[ntp:questions] ntp-keygen -H and update options

Joe Smithian joe.smithian at gmail.com
Fri May 13 14:05:29 UTC 2011

Hi All,

I am trying to configure a trusted NTP server and some clients using

ntp-keygen document:

-H  Generate a new encrypted RSA public/private host key file and link. Note
that if the sign key is the same as the host key, generating a new host key
invalidates all certificates signed with the old host key.

My questions:

1- When should we use the -H option? When generating new keys? Updating
certificates? Or in both cases?

2- Does the “-H” flag only generate RSA keys, not DSA, even when we use the
-S DSA option, as in the example below?

Let's say we generate new keys using non-default options such as

e.g:    ntp-keygen generate -password mypasword -c RSA-SHA -S RSA -modulus

3- Should we use the same arguments when running ntp-keygen later to update
the certificates/keys? Is ntp-keygen smart enough to generate new
certificates of the same type as the existing one without specifying the
arguments? If not, the problem is that if the user runs ntp-keygen with
no or different arguments it may generate new certificates of different

I would appreciate your comments.


