[ntp:questions] Problem using ntp autokey with the trusted certificate identity scheme

Bartholome, Alain alain.bartholome at eads.com
Tue Feb 10 15:38:16 UTC 2009

I downloaded the development version of NTP (4.2.5p158), installed it on
all the systems, and kept the certificates and the same configuration (except
the logconfig line of ntp.conf), especially one trusted system.
It works.
The synchronization of server3 occurred quite quickly.
I am quite worried about the release version...
Thanks for your help.

-----Original Message-----
From: questions-bounces+alain.bartholome=eads.com at lists.ntp.org
[mailto:questions-bounces+alain.bartholome=eads.com at lists.ntp.org] On
behalf of Martin Burnicki
Sent: Tuesday, February 10, 2009 10:17
To: questions at lists.ntp.org
Subject: Re: [ntp:questions] Problem using ntp autokey with the trusted
certificate identity scheme

Steve Kostecke wrote:
> On 2009-02-10, Danny Mayer <mayer at ntp.isc.org> wrote:
>> Steve Kostecke wrote:
>> [---=| Quote block shrinked by t-prot: 24 lines snipped |=---]
>>>> server3 does not synchronize with server2
>>> The problem here is that you want to operate _two_ trust groups:
>>> server2 trusts serverT1
>>> server3 trusts server2
>>> Server3 needs to be able to trust server2. Try regenerating the
>>> parameters on server2 using '-T'.
>> My understanding from what Dave has said is that the newer versions of
>> the development branch support multiple trust groups.
> You missed the point. The OP has set up a _chain_ of two trust groups.
> This is not a problem with one ntpd serving multiple trust groups.
> The server for the second trust group needs to have a trusted cert so
> that it will be trusted by its client.

This is an interesting setup, but should not be very uncommon.

Has anyone *tried* to configure autokey so that a machine is a client which
uses one certificate for his upstream server, and additionally acts as a
server who provides its own certificate to its clients?

This setup should also be mentioned in 

Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
