Certificates issued one hour too early?

rgj · November 30, 2021, 8:30am

I just issued a new certificate (using resty_auto_ssl) at 9.22 CET / 8:22 UTC, about 10 minutes ago.
However, the certificate shows an issue timestamp of one hour earlier.

Is this by design? GMT is always UTC+0, right?

openssl x509 -dates says:

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = (redacted)
verify return:1
notBefore=Nov 30 07:22:31 2021 GMT
notAfter=Feb 28 07:22:30 2022 GMT

_az · November 30, 2021, 9:06am

Yes, certificates are backdated intentionally, to avoid issues with clock skew. (Though it does not solve all clock skew problems e.g. OCSP responses are not backdated.)

system · December 30, 2021, 9:06am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.