Thanks all for the on- and off-list replies. For more detail, these are being installed at customer sites so they can phone home and build an SSTP tunnel so I can remote admin the other kit at site. Given I'm going to need internet access for these to be able to phone home, it's probably reasonable to assume NTP will work if I can access the internet - it'd be a real corner case for these nodes to be able to phone home but not reach an NTP server.

tl;dr NTP is the way to go


On 3 June 2014 12:02, Sam Russell <sam.h.russell@gmail.com> wrote:
Hi all,

I'm playing with MikroTiks for VPNs, and one of the "features" is that the RB750s we have don't hold time when they reboot. I'm planning to build them with NTP access (so if they can get internet then they can get time), but I'm also tempted to generate certs backdated to 1970 instead.

Is anyone else doing this? How do you get MikroTiks to validate certs if the clock keeps resetting on power off - is relying on NTP the answer?

Cheers
Sam