Re: [chrony-users] NTS: Limiting



On Tue, Jan 19, 2021 at 04:51:39PM +0100, Karol Babioch wrote:
> Hi all,
> 
> first of all let me thank you for being involved with the development
> and implementation of NTS. It's great to see NTS support in chrony!
> 
> I'm still somewhat new to the topic, but read through the available
> documentation.
> 
> I'm currently wondering whether it is possible to put more specific
> constraints on the certificates that are to be considered valid for
> initial contact with NTS servers.
> 
> My understanding is that by default any certificate signed by the
> system's default trusted CAs will be accepted. This can be narrowed down
> by the "ntstrustedcerts". Along with "nosystemcerts" we have some
> control over which CAs are to be allowed.
> 
> However, in my particular use-case I want to have NTS with certificates
> signed by Let's Encrypt, but only for specific domains (e.g. the ones
> that I control). I don't want to trust any server that has a valid Let's
> Encrypt certificate, so specifying the Let's Encrypt root CA won't do.
> 
> Is there any way (currently or planned) to put in such constraints based
> on common name and/or subject alternative names (along with a specific CA)?

Using only the Let's Encrypt root CA is what you want to do.
The name in the certificate is checked against the hostname you've
put in the config. So if you only trust Let's Encrypt, you're
also limiting it to matching hostnames issued by Let's Encrypt.


Kurt
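
A chrony.conf fragment that puts the above into practice, added here as an illustration and not taken from the thread or from the chrony project. It combines the two directives Karol mentions (nosystemcerts, ntstrustedcerts) with NTS-enabled server lines; the PEM path and the ntp.example.com / ntp2.example.com names are placeholders, and the ISRG Root X1 file is assumed to have been fetched and installed separately:

```conf
# Added example (not from the original message): chrony.conf fragment that
# trusts only the Let's Encrypt root for NTS-KE and relies on chrony's own
# hostname check to restrict which certificates are accepted.

# Do not use the system CA bundle for NTS-KE (TLS) connections.
nosystemcerts

# Trust only the CA(s) in this file. It is assumed to contain the
# Let's Encrypt root (ISRG Root X1) in PEM form; the path is a placeholder.
ntstrustedcerts /etc/chrony/isrg-root-x1.pem

# NTS sources. The certificate presented during NTS-KE must chain to the CA
# above AND match the hostname written here, so a Let's Encrypt certificate
# issued for some other domain is rejected even though the CA is trusted.
server ntp.example.com  iburst nts
server ntp2.example.com iburst nts

# Persist NTS cookies across restarts (common distribution default path).
ntsdumpdir /var/lib/chrony
```

After restarting chronyd, `chronyc -N authdata` lists each source with its mode (NTS), the negotiated key ID and the number of cookies held; a source whose certificate failed verification shows no cookies, and chronyd logs the failed TLS handshake. One caveat worth knowing when testing on a box whose clock is far off: certificate validity periods are checked against the local clock, and chrony's nocerttimecheck directive exists to relax that check for a limited number of initial updates; leave it out of a production configuration unless you have a specific reason.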

