Do you backdate LE certificates? If so, for how much earlier than the actual issued date?
Do you issue all your certs with proper UTC time for the issued-on and expiry dates?
If we had a certificate issued by you in one country, would we face any problems or any client and browser errors when deploying it immediately in another country across the globe? i.e. time zone considerations.
In general, please share any best practices / guidelines about SSL certificates with respect to time and time zone. We’re asking in the context of the 3 parties involved – CAs, servers, and user agents – each party could have correct / incorrect time or could be in a different time zone.
Certificates are backdated by one hour to allow for clock skew. All certificates use UTC time; the time zone is stored as part of the date in the certificate.
User agents in other timezones are fine as long as their time zone and clocks are configured correctly. Some browsers (like Chrome) have started to detect these misconfigurations and tell users to fix their clocks if that’s causing a site to show an SSL warning.
There’s probably a very small percentage of users browsing with misconfigured timezones out there (I haven’t seen any number on this specific problem). If you want to avoid those users seeing warnings, you could theoretically renew your certificate on Day N, but only start using it on Day N+1 - that should account for most timezone misconfigurations. However, I suspect the number of users affected by this is so small that it wouldn’t be worth the trouble - the one-hour backdating should take care of the most common clock skew issues.
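
Added example, not part of the original thread and not Let's Encrypt code: a Python sketch of the validity-period check a user agent performs, showing which client clock or time zone errors the one-hour backdating absorbs and which need the Day N+1 deferral. The certificate dates are constructed sample values, the function names are hypothetical, and the time zone model assumes the user set the wall clock to the correct local time while the OS time zone setting is wrong.

```python
import ssl
from datetime import datetime, timedelta, timezone

BACKDATE = timedelta(hours=1)  # backdating stated in the answer above

# Constructed sample validity dates, in the format printed by
# `openssl x509 -noout -dates` and returned by ssl.getpeercert().
NOT_BEFORE = "Jan  5 09:34:43 2018 GMT"
NOT_AFTER = "Apr  5 09:34:43 2018 GMT"

def parse_cert_time(text):
    """Certificate time string -> timezone-aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def believed_utc(true_utc, real_offset_h, configured_offset_h, clock_error=timedelta(0)):
    """UTC as the client computes it. Assumption: the user set the wall clock
    to the correct local time, but the OS time zone setting is wrong."""
    wall_clock = true_utc + timedelta(hours=real_offset_h) + clock_error
    return wall_clock - timedelta(hours=configured_offset_h)

def verdict(not_before, not_after, now_utc):
    """Validity-period check a user agent applies with its own idea of 'now'."""
    if now_utc < not_before:
        return "not-yet-valid"
    if now_utc > not_after:
        return "expired"
    return "ok"

def earliest_deploy(not_before, max_client_lag):
    """Earliest true UTC at which a client lagging by max_client_lag accepts the cert."""
    return not_before + max_client_lag

if __name__ == "__main__":
    nb, na = parse_cert_time(NOT_BEFORE), parse_cert_time(NOT_AFTER)
    issued = nb + BACKDATE  # actual issuance time implied by the backdating
    cases = {
        "correct clock and zone": believed_utc(issued, 1, 1),
        "clock 30 min slow": believed_utc(issued, 1, 1, timedelta(minutes=-30)),
        "in UTC+1, zone set to UTC+9": believed_utc(issued, 1, 9),
        "same client, deployed Day N+1": believed_utc(issued + timedelta(days=1), 1, 9),
    }
    for name, now in cases.items():
        print(f"{name:32} {now:%Y-%m-%d %H:%M} UTC -> {verdict(nb, na, now)}")
    print("deploy no earlier than", earliest_deploy(nb, timedelta(hours=8)))
```

To check a real certificate, replace the two sample strings with the output of `openssl x509 -noout -dates`.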