diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go
index 2f9587153a2f..50af5b80fe63 100644
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@@ -299,9 +299,13 @@ func checkCertsAndPrivateKey(keyType string, key crypto.Signer, usage certUsage,
 		}
 	}
 
-	if math.Abs(float64(time.Now().Unix()-cert.NotBefore.Unix())) > 10 {
+	// 40 seconds since we add 30 second slack for clock skew
+	if math.Abs(float64(time.Now().Unix()-cert.NotBefore.Unix())) > 40 {
 		return nil, fmt.Errorf("Validity period starts out of range")
 	}
+	if !cert.NotBefore.Before(time.Now().Add(-10 * time.Second)) {
+		return nil, fmt.Errorf("Validity period not far enough in the past")
+	}
 
 	if math.Abs(float64(time.Now().Add(validity).Unix()-cert.NotAfter.Unix())) > 10 {
 		return nil, fmt.Errorf("Validity period of %d too large vs max of 10", cert.NotAfter.Unix())
diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go
index 9d002669ee4d..710e16673fd6 100644
--- a/builtin/logical/pki/cert_util.go
+++ b/builtin/logical/pki/cert_util.go
@@ -717,7 +717,7 @@ func createCertificate(creationInfo *creationBundle) (*certutil.ParsedCertBundle
 	certTemplate := &x509.Certificate{
 		SerialNumber: serialNumber,
 		Subject: subject,
-		NotBefore: time.Now(),
+		NotBefore: time.Now().Add(-30 * time.Second),
 		NotAfter: time.Now().Add(creationInfo.TTL),
 		IsCA: false,
 		SubjectKeyId: subjKeyID,
@@ -873,7 +873,7 @@ func signCertificate(creationInfo *creationBundle,
 	certTemplate := &x509.Certificate{
 		SerialNumber: serialNumber,
 		Subject: subject,
-		NotBefore: time.Now(),
+		NotBefore: time.Now().Add(-30 * time.Second),
 		NotAfter: time.Now().Add(creationInfo.TTL),
 		SubjectKeyId: subjKeyID[:],
 	}
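Review bot: The new bounds in this hunk (40 seconds above, 10 seconds below) only make sense relative to the 30-second backdate applied in cert_util.go, and nothing but the one-line comment ties them together, so a later change to the issuer's backdate would make this test drift in one direction without failing clearly. The second check also has no explanation of why a NotBefore that is too recent is a defect; a comment such as `// The issuer backdates NotBefore by 30s so that clients with skewed clocks do not reject a freshly issued cert as not-yet-valid; require at least 10s of that margin.` would carry the intent. Each check also calls `time.Now()` afresh, so the two NotBefore bounds are measured against slightly different instants; `now := time.Now()` taken once before the first check keeps the window consistent. checkCertsAndPrivateKey begins and ends outside this hunk.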
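Review bot: NotBefore and NotAfter are now derived from two separate `time.Now()` calls, so the issued validity window is TTL plus 30 seconds plus whatever elapses between the calls, and the 30-second literal carries no explanation of its purpose; the same pattern is repeated in signCertificate in the `@@ -873` hunk. Capture the instant once and name the backdate: `now := time.Now()` ahead of the template, then `NotBefore: now.Add(-notBeforeBackdate),` and `NotAfter: now.Add(creationInfo.TTL),` with a single package-level `const notBeforeBackdate = 30 * time.Second // tolerate client clock skew` (constant name constructed here) shared by both functions, so the test's expectations have one source of truth. One point to confirm since the issuer certificate is not visible in the hunk: a leaf whose NotBefore precedes the signing CA's own NotBefore is rejected by validators that require nested validity windows, which can bite when a CA is generated and immediately used to issue, so the backdate should not go earlier than the issuer's NotBefore. createCertificate and signCertificate both start and end outside their hunks.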