Stephane lasagni wrote:
Hello,
I tried the NTP autokey protocol (TC scheme at first, then with IFF parameters
- Schnorr algorithm since it is the scheme that is the most documented). I
managed to get both schemes to work ok however I have noticed one problem: my
product is an NTP client and self-generates its auto-signed non-trusted
certificate as described in the protocol (using the ntp-keygen -H command).
However when my product starts, it always starts with a default date which is in
2015! Because the self-signed certificate is only valid for 1 year, it is
expired immediately after its generation! I need to be synchronized before I
generate the certificate...but then I need the certificate before being able to
synchronise!
I found a workaround but I don't think it is a very "clean" solution: I use the option "-l"
of ntp-keygen to specify the certificate lifetime duration and I put a big duration value (like 40 years) just
to make sure the generated certificate is valid at power up. I can then make sure that I renew the certificate
every month or so (but every time with a 40-year duration => I've set up a cronjob to launch a script to
generate the certificate at power-up and then every month but this script is "fixed" so each time it
is launched the newly generated certificate has a 40-year duration...).
I am thinking there must be a better way to deal with that! I'm probably not
the only one to have this type of problem! :)
How can this type of problem be dealt with? Is there a better solution?
Thank you very much for your help!
Best regards
Stéphane
PS: I am planning to also test the "private certificate" to try to understand
how it works (I have sent a question about this scheme recently)
_______________________________________________
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
Stephane,
As an alternative, you can use the symmetric key scheme. This does not
require Autokey.
The original intent of the keygen program with no argument was to
generate a certificate using the current time of the operating system.
Therefore, once you generate a proper certificate, the old certificate
lifetime is updated.
Dave