Hi Dave, Harlan,

Thank you both for your answers (and sorry for my late answer!). In the 
ntp-keygen manual this point was actually mentioned. I think I'll stick with 
generating certificates with a long lifetime but renew them regularly.


Concerning the fact that Autokey is no longer considered secure, I am aware of this 
(both of you mentioned it to me), but I understood there was no replacement 
available yet, so I'll stick with Autokey while waiting for a better solution; 
it is still better than nothing! :)


Thanks again

Best regards

Stéphane


________________________________
From: David L. Mills <mi...@udel.edu>
Sent: Friday 29 December 2017 19:59
To: Stephane lasagni
Cc: questions@lists.ntp.org
Subject: Re: [ntp:questions] NTP autokey: self-signed certificate expiration problem

Stephane lasagni wrote:

>Hello,
>
>
>I tried the NTP autokey protocol (TC scheme at first, then with IFF parameters 
>- Schnorr algorithm, since it is the scheme that is the most documented). I 
>managed to get both schemes to work OK; however, I have noticed one problem: my 
>product is an NTP client and self-generates its self-signed non-trusted 
>certificate as described in the protocol (using the ntp-keygen -H command). 
>However, when my product starts, it always starts with a default date which is 
>in 2015! Because the self-signed certificate is only valid for 1 year, it is 
>expired immediately after its generation! I need to be synchronized before I 
>generate the certificate... but then I need the certificate before being able 
>to synchronise!
>
>
>I found a workaround but I don't think it is a very "clean" solution: I use 
>the option "-l" of ntp-keygen to specify the certificate lifetime duration 
>and I put a big duration value (like 40 years) just to make sure the generated 
>certificate is valid at power up. I can then make sure that I renew the 
>certificate every month or so (but every time with a 40-year duration => I've 
>set up a cronjob to launch a script to generate the certificate at power-up 
>and then every month, but this script is "fixed" so each time it is launched 
>the newly generated certificate has a 40-year duration...
>
>
>I am thinking there must be a better way to deal with that! I'm probably not 
>the only one to have this type of problem! :)
>
>
>How can this type of problem be dealt with? Is there a better solution?
>
>
>thank you very much for your help!
>
>Best regards
>
>Stéphane
>
>
>PS: I am planning to also test the "private certificate" to try to understand 
>how it works (I have sent a question about this scheme recently)
>
>
>
>_______________________________________________
>questions mailing list
>questions@lists.ntp.org
>http://lists.ntp.org/listinfo/questions
Stephane,

As an alternative, you can use the symmetric key scheme.  This does not
require Autokey.

The original intent of the keygen program with no argument was to
generate a certificate using the current time of the operating system.
Therefore, once you generate a proper certificate, the old certificate
lifetime is updated.

Dave
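An added example (not code from the thread or from the NTP project) of the gate the cron-job workaround above lacks: regenerate the self-signed Autokey certificate only once the system clock is past a build-time floor, and otherwise skip, so a box that still believes it is 2015 never signs a certificate. The floor epoch, key directory and lifetime are assumptions.

```shell
#!/bin/sh
# Added example: do not run ntp-keygen while the clock is obviously unset.
# Assumptions (not from the thread): a floor epoch baked in at image build
# time, ntp-keygen in PATH, key material kept in /etc/ntp.

# No valid clock can be earlier than the moment this image was built.
# Constructed value: 2017-12-29 00:00:00 UTC.
CLOCK_FLOOR_EPOCH=1514505600
CERT_LIFETIME_DAYS=365      # ordinary lifetime once the clock is trusted
KEYDIR=/etc/ntp

# clock_is_sane NOW_EPOCH -> success if NOW_EPOCH is at or after the floor
clock_is_sane() {
    [ "$1" -ge "$CLOCK_FLOOR_EPOCH" ]
}

# lifetime_for NOW_EPOCH -> days to pass to ntp-keygen -l; prints 0 when the
# clock is not sane, meaning "do not generate anything yet"
lifetime_for() {
    if clock_is_sane "$1"; then
        echo "$CERT_LIFETIME_DAYS"
    else
        echo 0
    fi
}

# regen_cert -> generates the host key and self-signed certificate with a
# bounded lifetime, or refuses (exit 1) while the clock is still at its
# power-up default; the cron job can simply retry on the next run.
regen_cert() {
    now=$(date +%s)
    days=$(lifetime_for "$now")
    if [ "$days" -eq 0 ]; then
        echo "clock not set ($now < $CLOCK_FLOOR_EPOCH); skipping ntp-keygen" >&2
        return 1
    fi
    (cd "$KEYDIR" && ntp-keygen -H -l "$days")
}

# Invoke as "./regen-autokey.sh run" from cron; sourcing the file only
# defines the functions.
case "${1:-}" in
    run) regen_cert ;;
esac
```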
