diff --git a/authority/config.go b/authority/config.go
index 462a764b..812a1db4 100644
--- a/authority/config.go
+++ b/authority/config.go
@@ -7,11 +7,10 @@ import (
 	"os"
 	"time"
 
-	"github.com/smallstep/certificates/templates"
-
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
+	"github.com/smallstep/certificates/templates"
 	"github.com/smallstep/cli/crypto/tlsutil"
 	"github.com/smallstep/cli/crypto/x509util"
 )
diff --git a/ca/identity.go b/ca/identity.go
index a63ae671..d7ad7042 100644
--- a/ca/identity.go
+++ b/ca/identity.go
@@ -32,6 +32,9 @@ const Disabled IdentityType = ""
 // MutualTLS represents the identity using mTLS
 const MutualTLS IdentityType = "mTLS"
 
+// DefaultLeeway is the duration for matching not before claims.
+const DefaultLeeway = 1 * time.Minute
+
 // IdentityFile contains the location of the identity file.
 var IdentityFile = filepath.Join(config.StepPath(), "config", "identity.json")
 
@@ -179,8 +182,8 @@ func (i *Identity) Options() ([]ClientOption, error) {
 	if err != nil {
 		return nil, errors.Wrap(err, "error creating identity certificate")
 	}
-	now := time.Now()
-	if now.Before(x509Cert.NotBefore) || now.After(x509Cert.NotAfter) {
+	now := time.Now().Truncate(time.Second)
+	if now.Add(DefaultLeeway).Before(x509Cert.NotBefore) || now.After(x509Cert.NotAfter) {
 		return nil, nil
 	}
 	return []ClientOption{WithCertificate(crt)}, nil
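Review bot: The new comparison in Options applies DefaultLeeway to NotBefore only, and neither the constant's comment in the earlier identity.go hunk nor this hunk says why a certificate whose NotBefore lies up to a minute in the future should be presented, or why `now` is truncated to the second, so a maintainer tuning the value has nothing to go on. I would reword the constant's comment to `// DefaultLeeway is how far in the future a certificate's NotBefore may lie and still be used; it absorbs clock skew between this client and the issuing CA.` and add above the comparison `// X.509 validity times have one-second resolution and a freshly issued certificate may be dated slightly ahead of our clock; NotAfter deliberately gets no leeway.` This check only decides whether the client offers its own identity certificate, and the peer presumably still validates it, so the leeway is a usability allowance rather than a relaxation of verification — worth stating so nobody later extends it to NotAfter. Note that the surrounding `return nil, nil` leaves the caller unable to tell an expired or not-yet-valid identity from no identity at all, which predates this commit but is where a skew problem would otherwise surface silently. Options starts outside the hunk.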