Forum Discussion
Nimbostratusnewly created client cert triggers error
Our solution enables user to download a new client certificate from CA, in realtime. Once done they have to wait for a while, e.g. half minute, before accessing our web applicatin site. Otherwise, F5 which required mutual ssl, throws an error saying "certificate is not yet valid". My understanding is that CA & F5 may have slight clock difference and therefore the newly created client cert is not technical valid yet.
Is there a way to make F5 more lenient on the certificate's "not before" value, so that the minor clock difference won't shut out the client?
Thanks,
4 Replies
hoolioCirrostratus
Hi Hui,
I'm not sure what options you have for loosening the time check. You might be able to disable it or set the LTM time a bit slow. But the real solution is to make sure both devices are using NTP to sync their clocks. How could a CA not being using NTP??
Aaron
hui_37443Is there a way to disable "not before" check on F5? Playing around clock doesn't sound attractive as I can't foresee the impact.
What_Lies_Bene1I wouldn't have thought so and there would obviously be security implications too. I'd suggest it would be better to discuss the time issue with your CA.- Arie
Altostratus
It would be highly unlikely for a CA to not have the correct time. Is the LTM-clock right? I've seen LTMs failing to contact the NTP-server (e.g. LTM mis-configuration, firewall rule).
