Forum Discussion

hui_37443's avatar
hui_37443
Icon for Nimbostratus rankNimbostratus
Jan 17, 2013

newly created client cert triggers error

Our solution enables user to download a new client certificate from CA, in realtime. Once done they have to wait for a while, e.g. half minute, before accessing our web applicatin site. Otherwise, F5 which required mutual ssl, throws an error saying "certificate is not yet valid". My understanding is that CA & F5 may have slight clock difference and therefore the newly created client cert is not technical valid yet.

 

Is there a way to make F5 more lenient on the certificate's "not before" value, so that the minor clock difference won't shut out the client?

 

Thanks,

 

security

4 Replies

Sort By
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Jan 17, 2013
    Hi Hui,

     

     

    I'm not sure what options you have for loosening the time check. You might be able to disable it or set the LTM time a bit slow. But the real solution is to make sure both devices are using NTP to sync their clocks. How could a CA not being using NTP??

     

     

    Aaron
  • hui_37443's avatar
    hui_37443
    Icon for Nimbostratus rankNimbostratus
    Jan 25, 2013

    Is there a way to disable "not before" check on F5? Playing around clock doesn't sound attractive as I can't foresee the impact.

     

  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Jan 25, 2013
    I wouldn't have thought so and there would obviously be security implications too. I'd suggest it would be better to discuss the time issue with your CA.
  • Arie's avatar
    Arie
    Icon for Altostratus rankAltostratus
    Feb 01, 2013

    It would be highly unlikely for a CA to not have the correct time. Is the LTM-clock right? I've seen LTMs failing to contact the NTP-server (e.g. LTM mis-configuration, firewall rule).