On Thu, Jul 23, 2020 at 10:25:40AM -0500, Joseph Reynolds wrote:
> 2. certificate is good but expired or not yet valid - Use the
> certificate and log a warning.

I suspect that "not yet valid" is a more common case than might be assumed on the surface. I agree with the recommended action.

Many of the Facebook server designs do not have a hardware RTC available to the BMC. We have an RTC accessible by the BIOS and we also sync with NTP. That means there is always a period of time after we first plug in the rack where the servers in the rack have a date that is way wrong. It is reasonable to assume the date is just wrong and the certificate is valid. The clients can validate a certificate which is actually out of date.

I'm less settled on using a certificate which is clearly expired, but it is still likely better than using a newly-generated self-signed certificate.

-- 
Patrick Williams
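The policy discussed in this message (an otherwise good certificate that the local clock says is not yet valid, or expired, is used and a warning is logged) can be made concrete by separating the checks that do not depend on the clock from the validity-window check. The following is an added example written for this page, not code from the thread or from OpenBMC; it uses only the Go standard library. The names `ClassifyWindow`, `VerifyIgnoringClock` and `Scenario` are hypothetical, the certificate it mints is constructed test material, and the trick of verifying the chain at an instant inside the leaf's own window (so that chain building, signatures and issuer trust are still enforced while a wrong BMC clock cannot cause a rejection) is the editor's technique, not something the thread proposes. It assumes the issuer's window covers the leaf's NotBefore, which is the normal case.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Disposition is what the client decides after comparing the certificate's
// validity window with the local clock.
type Disposition int

const (
	Accept            Disposition = iota // inside the window
	AcceptWarnNotYet                     // NotBefore is in the future: the local clock is probably wrong
	AcceptWarnExpired                    // NotAfter is in the past: used, but with a warning
	Reject                               // a real failure (bad signature, unknown issuer, ...)
)

func (d Disposition) String() string {
	return [...]string{"accept", "accept (warn: not yet valid)", "accept (warn: expired)", "reject"}[d]
}

// ClassifyWindow applies the window policy from the thread. On a BMC with no
// RTC, `now` may be decades off, so being outside the window is not fatal.
func ClassifyWindow(cert *x509.Certificate, now time.Time) Disposition {
	switch {
	case now.Before(cert.NotBefore):
		return AcceptWarnNotYet
	case now.After(cert.NotAfter):
		return AcceptWarnExpired
	default:
		return Accept
	}
}

// VerifyIgnoringClock verifies the chain (issuer trust, signatures, key usage)
// at an instant inside the leaf's own window, so the local clock cannot turn a
// good certificate into a rejection; the window is then judged against `now`.
// Assumption: the issuer's window covers leaf.NotBefore (the normal case).
func VerifyIgnoringClock(leaf *x509.Certificate, roots *x509.CertPool, now time.Time) (Disposition, error) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: leaf.NotBefore.Add(time.Second)}
	if _, err := leaf.Verify(opts); err != nil {
		return Reject, err
	}
	return ClassifyWindow(leaf, now), nil
}

// selfSigned mints a throwaway self-signed certificate with the given window
// (constructed test material, not a real BMC certificate).
func selfSigned(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "bmc.example"}, // hypothetical name
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Scenario builds a certificate valid from notBefore to notAfter and evaluates
// it with the local clock reading `now`. With trusted=false the root pool is
// left empty, standing in for any failure that is not a clock problem.
func Scenario(notBefore, notAfter, now time.Time, trusted bool) (Disposition, error) {
	cert, err := selfSigned(notBefore, notAfter)
	if err != nil {
		return Reject, err
	}
	roots := x509.NewCertPool()
	if trusted {
		roots.AddCert(cert)
	}
	return VerifyIgnoringClock(cert, roots, now)
}

func main() {
	issued := time.Date(2020, 7, 1, 0, 0, 0, 0, time.UTC)
	expires := issued.AddDate(1, 0, 0)
	clocks := []struct {
		name string
		now  time.Time
	}{
		{"fresh rack, clock at epoch", time.Unix(0, 0).UTC()},
		{"clock synced by NTP", issued.AddDate(0, 1, 0)},
		{"years later, cert expired", expires.AddDate(2, 0, 0)},
	}
	for _, c := range clocks {
		d, err := Scenario(issued, expires, c.now, true)
		fmt.Printf("%-28s -> %v (err=%v)\n", c.name, d, err)
	}
}
```

The point of the split is that a wrong clock only ever downgrades the result from "accept" to "accept with warning"; a bad signature or an untrusted issuer still rejects regardless of the clock. The caveat the thread itself raises remains: accepting an expired certificate with a warning is a policy decision, and a deployment that can trust its clock (after NTP sync, say) may reasonably switch `AcceptWarnExpired` to a rejection.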