[ntp:questions] Autokey Certificate Update

Steve Kostecke kostecke at ntp.org
Thu Jan 3 21:17:05 UTC 2008

On 2008-01-03, Steve <throindarts at yahoo.com> wrote:

> The advice on the Autokey configuration page,
> http://support.ntp.org/bin/view/Support/ConfiguringAutokey

I'm the original author of that "page".

It should be noted that this material applies to the current stable
release and does not reflect any Autokey updates in the dev release.

> is to update the server and client key/certificate monthly since the
> cert is only good for 1 year.

The "Error Codes" section of
http://www.cis.udel.edu/~mills/ntp/html/authopt.html states "One of the
most common errors is expired certificates, which must be regenerated
and signed at least once per year using the ntp-keygen program."

The recommendation to update the server certificate on a more frequent
basis (e.g. monthly) can be found in a number of places including the
NTP FAQ at http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm. I know I've
seen it elsewhere.

> When I run the cert update commands provided on the link above, a new
> cert and link is generated and Autokey NTP continues to run fine.
> However, it does not appear that NTP actually uses the new cert until
> it is restarted. I determined this by examining the output of the ntpq
> -c "rv 0 cert" command also provided in the link above.

That's interesting.

> I want to know if the new cert is used only after a restart because
> otherwise we might think the certs are being updated only to find NTP
> Autokey broken 1 year later when the cert in use expires.

It has always been my understanding the ntpd reloads the cert when the
protocol restarts (~ daily).

> So is the real procedure to update the cert then restart NTP on a
> periodic basis?

It may be necessary to add a restart to the certificate update

> Any way to tell NTP to pickup the new cert without restarting the
> daemon?

Not that I'm aware of.

It should be noted that a well tempered ntpd (i.e. iburst on the server
lines, good drift-file, operating in state 4) is available almost
immediately after a "warm restart".

> In a separate (hopefully) issue, I only can get Autokey to work when
> the password I use in ntp.conf and the ntp-keygen commands are
> identical for the client and server; however the link above implies
> there are (or can be) 2 distinct password, namely the clientpassword
> and serverpassword.
> I am using IFF and use ntp-keygen -T -I -p serverpassword on the
> server and use
> ntp-keygen -H -p clientpassword on the client.
> I ftp the IFF parameters file from the server to the client and
> install it as indicated in the link above.

The full text you are refering to is:

| IFF Group Keys
| Obtain the IFF group key, exported in IFF Parameters via a
| secure means (e.g. an SSL Web Form or encrypted e-mail), copy the key
| file to the keysdir, and create the standard sym-link: 

Section explains the IFF Parameter generation process and how
to export the IFF Group Key (or IFF Client Key).

The IFFpar file is supposed to stay on the server (unless you are using
the latest ntp-dev and fall in to a certain category).

> I suspect my issue might be with the following statement from the
> link: "You must export an IFF Group Key for each client using that
> client's password." I am not sure what is meant by this and did not
> do this step...I just ftped the IFF file to the client.

You may not have read to the end of sections Or, if you did,
the example was confusing.


This is how you export the IFF Group Key to the console:

cd <your ntp keys dir>
ntp-keygen -e -q serverpassword -p clientpassword

This is how you export the IFF Group Key to a file:

cd <your ntp keys dir>
ntp-keygen -e -q serverpassword -p clientpassword > ntpkey_IFFkey_servername

This is how you export the IFF Group Key and mail it to another

cd <your ntp keys dir>
ntp-keygen -e -q serverpassword -p clientpassword | mail admin at somewhere.com

IFF Group Keys may also be distributed via a web-form. My implementation
of one is at http://support.ntp.org/crypto.php; it distributes IFF keys
for that system.


It is no longer necessary to provide the client password when exporting
the IFF Group Key. This means that the IFF Group Key may be treated like
a PGP/GPG Public Key and made available for download, or distributed,
via insecure channels.

Steve Kostecke <kostecke at ntp.org>
NTP Public Services Project - http://support.ntp.org/

More information about the questions mailing list