[ntp:questions] ntp-keygen -H and update options

David L. Mills mills at udel.edu
Fri May 13 20:16:33 UTC 2011


Joe,

The documentation is rather specific. If you generate a new host or sign 
key, the certificates are invalid and should be regenerated. Running 
ntp-keygen with no arguments generates a new certificate of the same 
type and signature as the existing one.

Dave


Joe Smithian wrote:

>Hi All,
>
>I am trying to configure a trusted NTP server and some clients using
>Autokey.
>
>ntp-keygen document:
>
>
>-H Generate a new encrypted RSA public/private host key file and link. Note
>that if the sign key is the same as the host key, generating a new host key
>invalidates all certificates signed with the old host key.
>
>My questions:
>
>1- When should we use the -H option? When generating new keys? Updating
>certificates? Or both cases?
>
>
>
>2- Does the “-H” flag only generate RSA keys, not DSA, even when we use the -S DSA
>option, as in the example below?
>
>
>
>Let's say we generate new keys using non-default options such as
>
>e.g:    ntp-keygen generate -password mypasword -c RSA-SHA -S RSA -modulus
>1024
>
>
>
>3- Should we use the same arguments when running ntp-keygen later to update
>the certificates/keys? Is ntp-keygen smart enough to generate new
>certificates of the same type as the existing one without specifying the
>arguments? If not, the problem is that if the user runs ntp-keygen with
>no or different arguments it may generate new certificates of different
>type.
>
>
>
>
>I would appreciate your comments.
>
>Regards
>
>Joe