Stephane lasagni wrote:

Hello,


I tried the NTP autokey protocol (TC scheme at first, then with IFF parameters 
- Schnorr algorithm since it is the scheme that is the most documented). I 
managed to get both schemes to work OK; however, I have noticed one problem: my 
product is an NTP client and self-generates its auto-signed non-trusted 
certificate as described in the protocol (using the ntp-keygen -H command). 
However, when my product starts, it always starts with a default date which is in 
2015! Because the self-signed certificate is only valid for 1 year, it is 
expired immediately after its generation! I need to be synchronized before I 
generate the certificate... but then I need the certificate before being able to 
synchronise!


I found a workaround but I don't think it is a very "clean" solution: I use the option "-l" 
of ntp-keygen to specify the certificate life time duration and I put a big duration value (like 40 years) just 
to make sure the generated certificate is valid at power up. I can then make sure that I renew the certificate 
every month or so (but every time with a 40 years duration => I've set up a cronjob to launch a script to 
generate the certificate at power-up and then every month, but this script is "fixed" so each time it 
is launched the newly generated certificate has a 40 years duration...)


I am thinking there must be a better way to deal with that! I'm probably not 
the only one to have this type of problem! :)


How can this type of problem be dealt with? Is there a better solution?


Thank you very much for your help!

Best regards

Stéphane


PS: I am planning to also test the "private certificate" to try to understand 
how it works (I have sent a question about this scheme recently)



_______________________________________________
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
Stephane,

As an alternative, you can use the symmetric key scheme. This does not require Autokey.

The original intent of the keygen program with no argument was to generate a certificate using the current time of the operating system. Therefore, once you generate a proper certificate, the old certificate lifetime is updated.

Dave