while looking at an issued certificate at crt.sh i came across a query
https://crt.sh/?id=1919739664
above is a precertificate for some domains it has parameters like.
Validity
Not Before: Sep 24 06:05:56 2019 GMT
Not After : Dec 23 06:05:56 2019 GMT
This means certificate was signed and usable after this timestamp Sep 24 06:05:56 2019 GMT
now on looking at its CT precertificate data below
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1(0)
Log Name : DigiCert Yeti 2019
Log ID : E2:69:4B:AE:26:E8:E9:40:09:E8:86:1B:B6:3B:83:D4:
3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
Timestamp : Sep 24 07:05:56.809 2019 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:5F:E1:4D:66:DD:9E:63:B5:70:CB:8B:5D:
38:4F:B3:3F:17:03:0F:45:44:7B:60:1F:AE:FD:D3:42:
28:20:57:AB:02:20:13:9B:A0:6F:85:94:C6:9B:63:15:
0F:32:7C:BA:D4:7B:CA:D0:07:7F:B2:F6:41:0D:23:A3:
E1:19:49:2B:52:90
Signed Certificate Timestamp:
Version : v1(0)
Log Name : Google Argon 2019
Log ID : 63:F2:DB:CD:E8:3B:CC:2C:CF:0B:72:84:27:57:6B:33:
A4:8D:61:77:8F:BD:75:A6:38:B1:C7:68:54:4B:D8:8D
Timestamp : Sep 24 07:05:56.841 2019 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:2C:ED:7F:2C:FD:0A:1C:7A:D4:4A:02:E9:
FE:76:C5:1D:D7:B9:78:6D:CB:35:50:18:55:56:6F:5E:
BA:94:04:20:02:20:56:32:3D:55:94:0E:A1:03:BE:A7:
5E:D5:2E:B3:12:C9:07:AF:22:DD:F1:BF:95:EA:0E:D1:
81:EE:50:DE:C8:39
it seems from the above data that signed certificate time stamp in precertificate is Sep 24 07:05:56.841 2019 GMT
The certificate authority (CA) submits a precertificate to the log, and the log returns an SCT. The CA then attaches the SCT to the precertificate as an X.509v3 extension, signs the certificate, and delivers the certificate to the server operator.
how come SCT is one hour later then the certificate validity start time ?