[ntp:questions] using certificates produced by a third party PKI instead of ntp-keygen

Danny Mayer mayer at ntp.org
Mon Apr 27 02:55:12 UTC 2009

Bartholome, Alain wrote:
> Hi,
> I did some preliminary testing, using a third party certificate.
> I am using NTP version 4.2.5p158 on Windows Server 2003.
> In the test, there are 2 hosts, no group key, the third party certificate is
> on the client.
> First of all I added a filestamp at the beginning of the certificate.
> I start NTP in debug mode on the client.
> NTP aborts (Dr Watson) during the scanning of the certificate.
> The last lines of the debug execution are :
> cert_parse: X509v3 Basic Constraints
> cert_parse: X509v3 Certificate Policies
> cert_parse: X509v3 CRL Distribution Points
> cert_parse: X509v3 Subject Alternative Name
> cert_parse: X509v3 Key Usage
> cert_parse: X509v3 Subject Key Identifier
> cert_parse: X509v3 Authority Key Identifier
> The certificate is not self signed (the issuer name is not the hostname),
> contrary to the NTP specifications. (I cannot have a self-signed certificate
> for now.)
> The third party certificate I am using is 2 kb long. In a Meinberg
> documentation, a maximum certificate size of 1024 bytes is specified.
> I would like to know if this abort is due to that maximum certificate size.
> Regards,

If you want to send me the actual certificate along with the
configuration file that you used to load it, I will see what I can
figure out. Just send that directly to me, we don't allow attachments to
the mailing list and you probably don't want to propagate it anyway.
Getting a Dr. Watson error is unusual so if you have the dump file,
please also send that. You should zip everything up before sending it.

