Windows 2019 Certificate Authority is adding 10 minutes to my Certificate Expiration Date

Chris Krikorian 21 Reputation points
2020-09-23T04:23:18.01+00:00

Here's one for the ages. I built a new subCA from a base Server 2019 build. I have done this several times in the past. I issued it a 10-year cert from the RootCA. So far everything is good. I configured certificates to be valid for two years. Now when we request certificates using the default IPSec (Offline request) template, it issues certificates for 2 years and 10 minutes. It's driving me nuts. I currently have a case open with Microsoft and they have no idea what it is.

Anyone that can help me figure this out? I've hit a wall. I have exhausted all my avenues and apparently Microsoft's...

Thanks,

Chris


Accepted answer
  1. Vadims Podāns 8,081 Reputation points MVP
    2020-09-23T07:21:52.047+00:00

    It is a clock skew. The CA adds it to all signed stuff, such as certificates and CRLs, to allow clocks between the enrollment client and the CA server to be out of sync for a bit: +/- 5 mins. 5 mins is not a random value; it is derived from the Kerberos threshold. The behavior you are observing is expected, correct and by design. You should not do anything with it.
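
Added example, not part of the thread and not Microsoft's code: a small model of why a CA backdates the start of the validity window, and why the certificate lifetime then reads as the configured period plus the allowance. It assumes the full 10 minutes seen in the question is applied to NotBefore and that "two years" is 730 days; all names and times are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumption: allowance inferred from the 10 extra minutes reported in the
# question, not read from any CA configuration.
BACKDATE = timedelta(minutes=10)
# Assumption: "two years" simplified to 730 days for this model.
NOMINAL = timedelta(days=730)
# Constructed request time (CA clock, UTC).
T0 = datetime(2020, 9, 23, 4, 0, tzinfo=timezone.utc)


def issue(request_time, validity=NOMINAL, backdate=BACKDATE):
    """Model a CA that backdates NotBefore. Returns (not_before, not_after)."""
    return request_time - backdate, request_time + validity


def client_accepts(not_before, not_after, client_now):
    """Validity-window check a relying party performs with its own clock."""
    return not_before <= client_now <= not_after


def excess_lifetime(not_before, not_after, nominal=NOMINAL):
    """How much longer the certificate lives than the configured period."""
    return (not_after - not_before) - nominal


def tolerated_offsets(backdate, offsets_min):
    """Client clock offsets (client minus CA, in minutes) at which a
    certificate is already valid at the moment it is issued."""
    nb, na = issue(T0, NOMINAL, backdate)
    return [m for m in offsets_min
            if client_accepts(nb, na, T0 + timedelta(minutes=m))]


if __name__ == "__main__":
    offsets = range(-15, 16, 5)
    nb, na = issue(T0)
    print("NotBefore:", nb.isoformat())
    print("NotAfter: ", na.isoformat())
    print("Excess over configured validity:", excess_lifetime(nb, na))
    # Without backdating, any client whose clock is behind the CA sees
    # "certificate not yet valid" right after enrollment.
    print("Accepted offsets, no backdating:", tolerated_offsets(timedelta(0), offsets))
    print("Accepted offsets, backdated:    ", tolerated_offsets(BACKDATE, offsets))
```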


1 additional answer

  1. Chris Krikorian 21 Reputation points
    2020-09-23T04:32:33.653+00:00

    26763-certificates-issued.jpg

    10 minutes added mysteriously ¯_(ツ)_/¯