[ntp:questions] Autokey Certificate Update

Steve throindarts at yahoo.com
Thu Jan 3 16:19:13 UTC 2008

The advice on the Autokey configuration page,
is to update the server and client key/certificate monthly since the
cert is only good for 1 year. When I run the cert update commands
provided on the link above, a new cert and link is generated and
Autokey NTP continues to run fine. However, it does not appear that
NTP actually uses the new cert until it is restarted. I determined
this by examining the output of the ntpq -c "rv 0 cert" command also
provided in the link above.

I want to know if the new cert is used only after a restart because
otherwise we might think the certs are being updated only to find NTP
Autokey broken 1 year later when the cert in use expires. So is the
real procedure to update the cert then restart NTP on a periodic
basis? Any way to tell NTP to pickup the new cert without restarting
the daemon?

In a separate (hopefully) issue, I only can get Autokey to work when
the password I use in ntp.conf and the ntp-keygen commands are
identical for the client and server; however the link above implies
there are (or can be) 2 distinct password, namely the clientpassword
and serverpassword.

I am using IFF and use ntp-keygen -T -I -p serverpassword on the
server and use
ntp-keygen -H -p clientpassword on the client.

I ftp the IFF parameters file from the server to the client and
install it as indicated in the link above. I suspect my issue might be
with the following statement from the link:
"You must export an IFF Group Key for each client using that client's
password. " I am not sure what is meant by this and did not do this
step...I just ftped the IFF file to the client.

I really appreciate the help...and sorry for the double question.


More information about the questions mailing list