Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

newly created client cert triggers error

Our solution enables user to download a new client certificate from CA, in realtime. Once done they have to wait for a while, e.g. half minute, before accessing our web applicatin site. Otherwise, F5 which required mutual ssl, throws an error saying "certificate is not yet valid". My understanding is that CA & F5 may have slight clock difference and therefore the newly created client cert is not technical valid yet.

Is there a way to make F5 more lenient on the certificate's "not before" value, so that the minor clock difference won't shut out the client?

Thanks, 

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Hi Hui,

I'm not sure what options you have for loosening the time check. You might be able to disable it or set the LTM time a bit slow. But the real solution is to make sure both devices are using NTP to sync their clocks. How could a CA not being using NTP??

Aaron
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Is there a way to disable "not before" check on F5? Playing around clock doesn't sound attractive as I can't foresee the impact.

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
I wouldn't have thought so and there would obviously be security implications too. I'd suggest it would be better to discuss the time issue with your CA.
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

It would be highly unlikely for a CA to not have the correct time. Is the LTM-clock right? I've seen LTMs failing to contact the NTP-server (e.g. LTM mis-configuration, firewall rule).

0