time difference between CA system time and certificate issued

    Question

  • Hi

    I am currently using Windows 2008 R2 certificate services. The CA server is integrated with nCipher HSM.

    I found the certificates issued had their validity start time 11 minutes behind the CA server system time. I checked with the HSM vendor and they mentioned that HSM does not time stamp for crypto services (ie., signing). Also, the HSM date and time are correct.

    I am lost as to where the issue is.

    Could anyone please suggest where I should investigate?

    Thanks & Regards

    Sanurajan.

    Wednesday, July 03, 2013 1:09 AM

Answers

  • Everything is working as designed. There is a registry value ClockSkewMinutes that is set to 10 minutes by default (yours might be set to 11 for some reason), that defines the beginning of the validity period to be ten minutes prior to the current time. This ensures that when a certificate is issued, it can be used immediately, even if the client/server is out of sync for time with the time source that the CA uses. By default, if I remember correctly, Kerberos allows for a maximum time difference of 8 - 10 minutes before it thinks that a logon attempt is a replay attack.

    The 10 minute difference in the validity period of the certificate allows the certificate to be used, even if the time on the client is up to 11 minutes behind (in your case).

    HTH,

    Brian

    • Proposed as answer by Vadims PodansMVP Wednesday, July 03, 2013 9:46 AM
    • Marked as answer by Ted Xie Monday, July 08, 2013 6:46 AM
    Wednesday, July 03, 2013 2:25 AM

All replies

  • Everything is working as designed. There is a registry value ClockSkewMinutes that is set to 10 minutes by default (yours might be set to 11 for some reason), that defines the beginning of the validity period to be ten minutes prior to the current time. This ensures that when a certificate is issued, it can be used immediately, even if the client/server is out of sync for time with the time source that the CA uses. By default, if I remember correctly, Kerberos allows for a maximum time difference of 8 - 10 minutes before it thinks that a logon attempt is a replay attack.

    The 10 minute difference in the validity period of the certificate allows the certificate to be used, even if the time on the client is up to 11 minutes behind (in your case).

    HTH,

    Brian


    Kerberos allows 5 minutes (by default) difference between client and KDC clocks.

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

    Wednesday, July 03, 2013 9:47 AM
  • Thanks Brian & Vadims. If Kerberos accepts up to 5 minutes of time difference, then how will certificates issued with 10 minutes be accepted? Sanurajan.
    Wednesday, July 03, 2013 9:02 PM
  • Thanks Brian & Vadims. If Kerberos accepts up to 5 minutes of time difference, then how will certificates issued with 10 minutes be accepted? Sanurajan.

    You are thinking about it the wrong way. The CA just sets the certificate validity start time to 10 minutes prior to the current time. This guarantees that the certificate can be used immediately after it is signed. Consider the following scenario: the CA server time is 10:10, the KDC time is 10:05 and the service's time (to which the certificate could be presented) is 10:00. Kerberos accepts up to 5 minutes of difference in both directions. Combining 5 minutes in both directions we get 10 minutes overall. This is why the CA sets the start 10 minutes prior to the CA's clock time. Does it make sense now?

    BTW, a certificate is accepted in all cases if its validity starts sooner and ends later than any server's clock in question.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.


    Thursday, July 04, 2013 5:58 AM
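To make the backdating that Brian and Vadims describe concrete, here is a small model of the check a relying party performs with its own clock. This is added example code, not anything from the thread or from the Windows CA itself; the dates are constructed from Vadims' 10:10 / 10:05 / 10:00 scenario, and the way NotAfter is derived (CA time plus the validity period) is an assumption made for the example.

```python
from datetime import datetime, timedelta

# Default of the CA registry value ClockSkewMinutes discussed in the thread.
DEFAULT_CLOCK_SKEW_MINUTES = 10


def validity_window(ca_now: datetime, validity: timedelta,
                    clock_skew_minutes: int = DEFAULT_CLOCK_SKEW_MINUTES):
    """Model how the CA backdates NotBefore by ClockSkewMinutes.

    Assumption (not stated in the thread): NotAfter is ca_now + validity,
    so the skew allowance only widens the front of the window.
    """
    not_before = ca_now - timedelta(minutes=clock_skew_minutes)
    not_after = ca_now + validity
    return not_before, not_after


def is_within_window(not_before: datetime, not_after: datetime,
                     verifier_now: datetime) -> bool:
    """The time check a relying party performs using its *own* clock."""
    return not_before <= verifier_now <= not_after


def usable_immediately(ca_now: datetime, verifier_now: datetime,
                       clock_skew_minutes: int = DEFAULT_CLOCK_SKEW_MINUTES) -> bool:
    """Would a verifier whose clock reads verifier_now accept a certificate
    the CA signed at ca_now, right away?"""
    nb, na = validity_window(ca_now, timedelta(days=365), clock_skew_minutes)
    return is_within_window(nb, na, verifier_now)


def thread_scenario(clock_skew_minutes: int = DEFAULT_CLOCK_SKEW_MINUTES) -> dict:
    """Clocks from Vadims' example: CA 10:10, KDC 10:05, service 10:00.

    Returns, per party, whether it would accept the freshly issued cert.
    """
    ca = datetime(2013, 7, 3, 10, 10)  # constructed sample date
    parties = {"kdc": datetime(2013, 7, 3, 10, 5),
               "service": datetime(2013, 7, 3, 10, 0)}
    return {name: usable_immediately(ca, clock, clock_skew_minutes)
            for name, clock in parties.items()}


if __name__ == "__main__":
    # Skew 0 rejects both lagging parties; 5 covers only the KDC; 10 covers both.
    for skew in (0, 5, 10, 11):
        print(f"ClockSkewMinutes={skew:2d}: {thread_scenario(skew)}")
```

Set the skew to 0 and the service whose clock is 10 minutes behind the CA rejects the certificate as "not yet valid" until its own clock catches up, which is exactly the failure the default setting prevents.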