Windows 2019 Certificate Authority is adding 10 minutes to my Certificate Expiration Date

Chris Krikorian 21 Reputation points

Here's one for the ages. I built a new subCA from a base Server 2019 build. I have done this several times in the past. I issued it a 10year cert from the RootCA. So far everything is good. I configured certificates to be valid for two years. Now when we request certificates using the default IPSec (Offline request) template it issues certificates for 2yrs and 10 minutes. It's driving me nuts. I currently have a case open with Microsoft and they have no idea what it is.

Anyone that can help me figure this out? I've hit a wall. I have exhausted all my avenues and apparently Microsoft's...



Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,684 questions
0 comments No comments
{count} votes

Accepted answer
  1. Vadims Podāns 8,856 Reputation points MVP

    It is a clock skew. CA adds it to all signed stuff, such as certificates and CRLs to allow clocks between enrollment client and CA server to be out of sync for a bit: +/- 5mins. 5 mins is not a random value, it is derived from Kerberos threshold. The behavior you are observing is expected, correct and by design. You should not do anything with it.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Chris Krikorian 21 Reputation points


    10 minutes added mysteriously ¯_(ツ)_/¯