[lug] Understanding a SSL/TLS Certificate Issue

David Stearns stearns at dhyw.com
Fri Jun 19 10:53:02 MDT 2020


I used to regularly run across systems where ntp wasn't running, and
someone had set the month/day/hour/minute by hand (if they set it at all),
but the year was sitting at whatever the BIOS reset to, so sometimes you'd
have a system that looked fine at first glance but was actually off by over
a decade.

-DS

On Fri, Jun 19, 2020 at 10:26 AM Bear Giles <bgiles at coyotesong.com> wrote:

> I was a bit confused by that. I use Kerberos and it's important to keep
> the clocks synced with ntp. They don't have to be synced to within a
> fraction of a second but tickets might only be valid for 5 minutes and
> pre-ntp drifts that large or larger were common.
>
> Server certs are usually valid for several months. I think LetsEncrypt
> defaults to 3 months now, although you can request a shorter lifespan if
> desired. It's hard to imagine a system clock being off by months. CA
> working certs are valid for longer periods and should be rotated. E.g.,
> they might be valid for 12 months with a new cert created on 01/01 and
> 07/01. Requests are always signed with the latest cert. That means that
> existing certs will always be backed by a valid cert plus a little more
> time for client software that's a bit more flexible in enforcing validity
> checks.
>
> Bear
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
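As an added illustration (not part of this thread), the following script turns the two scenarios above into a check a defender can run: given the validity windows of certificates observed from several peers (in the shape `ssl.getpeercert()` returns) and the local clock, it reports whether a "not yet valid"/"expired" failure is better explained by a skewed clock than by bad certificates. The sample certificates and the 2010 "BIOS-reset year" clock are constructed for the example.

```python
import ssl
from datetime import datetime, timedelta, timezone

def parse_window(cert):
    """Return (notBefore, notAfter) as aware UTC datetimes from a dict in the
    shape ssl.getpeercert() returns, e.g. 'Jun 01 00:00:00 2020 GMT'."""
    return tuple(
        datetime.fromtimestamp(ssl.cert_time_to_seconds(cert[k]), tz=timezone.utc)
        for k in ("notBefore", "notAfter")
    )

def classify(cert, now):
    """Explain one validity check against the local clock `now`.
    Returns (status, gap, clock_suspect): status is 'valid', 'not_yet_valid'
    or 'expired'; clock_suspect is True when the gap exceeds the cert's own
    lifetime, which a correctly issued cert should never show to a correct clock."""
    nb, na = parse_window(cert)
    if nb <= now <= na:
        return "valid", timedelta(0), False
    status, gap = ("not_yet_valid", nb - now) if now < nb else ("expired", now - na)
    return status, gap, gap > (na - nb)

def minimal_clock_correction(certs, now):
    """Smallest signed timedelta to add to the local clock so that every cert
    in `certs` is valid at the same instant, or None if no single correction
    works (then at least one certificate really is outside its window)."""
    windows = [parse_window(c) for c in certs]
    lo = max(nb for nb, _ in windows)   # latest notBefore
    hi = min(na for _, na in windows)   # earliest notAfter
    if lo > hi:
        return None
    if now < lo:
        return lo - now
    if now > hi:
        return hi - now
    return timedelta(0)

# Constructed sample: a 90-day cert and a 12-month cert observed in June 2020,
# seen from a machine whose month/day were set by hand but whose year was
# left at a BIOS-reset 2010.
SAMPLE_CERTS = [
    {"notBefore": "Jun 01 00:00:00 2020 GMT", "notAfter": "Aug 30 00:00:00 2020 GMT"},
    {"notBefore": "May 15 00:00:00 2020 GMT", "notAfter": "May 15 00:00:00 2021 GMT"},
]
SKEWED_NOW = datetime(2010, 6, 19, 10, 53, tzinfo=timezone.utc)
CORRECT_NOW = datetime(2020, 6, 19, 10, 53, tzinfo=timezone.utc)

if __name__ == "__main__":
    for c in SAMPLE_CERTS:
        print(c["notBefore"], "->", classify(c, SKEWED_NOW))
    corr = minimal_clock_correction(SAMPLE_CERTS, SKEWED_NOW)
    print("clock correction needed:", corr, "(about %d years)" % (corr.days // 365))
```

If every peer fails in the same direction and one correction of years makes them all valid at once, fix the clock (and ntp) before touching any certificate.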