Time by time I receive questions about difference between current time on CA server and actual signing time which is included in the NotBefore (Valid From) field in the issued certificates. Most users notice that Valid From field is set 10 minutes prior to current time and attempts to find possible issues with time synchronization.

Don’t worry, it is expected behavior. By default Microsoft CA sets Valid From 10 minutes before current time. To explain this we need to recall time difference allowed in Active Directory domains. As you may know, Key Distribution Center (KDC) allows time difference between KDC time and remote service that utilizes Kerberos up to 5 minutes (by default) in each direction.

And now consider the following scenario: we have three servers: remote service, KDC and CA server. Current time at remote service is 10:00, at KDC 10:05, at CA 10:10. From KDC perspective both, CA and remote service are time-synchronized. It is easy to see that if CA server receives certificate request, the Valid From is set to: 10:10 minus 10 minutes = 10:00. This guarantees that issued certificate can be immediately used for authentication at remote service. Otherwise there could be issues that remote service considers presented certificate as not yet valid.

If you have configured custom time difference between KDC and clients, you should consider to configure your CA accordingly. Clock skew on CA server must be set as a double allowed time difference for Kerberos. The following command can be used to set new clock skew value:

certutil –setreg ca\ClockSkewMinutes 20

where 20 is new clock skew value. As always, you need to restart certificate services to apply changes:

net stop certsvc && net start certsvc