[ntp:questions] using certificates produced by a third party PKI instead of ntp-k eygen

Bartholome, Alain alain.bartholome at eads.com
Thu Apr 23 12:32:50 UTC 2009

I made some preliminary testing, using a third party certificate.
I am using NTP version 4.2.5p158 on windows sever 2003.

In the test, there are 2 hosts, no group key, the third party certificate is
on the client.

First of all I added a filestamp at the beginning of the certificate.
I start NTP in debug mode on the client.

NTP aborts (Dr Watson) during the scanning of the certificate.

The last lines of the debug execution are :
cert_parse: X509v3 Basic Constraints
cert_parse: X509v3 Certificate Policies
cert_parse: X509v3 CRL Distribution Points
cert_parse: X509v3 Subject Alternative Name
cert_parse: X509v3 Key Usage
cert_parse: X509v3 Subject Key Identifier
cert_parse: X509v3 Authority Key Identifier

The certificate is not self signed (the issuer name is not the hostname),
contrary to the NTP specifications. (I cannot have self-signed certificate
for now.) 

The third party certificate I am using is 2 kb long. In a Meinberg
documentation, a maximum certificate size of 1024 bytes is specified.

I would like to know if this abort is due to that maximum certificate size.


-----Message d'origine-----
De la part de David Mills
Envoyé : mercredi 22 avril 2009 20:09
À : 'questions at lists.ntp.org'
Objet : Re: [ntp:questions] using certificates produced by a third party PKI
instead of ntp-k eygen


The syntax and semantics for certificates are in an appendix to the 
Autokey ID now in review. That document also explains some additional 
assumptions that might not be consistent with other uses. However, the 
trusted certificate (TC) scheme is most vanilla and should not be a 
problem. One problem I anticipate is the need to support the case of the 
certificate for the trusted host itself and the public IFF group key, 
which require an X509 extension field.


Bartholome, Alain wrote:

>I need to do some testing with certificates produced by a third party PKI
>instead of ntp-keygen.
>I would like to have the constraints and some guidelines in order   to test
>TC  and IFF identity schemes.
>questions mailing list
>questions at lists.ntp.org

questions mailing list
questions at lists.ntp.org

More information about the questions mailing list