[ntp:questions] using certificates produced by a third party PKI instead of ntp-keygen

Danny Mayer mayer at ntp.org
Mon Apr 27 02:55:12 UTC 2009


Bartholome, Alain wrote:
> Hi,
> I did some preliminary testing, using a third party certificate.
> I am using NTP version 4.2.5p158 on Windows Server 2003.
> 
> In the test, there are 2 hosts, no group key, the third party certificate is
> on the client.
> 
> First of all I added a filestamp at the beginning of the certificate.
> I start NTP in debug mode on the client.
> 
> NTP aborts (Dr Watson) during the scanning of the certificate.
> 
> The last lines of the debug execution are :
> cert_parse: X509v3 Basic Constraints
> cert_parse: X509v3 Certificate Policies
> cert_parse: X509v3 CRL Distribution Points
> cert_parse: X509v3 Subject Alternative Name
> cert_parse: X509v3 Key Usage
> cert_parse: X509v3 Subject Key Identifier
> cert_parse: X509v3 Authority Key Identifier
> 
> The certificate is not self-signed (the issuer name is not the hostname),
> contrary to the NTP specifications. (I cannot have a self-signed certificate
> for now.)
> 
> The third party certificate I am using is 2 kb long. In the Meinberg
> documentation, a maximum certificate size of 1024 bytes is specified.
> 
> I would like to know if this abort is due to that maximum certificate size.
>  
> Regards,
> 
> 
> Alain BARTHOLOMÉ

If you want to send me the actual certificate along with the
configuration file that you used to load it, I will see what I can
figure out. Just send that directly to me, we don't allow attachments to
the mailing list and you probably don't want to propagate it anyway.
Getting a Dr. Watson error is unusual so if you have the dump file,
please also send that. You should zip everything up before sending it.

Danny
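
An added example, not part of either message and not NTP project code: a standard-library pre-flight check that reports the two certificate properties raised in the question, the encoded size against the quoted 1024-byte figure and whether the issuer name equals the subject name. It assumes the limit refers to DER bytes and compares the two names as raw bytes; `check_cert`, `sample` and the sample data are hypothetical and constructed.

```python
import base64

MAX_CERT_BYTES = 1024  # figure quoted in the post; assumed here to mean DER bytes

def tlv(tag, body):
    """DER-encode one element (only used to build the constructed sample)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        size = length & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def pem_to_der(text):
    """Decode the PEM armor, ignoring lines outside it such as a '#' filestamp."""
    lines = [l.strip() for l in text.splitlines()]
    begin = lines.index("-----BEGIN CERTIFICATE-----")
    end = lines.index("-----END CERTIFICATE-----")
    return base64.b64decode("".join(lines[begin + 1:end]))

def check_cert(text):
    der = pem_to_der(text)
    _, pos, _ = read_tlv(der, 0)          # outer Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(der, pos)  # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:                   # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    issuer, subject = fields[2], fields[4]  # after serial and signature algorithm
    return {"der_bytes": len(der), "over_limit": len(der) > MAX_CERT_BYTES,
            "issuer_is_subject": issuer == subject}

def sample(issuer_cn, subject_cn, pad):
    """Constructed skeleton with certificate field order; not a valid certificate."""
    def name(cn):
        return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn) + tlv(0x04, bytes(pad)))
    body = base64.encodebytes(tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))).decode()
    return "# constructed filestamp line\n-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"
```

Calling `check_cert(sample(b"Example CA", b"client.example", 2000))` models the situation in the question: a CA-issued certificate of roughly 2 kb, flagged on both counts.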
