keytool does not allow the "warping" of time to be able to adjust the validity dates of certificates to deal with clock skew across distributed systems.
There appear to be no public APIs in J2SE allowing this to be done.
nss's 'certutil' does have this feature, it's possible to "warp the clock" to be able to generate certificates with different start dates.
When deploying a distributed application infrastructure across mutliple nodes such as that commonly used by JES, and when configuring this infrastructure to have mutual trust between different nodes by exchanging and inserting public certificates in each other's trust-stores, if there is clock-skew between the nodes there is a window of time in which the certificate of one node is not seen as valid on the other node, since it's validity period is some time in the future due to clock skew.
keytool could permit self-signed certificate generation to set the start date to, say, one day before, to allow for 24 hours of clock skew.
Additionally, when this problem arises, it is hard to diagnose without specific code in place to check clocks, since a TrustManager will simply throw an exception without any explanation as to the problem of validity periods.
This affects users of all Java versions, we, in particular, use Java 5 and Java 6.