I've got to generate a CSR for an SSL certificate and one of the first steps is to make sure the time is set properly on the device generating the CSR! The time on our current ASA is skewed. This caused me to look at several other devices we own globally and ALL of them are on different times.
What is the best practice way to set time in a global environment (that uses technologies like IPSEC site-to-site VPN and SSLVPN)?
When making changes to a global environment, what things need to be checked / considered when making changes to time on several devices?
I would've just changed the time on the ASA to the right time manually but the fact that the SSL certs based some sort of check off of time made me take a step back. Thanks in advance for any reassurance or suggestions on how to address the configuration of time in our environment as a whole.
I am glad that you found our suggestions to be helpful. Thank you for using the rating system to mark the question as answered. It makes the forum more useful when participants can read a question and can know that helpful answers were received. Your marking has contributed to this process.
I second Rick's suggestion and call for a vote.
NTP is the way to go.
I've heard varying opinions on whether to use the local timezone or UTC (GMT), but most things you care about include the UTC offset with their timestamps so, for me, using local time makes the CLI output more usable from a human perspective.
If your organization has multiple devices in multiple time zones then a choice needs to be made about whether to use local time at each site, or to have a common time zone for all sites. There is not a clear answer to this question and it will depend on some aspects of your organization.
If each site actively manages their own devices and there is minimal management from a central site, then the choice pretty clearly would be to use local time. If most of the management is done from a central site and there is minimal management at the local site, then the choice pretty clearly is for a common time zone. If management is shared between local administrators and the central site then the choice is not clear, but I would probably suggest a common time zone.
Thanks so much for the feedback, I feel confident about how to re-organize the times on all of our devices.
The last part of my question was:
What things do you need to consider/check for that are affected by time? In my first example, we've got SSLVPN certs and I know time is a factor with them. Want to make sure I've covered all of my bases before I go in and change the time across the board!
Thanks in advance for all of your experience and insight, it's greatly appreciated!
Just be aware that there are two "kinds" of NTP solutions. One is called a baby- or lite-NTP. It's called this because, by itself, the appliance needs to go out to the internet to get NTP synchronization.
Another one, more expensive, is a "stand-alone" NTP server. The only thing this appliance needs is a place to stick the GPS antenna. This solution is probably the best solution.