diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c
index f5d03dc6..ab75dea3 100644
--- a/src/crypto/ocsp.c
+++ b/src/crypto/ocsp.c
@@ -794,12 +794,12 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) {
 /* Check OCSP response is valid at the specified time
 * (allowing for some margin of error).
 */
- if ( response->this_update > ( time + OCSP_ERROR_MARGIN_TIME ) ) {
+ if ( response->this_update > ( time + X509_ERROR_MARGIN_TIME ) ) {
 DBGC ( ocsp, "OCSP %p \"%s\" response is not yet valid (at "
 "time %lld)\n", ocsp, ocsp->cert->subject.name, time );
 return -EACCES_STALE;
 }
- if ( response->next_update < ( time - OCSP_ERROR_MARGIN_TIME ) ) {
+ if ( response->next_update < ( time - X509_ERROR_MARGIN_TIME ) ) {
 DBGC ( ocsp, "OCSP %p \"%s\" response is stale (at time "
 "%lld)\n", ocsp, ocsp->cert->subject.name, time );
 return -EACCES_STALE;
diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index 1a27eb24..a99f6ab9 100644
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -1264,12 +1264,12 @@ int x509_check_time ( struct x509_certificate *cert, time_t time ) {
 struct x509_validity *validity = &cert->validity;
 
 /* Check validity period */
- if ( time < validity->not_before.time ) {
+ if ( validity->not_before.time > ( time + X509_ERROR_MARGIN_TIME ) ) {
 DBGC ( cert, "X509 %p \"%s\" is not yet valid (at time %lld)\n",
 cert, cert->subject.name, time );
 return -EACCES_EXPIRED;
 }
- if ( time > validity->not_after.time ) {
+ if ( validity->not_after.time < ( time - X509_ERROR_MARGIN_TIME ) ) {
 DBGC ( cert, "X509 %p \"%s\" has expired (at time %lld)\n",
 cert, cert->subject.name, time );
 return -EACCES_EXPIRED;
diff --git a/src/include/ipxe/ocsp.h b/src/include/ipxe/ocsp.h
index 2521681c..fe825fd0 100644
--- a/src/include/ipxe/ocsp.h
+++ b/src/include/ipxe/ocsp.h
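Review bot: The two new comparisons in x509_check_time() accept a certificate up to X509_ERROR_MARGIN_TIME before not_before and after not_after, yet the comment above them still reads `/* Check validity period */`, so the check looks strict to a reader. I would change it to `/* Check validity period (allowing for some margin of error) */`, matching the wording already used in ocsp_validate(), and have the function's doc comment (which lies outside this hunk) state that expiry is enforced only to within the margin. The margin works out to 12.5 hours, which is a large share of the lifetime of a short-lived certificate, where expiry often stands in for revocation; that trade-off deserves a sentence at the point where the margin is applied. Both branches return -EACCES_EXPIRED, so "not yet valid" and "expired" remain distinguishable only through the DBGC text.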
@@ -28,14 +28,6 @@ FILE_LICENCE ( GPL2_OR_LATER );
 #define OCSP_STATUS_SIG_REQUIRED 0x05
 #define OCSP_STATUS_UNAUTHORIZED 0x06
 
-/** Margin of error allowed in OCSP response times
- *
- * We allow a generous margin of error: 12 hours to allow for the
- * local time zone being non-GMT, plus 30 minutes to allow for general
- * clock drift.
- */
-#define OCSP_ERROR_MARGIN_TIME ( ( 12 * 60 + 30 ) * 60 )
-
 /** An OCSP request */
 struct ocsp_request {
 /** Request builder */
diff --git a/src/include/ipxe/x509.h b/src/include/ipxe/x509.h
index a5626c8a..a47942a7 100644
--- a/src/include/ipxe/x509.h
+++ b/src/include/ipxe/x509.h
@@ -42,6 +42,14 @@ struct x509_validity {
 struct x509_time not_after;
 };
 
+/** Margin of error allowed in X.509 response times
+ *
+ * We allow a generous margin of error: 12 hours to allow for the
+ * local time zone being non-GMT, plus 30 minutes to allow for general
+ * clock drift.
+ */
+#define X509_ERROR_MARGIN_TIME ( ( 12 * 60 + 30 ) * 60 )
+
 /** An X.509 certificate public key */
 struct x509_public_key {
 /** Raw public key information */
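Review bot: The doc comment on X509_ERROR_MARGIN_TIME was carried over from the OCSP header and still says "X.509 response times", although the macro now bounds the certificate not_before/not_after checks as well as the OCSP this_update/next_update checks. I would reword the first line to `/** Margin of error (in seconds) allowed in X.509 certificate and OCSP response times`. It is also worth adding that the margin is applied in both directions, so it widens the accepted validity window at each end. The stated rationale of 12 hours for a non-GMT local time zone does not cover every zone (civil offsets reach UTC+14), so the comment could present this as a known limit rather than imply full coverage.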