From a923c8f37c35a14d0930a21b1a33ead2d0c25ad4 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Mon, 8 Oct 2018 17:00:03 -0400
Subject: [PATCH] Re-add default NotBefore duration in PKI

Fixes #5481
---
 builtin/logical/pki/cert_util.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go
index 7426a40db154..f45c766fb21b 100644
--- a/builtin/logical/pki/cert_util.go
+++ b/builtin/logical/pki/cert_util.go
@@ -1178,6 +1178,7 @@ func createCertificate(data *dataBundle) (*certutil.ParsedCertBundle, error) {
 
 certTemplate := &x509.Certificate{
 SerialNumber: serialNumber,
+ NotBefore: time.Now().Add(-30 * time.Second),
 NotAfter: data.params.NotAfter,
 IsCA: false,
 SubjectKeyId: subjKeyID,
@@ -1380,6 +1381,7 @@ func signCertificate(data *dataBundle) (*certutil.ParsedCertBundle, error) {
 certTemplate := &x509.Certificate{
 SerialNumber: serialNumber,
 Subject: data.params.Subject,
+ NotBefore: time.Now().Add(-30 * time.Second),
 NotAfter: data.params.NotAfter,
 SubjectKeyId: subjKeyID[:],
 AuthorityKeyId: caCert.SubjectKeyId,
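Review bot: The 30-second backdate in `NotBefore: time.Now().Add(-30 * time.Second)` is an unexplained literal in the createCertificate template, and the same expression is repeated in the signCertificate hunk. It presumably exists to tolerate clock skew between the issuing server and the parties that verify the certificate, so one shared declaration such as `const notBeforeBackdate = 30 * time.Second`, with the comment `// backdate NotBefore so verifiers with slightly slow clocks do not reject a freshly issued certificate`, would keep the two templates from drifting apart. The subject says this default is being re-added and the diffstat shows only cert_util.go changed, so a test asserting that issued and signed certificates carry a NotBefore slightly earlier than issuance time would catch a repeat of the regression. Both function bodies start and end outside their hunks.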