[lug] Understanding a SSL/TLS Certificate Issue

Bear Giles bgiles at coyotesong.com
Fri Jun 19 10:25:38 MDT 2020


I was a bit confused by that. I use Kerberos and it's important to keep the
clocks synced with ntp. They don't have to be synced to within a fraction
of a second but tickets might only be valid for 5 minutes and pre-ntp
drifts that large or larger were common.

Server certs are usually valid for several months. I think LetsEncrypt
defaults to 3 months now, although you can request a shorter lifespan if
desired. It's hard to imagine a system clock being off by months. CA
working certs are valid for longer periods and should be rotated. E.g.,
they might be valid for 12 months with a new cert created on 01/01 and
07/01. Requests are always signed with the latest cert. That means that
existing certs will always be backed by a valid cert plus a little more
time for client software that's a bit more flexible in enforcing validity
checks.

Bear
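As an added illustration of the rotation scheme described above (example code, not from the post): a model with 12-month CA signing certs issued every six months and 90-day leaf certs always signed by the newest CA cert. It walks every issuance day of a year and reports the smallest margin between a leaf's expiry and its signer's expiry; running the same check with yearly rotation shows why the overlap matters. The dates and lifetimes are assumptions chosen to match the post.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed model of the CA rotation scheme from the post (not the author's
# code): CA certs valid 12 months, a new one every `rotation_months`; leaf
# certs live 90 days and are always signed with the newest valid CA cert.

@dataclass(frozen=True)
class Cert:
    name: str
    not_before: date
    not_after: date

    def valid_at(self, when: date) -> bool:
        return self.not_before <= when <= self.not_after

def ca_schedule(year: int, rotation_months: int = 6) -> list[Cert]:
    # Issue a 12-month CA cert on the 1st of every `rotation_months`-th month.
    certs = []
    for y in (year - 1, year, year + 1):
        for m in range(1, 13, rotation_months):
            certs.append(Cert(f"ca-{y}-{m:02d}", date(y, m, 1), date(y + 1, m, 1)))
    return certs

def newest_ca(cas: list[Cert], when: date) -> Cert:
    # Requests are signed with the latest CA cert that is already valid.
    return max((c for c in cas if c.valid_at(when)), key=lambda c: c.not_before)

def issue_leaf(cas: list[Cert], when: date, lifetime=timedelta(days=90)):
    # Returns the leaf cert and the CA cert that signed it.
    ca = newest_ca(cas, when)
    return Cert(f"leaf-{when}", when, when + lifetime), ca

def slack_days(leaf: Cert, ca: Cert) -> int:
    # Days the CA cert stays valid after the leaf expires; negative = leaf outlives signer.
    return (ca.not_after - leaf.not_after).days

def worst_case_slack(year: int, rotation_months: int = 6) -> int:
    # Issue a leaf on every day of the year and keep the smallest slack seen.
    cas = ca_schedule(year, rotation_months)
    day, worst = date(year, 1, 1), None
    while day.year == year:
        slack = slack_days(*issue_leaf(cas, day))
        worst = slack if worst is None or slack < worst else worst
        day += timedelta(days=1)
    return worst

if __name__ == "__main__":
    print("rotate every 6 months:", worst_case_slack(2020, 6), "days of slack")
    print("rotate every 12 months:", worst_case_slack(2020, 12), "days of slack")
```

With six-monthly rotation the leaf issued on 31 December is the tight case and still leaves about three months on its signer; with yearly rotation that same leaf outlives its signer by almost three months.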