[ntp:questions] NTP autokey: self-signed certificate expiration problem

Stephane lasagni stephanelasagni at hotmail.com
Fri Dec 22 13:17:17 UTC 2017


I tried the NTP autokey protocol (TC scheme at first, then with IFF parameters - Schnorr algorithm since it is the scheme that is the most documented). I managed to get both schemes to work ok however I have noticed one problem: my product is a NTP client and self-generate its auto-signed non-trusted certificate as described in the protocol (using the ntp-keygen -H command). However when my product starts, it always start with a default date which is in 2015! Because the self-signed certificat is only valid for 1 year, it is expired immediately after its generation! I need to be synchronized before I generate the certificate...but then I need the certificate before to be able to synchronise!

I found a workaround but I don't think it is a very "clean" solution: I use the option "-l" of ntp-keygen to specify the certificate life time duration and I put a big duration value (like 40 years) just to make sure the generated certificate is valid at power up. I can then make sure that I renew the certificate every month or so (but everytime with a 40 years duration => I've set up a cronjob to launch a script to generate the certificate at power-up and then every month but this script is "fixed" so each time it is launched the new generated certificate has a 40 years duration...

I am thinking there must be a better way to deal with that! I'm probably not the only one to have this time of problem! :)

How can this type of problem be dealt with? Is there a better solution?

thank you very much for your help!

Best regards


PS: I am planning to also test the "private certificate" to try to understand how it works (I have sent a question about this scheme recently)

More information about the questions mailing list