Vault SSH backend

I’m using Vault to implement an SSH CA in our company. I built a tool to automate most of the tasks in getting the user’s public key signed. I ran into an issue where, as soon as the cert is signed, the user can’t SSH into the server, since the certificate is valid from a few seconds ahead. I don’t know if anyone else has faced this issue, but I want to handle this gracefully. Any suggestions? Golang SSH doesn’t seem to have any method to parse the time and get the time it’s valid from.

Could sound like a silly question, but do all the machines have ntpd/chrony enabled and working correctly?

Thanks @shantanugadgil, my instances couldn’t connect to the internet, so I guess they couldn’t sync time properly.
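Added example, not part of the thread and not Vault's code: reading `valid_after` from a signed `ssh-ed25519` certificate line with only the Go standard library, then computing how long a client tool should hold the certificate before first use. The names `skip`, `Delay` and `sampleCert` and the clock-skew allowance are assumptions made for this sketch; with `golang.org/x/crypto/ssh`, the same values are the `ValidAfter` and `ValidBefore` fields of `ssh.Certificate`.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// sampleCert is a CONSTRUCTED, unsigned blob cut off after valid_before (1700000000..1700003600).
const certType = "ssh-ed25519-cert-v01@openssh.com"
const sampleCert = certType + " AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29t" +
	"AAAAA25vbgAAAAJwawAA" + "AAAAAAAAAAAAAQAAAAJpZAAA" + "AAAAAAAAZVPxAAAAAABlU/8Q"

// skip drops n uint32-length-prefixed fields, then `fixed` raw bytes; nil means truncated.
func skip(b []byte, n, fixed int) []byte {
	for ; n > 0; n-- {
		if len(b) < 4 || uint64(len(b)-4) < uint64(binary.BigEndian.Uint32(b)) {
			return nil
		}
		b = b[4+binary.BigEndian.Uint32(b):]
	}
	if len(b) < fixed {
		return nil
	}
	return b[fixed:]
}

// Delay returns how long to wait so a server whose clock lags by up to skew accepts the cert.
func Delay(line string, now time.Time, skew time.Duration) (time.Duration, error) {
	p := strings.Fields(line)
	if len(p) < 2 || p[0] != certType {
		return 0, fmt.Errorf("unsupported certificate line")
	}
	b, err := base64.StdEncoding.DecodeString(p[1])
	// type, nonce, key, then serial(8)+cert type(4); key id, principals; two uint64 times
	if b = skip(skip(b, 3, 12), 2, 0); err != nil || len(b) < 16 {
		return 0, fmt.Errorf("malformed certificate")
	}
	d := time.Unix(int64(binary.BigEndian.Uint64(b)), 0).Add(skew).Sub(now)
	if d < 0 {
		d = 0
	}
	return d, nil
}

func main() {
	fmt.Println(Delay(sampleCert, time.Unix(1699999997, 0), 2*time.Second)) // 5s <nil>
}
```

Waiting only hides a small offset between the signer and the server; hosts that cannot reach a time source will keep drifting, so clock synchronisation still has to be fixed on the servers.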