[ntp:questions] Autokey Certificate Update

Steve throindarts at yahoo.com
Tue Jan 8 01:03:21 UTC 2008

On Jan 3, 3:17 pm, Steve Kostecke <koste... at ntp.org> wrote:
> On 2008-01-03, Steve <throinda... at yahoo.com> wrote:
> > The advice on the Autokey configuration page,
> > http://support.ntp.org/bin/view/Support/ConfiguringAutokey
> I'm the original author of that "page".
> It should be noted that this material applies to the current stable
> release and does not reflect any Autokey updates in the dev release.
> > is to update the server and client key/certificate monthly since the
> > cert is only good for 1 year.
> The "Error Codes" section of http://www.cis.udel.edu/~mills/ntp/html/authopt.html states "One of the
> most common errors is expired certificates, which must be regenerated
> and signed at least once per year using the ntp-keygen program."
> The recommendation to update the server certificate on a more frequent
> basis (e.g. monthly) can be found in a number of places including the
> NTP FAQ at http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm. I know I've
> seen it elsewhere.
> > When I run the cert update commands provided on the link above, a new
> > cert and link is generated and Autokey NTP continues to run fine.
> > However, it does not appear that NTP actually uses the new cert until
> > it is restarted. I determined this by examining the output of the ntpq
> > -c "rv 0 cert" command also provided in the link above.
> That's interesting.
> > I want to know if the new cert is used only after a restart because
> > otherwise we might think the certs are being updated only to find NTP
> > Autokey broken 1 year later when the cert in use expires.
> It has always been my understanding that ntpd reloads the cert when the
> protocol restarts (~ daily).
> > So is the real procedure to update the cert then restart NTP on a
> > periodic basis?
> It may be necessary to add a restart to the certificate update
> procedure.
> > Any way to tell NTP to pickup the new cert without restarting the
> > daemon?
> Not that I'm aware of.
> It should be noted that a well tempered ntpd (i.e. iburst on the server
> lines, good drift-file, operating in state 4) is available almost
> immediately after a "warm restart".
> > In a separate (hopefully) issue, I only can get Autokey to work when
> > the password I use in ntp.conf and the ntp-keygen commands are
> > identical for the client and server; however the link above implies
> > there are (or can be) 2 distinct passwords, namely the clientpassword
> > and serverpassword.
> > I am using IFF and use ntp-keygen -T -I -p serverpassword on the
> > server and use
> > ntp-keygen -H -p clientpassword on the client.
> > I ftp the IFF parameters file from the server to the client and
> > install it as indicated in the link above.
> The full text you are referring to is:
> | IFF Group Keys
> |
> | Obtain the IFF group key, exported in IFF Parameters via a
> | secure means (e.g. an SSL Web Form or encrypted e-mail), copy the key
> | file to the keysdir, and create the standard sym-link:
> Section explains the IFF Parameter generation process and how
> to export the IFF Group Key (or IFF Client Key).
> The IFFpar file is supposed to stay on the server (unless you are using
> the latest ntp-dev and fall in to a certain category).
> > I suspect my issue might be with the following statement from the
> > link: "You must export an IFF Group Key for each client using that
> > client's password." I am not sure what is meant by this and did not
> > do this step...I just ftped the IFF file to the client.
> You may not have read to the end of sections Or, if you did,
> the example was confusing.
> This is how you export the IFF Group Key to the console:
> cd <your ntp keys dir>
> ntp-keygen -e -q serverpassword -p clientpassword
> This is how you export the IFF Group Key to a file:
> cd <your ntp keys dir>
> ntp-keygen -e -q serverpassword -p clientpassword > ntpkey_IFFkey_servername
> This is how you export the IFF Group Key and mail it to another
> system:
> cd <your ntp keys dir>
> ntp-keygen -e -q serverpassword -p clientpassword | mail ad... at somewhere.com
> IFF Group Keys may also be distributed via a web-form. My implementation
> of one is at http://support.ntp.org/crypto.php; it distributes IFF keys
> for that system.

> It is no longer necessary to provide the client password when exporting
> the IFF Group Key. This means that the IFF Group Key may be treated like
> a PGP/GPG Public Key and made available for download, or distributed,
> via insecure channels.
> --
> Steve Kostecke <koste... at ntp.org>
> NTP Public Services Project - http://support.ntp.org/

Steve, Thanks a lot for helping me with the specifics of IFF. I did
read that part about exporting the IFF parms but guess I thought it
was an additional optional step or something. I exported the IFF parms
and Autokey works like a charm.

For the record I am using stable version 4.2.0

Thanks for your comments on the certificate update. So if I follow you
correctly, I should update the certificates on both the client and
server (for my case I only use Autokey from s3 client to a s2 server)
and need to restart the daemon on both for my 4.2.0 version of NTP. If
I was using your gimmicky version, I would only need to restart the
server daemon.
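
Added example (not part of the thread, and not code from the NTP project): a shell check for the situation discussed above, where a regenerated certificate sits on disk while ntpd keeps using the old one until it is restarted. It assumes the `cert` value printed by `ntpq -c "rv 0 cert"` ends in the certificate's filestamp and that the `ntpkey_cert_<host>` link points at a file whose name ends in `.<filestamp>`; the host name `ntp2` and all sample values are constructed.

```sh
#!/bin/sh
# Compare the certificate ntpd reports with the one the keys-dir link points to.

# Pull the last field out of cert="..." in ntpq output.
# ASSUMPTION: the value looks like "subject issuer 0xflags filestamp".
running_filestamp() {
    printf '%s\n' "$1" | sed -n 's/.*cert="\([^"]*\)".*/\1/p' | awk 'NR==1 {print $NF}'
}

# ASSUMPTION: generated files are named <type>_<host>.<filestamp>;
# keep what follows the last dot (host names may contain dots too).
disk_filestamp() {
    printf '%s\n' "${1##*.}"
}

is_number() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# $1 = output of: ntpq -c "rv 0 cert"
# $2 = link target, e.g. from: readlink ntpkey_cert_<host>
cert_status() {
    run=$(running_filestamp "$1")
    disk=$(disk_filestamp "$2")
    if ! is_number "$run" || ! is_number "$disk"; then
        echo unknown                  # could not parse one side; check by hand
    elif [ "$run" = "$disk" ]; then
        echo current                  # ntpd is using the certificate on disk
    elif [ "$disk" -gt "$run" ]; then
        echo stale-restart-needed     # newer cert on disk, ntpd still on the old one
    else
        echo disk-older-than-running  # link points at an older file than ntpd loaded
    fi
}

# Constructed samples: certificate regenerated, daemon not yet restarted.
SAMPLE_RV='cert="ntp2 ntp2 0x3 3408741801"'
SAMPLE_LINK='ntpkey_RSA-MD5cert_ntp2.3411420201'
echo "sample status: $(cert_status "$SAMPLE_RV" "$SAMPLE_LINK")"
```

Run from a periodic job after the monthly regeneration, a `stale-restart-needed` result is the cue to schedule the restart instead of discovering the problem when the in-use certificate expires.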

