Re: [chrony-users] NTS: Limiting |
[ Thread Index |
Date Index
| More chrony.tuxfamily.org/chrony-users Archives
]
- To: chrony-users@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-users] NTS: Limiting
- From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
- Date: Tue, 19 Jan 2021 17:03:26 +0100
- Authentication-results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=mlichvar@xxxxxxxxxx
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1611072270; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=NPaM9wd7Hj04UW+M6vJU3nnDPLh32jTYKJeyvXjs/vo=; b=VyVgMmfBshM4sMu1aRcJ4StPMbJG8NSo/gQd2iQxfFTmNcP8EU9G1+pbrBa+UeUw7uQE8H dLTHzUu0xEDHHgNgSOyp3ce+mUW9Utw2/otqb6CGhj1B0D/EYltyAV8PWJdTqJ/lKOm0gO KXsqLrwyJLoZIuJtILWU6583q+CL/pg=
On Tue, Jan 19, 2021 at 04:51:39PM +0100, Karol Babioch wrote:
> However, in my particular use-case I want to have NTS with certificates
> signed by Let's Encrypt, but only for specific domains (e.g. the ones
> that I control). I don't want to trust any server that has a valid Let's
> Encrypt certificate, so specifying the Let's Encrypt root CA won't do.
>
> Is there any way (currently or planned) to put in such constrains based
> on common name and/or subject alternative names (along with a specific CA)?
No, that's not currently supported. It sounds complicated. Do you have
any examples of other TLS clients implementing such functionality and
how their configuration looks like?
>
> Or can my use case be addressed differently?
If you control the specific servers signed by Let's Encrypt, maybe you
could trust all their certificates individually and then trust all the
system certificates except Let's Encrypt?
--
Miroslav Lichvar
--
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "help" in the subject.
Trouble? Email listmaster@xxxxxxxxxxxxxxxxxxxx.