[ntp:questions] Autokey Certificate Update

David L. Mills mills at udel.edu
Fri Jan 4 20:27:09 UTC 2008


You are correct; the new certificate is not used until after restarting 
the daemon. When restarted the next upstratum a client automatically 
restart the protocol (not the daemon). They all get well shortly after 
sending the next poll. As this happens the client finds a more recent 
certificate and replaces the old one.

However, the next upstratum clients after that doesn't see this, since 
the certificate cache is still valid, even if it contains an old 
certificate and the just regenerated self-signed nontrusted certificate 
is not on the trail.

It is still best practices to refresh the certificates sometime during 
the hear, but it is also best practices to restart the machine at that 
time. Right in the development version I have just put in a gimmick that 
remobilizes each client association once per week. If cetificates are 
refreshed maybe once every month or two, the changes should trickle 
upstratum at that rate, so only the machine with regenerated certificate 
needs to be restarted..


Steve wrote:

> Hi,
> The advice on the Autokey configuration page,
> http://support.ntp.org/bin/view/Support/ConfiguringAutokey
> is to update the server and client key/certificate monthly since the
> cert is only good for 1 year. When I run the cert update commands
> provided on the link above, a new cert and link is generated and
> Autokey NTP continues to run fine. However, it does not appear that
> NTP actually uses the new cert until it is restarted. I determined
> this by examining the output of the ntpq -c "rv 0 cert" command also
> provided in the link above.
> I want to know if the new cert is used only after a restart because
> otherwise we might think the certs are being updated only to find NTP
> Autokey broken 1 year later when the cert in use expires. So is the
> real procedure to update the cert then restart NTP on a periodic
> basis? Any way to tell NTP to pickup the new cert without restarting
> the daemon?
> In a separate (hopefully) issue, I only can get Autokey to work when
> the password I use in ntp.conf and the ntp-keygen commands are
> identical for the client and server; however the link above implies
> there are (or can be) 2 distinct password, namely the clientpassword
> and serverpassword.
> I am using IFF and use ntp-keygen -T -I -p serverpassword on the
> server and use
> ntp-keygen -H -p clientpassword on the client.
> I ftp the IFF parameters file from the server to the client and
> install it as indicated in the link above. I suspect my issue might be
> with the following statement from the link:
> "You must export an IFF Group Key for each client using that client's
> password. " I am not sure what is meant by this and did not do this
> step...I just ftped the IFF file to the client.
> I really appreciate the help...and sorry for the double question.
> Steve

More information about the questions mailing list