[ntp:questions] NTP autokey: self-signed certificate expiration problem

David L. Mills mills at udel.edu
Fri Dec 29 19:59:23 UTC 2017


Stephane lasagni wrote:

>Hello,
>
>
>I tried the NTP autokey protocol (TC scheme at first, then with IFF parameters - Schnorr algorithm since it is the scheme that is the most documented). I managed to get both schemes to work ok, however I have noticed one problem: my product is an NTP client and self-generates its self-signed non-trusted certificate as described in the protocol (using the ntp-keygen -H command). However when my product starts, it always starts with a default date which is in 2015! Because the self-signed certificate is only valid for 1 year, it is expired immediately after its generation! I need to be synchronized before I generate the certificate...but then I need the certificate before being able to synchronise!
>
>
>I found a workaround but I don't think it is a very "clean" solution: I use the option "-l" of ntp-keygen to specify the certificate lifetime duration and I put a big duration value (like 40 years) just to make sure the generated certificate is valid at power up. I can then make sure that I renew the certificate every month or so (but every time with a 40-year duration => I've set up a cron job to launch a script to generate the certificate at power-up and then every month, but this script is "fixed" so each time it is launched the newly generated certificate has a 40-year duration...)
>
>
>I am thinking there must be a better way to deal with that! I'm probably not the only one to have this type of problem! :)
>
>
>How can this type of problem be dealt with? Is there a better solution?
>
>
>Thank you very much for your help!
>
>Best regards
>
>Stéphane
>
>
>PS: I am planning to also test the "private certificate" to try to understand how it works (I have sent a question about this scheme recently)
>
Stephane,

As an alternative, you can use the symmetric key scheme.  This does not
require Autokey.

The original intent of the keygen program with no argument was to 
generate a certificate using the current time of the operating system.  
Therefore, once you generate a proper certificate, the old certificate 
lifetime is updated.

Dave
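The boot-time check behind Stéphane's question, as an added example that is not from this thread or from the ntp project: it refuses to generate a host certificate while the clock still reads its factory default, and otherwise renews an existing certificate only when its validity window (taken here from a constructed sample of `openssl x509 -noout -dates` output) no longer covers the current time with a margin. BUILD_TIME, the 30-day margin and all function names are assumptions.

```python
"""Boot-time decision for an NTP Autokey host certificate (added example).

Assumptions (not from the thread): BUILD_TIME is a constructed clock floor
(e.g. the firmware build date), and the validity window comes from the
output of `openssl x509 -noout -dates` run on the ntpkey certificate file."""
from datetime import datetime, timedelta, timezone


def utc(*args):
    """Build an aware UTC datetime; keeps the checks below timezone-safe."""
    return datetime(*args, tzinfo=timezone.utc)


BUILD_TIME = utc(2017, 12, 1)            # constructed floor for a sane clock
RENEW_MARGIN = timedelta(days=30)        # renew this long before expiry

# Constructed sample of `openssl x509 -noout -dates` output.
SAMPLE_DATES = ("notBefore=Dec 29 19:59:23 2017 GMT\n"
                "notAfter=Dec 29 19:59:23 2018 GMT\n")


def parse_openssl_dates(text):
    """Return (not_before, not_after) as aware UTC datetimes."""
    window = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key in ("notBefore", "notAfter"):
            stamp = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
            window[key] = stamp.replace(tzinfo=timezone.utc)
    return window["notBefore"], window["notAfter"]


def clock_is_plausible(now, floor=BUILD_TIME):
    """A clock earlier than the build date is the unset default, not real time."""
    return now >= floor


def cert_covers(now, not_before, not_after, margin=RENEW_MARGIN):
    """True if the window contains `now` with at least `margin` left before expiry."""
    return not_before <= now <= not_after - margin


def decide(now, synced, window=None):
    """Return 'wait-for-sync', 'keep' or 'generate'.

    A certificate generated while the clock is still at its default would
    carry a bogus notBefore and expire as soon as the clock is corrected, so
    generation is only allowed once the clock is plausible and synchronised."""
    if not clock_is_plausible(now):
        return "wait-for-sync"
    if window is not None and cert_covers(now, *window):
        return "keep"
    return "generate" if synced else "wait-for-sync"
```

When the result is 'wait-for-sync' and no valid certificate exists, the first synchronisation has to come from outside Autokey (for instance the symmetric key scheme Dave mentions); once `decide` returns 'generate', ntp-keygen can be run with a modest `-l` lifetime instead of the 40-year workaround.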
