that the CA & F5 may have a slight clock difference and therefore the newly created client cert is not technically valid yet.

Is there a way to make F5 more lenient on the certificate's "not before" value, so that the minor clock difference won't shut out the client?


4 Answer(s):

Hi Hui,

I'm not sure what options you have for loosening the time check. You might be able to disable it or set the LTM time a bit slow. But the real solution is to make sure both devices are using NTP to sync their clocks. How could a CA not be using NTP??


Is there a way to disable the "not before" check on F5? Playing around with the clock doesn't sound attractive as I can't foresee the impact.

I wouldn't have thought so and there would obviously be security implications too. I'd suggest it would be better to discuss the time issue with your CA.

It would be highly unlikely for a CA to not have the correct time. Is the LTM-clock right? I've seen LTMs failing to contact the NTP-server (e.g. LTM mis-configuration, firewall rule).
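A small diagnostic for the symptom in this thread, added here as an example and not taken from F5 or from any of the answers above: it parses the validity dates that `openssl x509 -noout -dates` prints for the client certificate and checks them against the verifier's clock with a configurable skew tolerance, so you can see how long a strict verifier such as the LTM would reject a freshly issued cert. The sample dates, the clock values and the 30-second tolerance are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of what `openssl x509 -noout -dates -in client.pem`
# prints for a freshly issued client certificate (values made up here).
SAMPLE_DATES = """notBefore=Mar  4 10:15:07 2024 GMT
notAfter=Mar  4 10:15:07 2025 GMT
"""

_OPENSSL_FMT = "%b %d %H:%M:%S %Y"


def parse_openssl_dates(text):
    """Parse the notBefore/notAfter lines emitted by `openssl x509 -dates`
    into timezone-aware UTC datetimes."""
    found = {}
    for m in re.finditer(r"^(notBefore|notAfter)=(.+?) GMT\s*$", text, re.M):
        # OpenSSL pads single-digit days with a space ("Mar  4"); collapse it.
        stamp = " ".join(m.group(2).split())
        found[m.group(1)] = datetime.strptime(stamp, _OPENSSL_FMT).replace(
            tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("missing notBefore/notAfter in OpenSSL output")
    return found["notBefore"], found["notAfter"]


def check_validity(not_before, not_after, now, skew=timedelta(0)):
    """Evaluate the validity window against the verifier's clock `now`.
    `skew` is the tolerance the verifier grants; a strict check like the
    one in the question is skew=0. Returns (status, seconds_until_valid),
    where seconds_until_valid is the time a strict verifier would still
    reject the certificate."""
    if now + skew < not_before:
        return "not_yet_valid", (not_before - now).total_seconds()
    if now - skew > not_after:
        return "expired", 0.0
    return "valid", 0.0


if __name__ == "__main__":
    nb, na = parse_openssl_dates(SAMPLE_DATES)
    # Constructed LTM clock: 17 s behind the CA that just issued the cert.
    ltm_now = datetime(2024, 3, 4, 10, 14, 50, tzinfo=timezone.utc)
    print("strict:", check_validity(nb, na, ltm_now))
    print("30s tolerance:", check_validity(nb, na, ltm_now,
                                           timedelta(seconds=30)))
```

Run it against a real certificate by piping the output of `openssl x509 -noout -dates` into `parse_openssl_dates` and passing the LTM's actual clock reading as `now`; a non-zero wait with skew=0 is the clock offset you need to fix with NTP rather than tolerate.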
