| RE: [chrony-users] NTS CA certificate |
[ Thread Index |
Date Index
| More chrony.tuxfamily.org/chrony-users Archives
]
- To: "chrony-users@xxxxxxxxxxxxxxxxxxxx" <chrony-users@xxxxxxxxxxxxxxxxxxxx>
- Subject: RE: [chrony-users] NTS CA certificate
- From: "Kohr, Alexander" <Alexander.Kohr@xxxxxxxxxxxxxxx>
- Date: Mon, 1 Mar 2021 14:44:07 +0000
- Accept-language: en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=tuhs.temple.edu; dmarc=pass action=none header.from=tuhs.temple.edu; dkim=pass header.d=tuhs.temple.edu; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=sNH/RxBtji79S+924owSXku9VpjlzhymsNToWIuEKDM=; b=cQyLcw0xRHD9h5E7EGLPylXoFUg1npt44IYkrTdYPDuuN1/BDQETIWh/tvcE8HxhTeoM6yqhL/ZUesv6iKl3luMDdZ7PfXACCFdqFoVnODnBFY17xrbp8aj2yPYOwb079dvT62HniapxiP4AbjXHMPoeQLauckIJmcIRqlXDJqxw6rwbpD/WLLuLrny5Sp75y20oj3EKxWHJ/I+gL8In23XJWzSdxSpyuMonYKGXyyxqK0VemnKKDvPFPLWcfZwEUsEQJGQrALMcUgsfbZYE0Gz5gBOyd2G/UpCVICSa8fMXQCZTo6LnSFdarG5b5QeyBVhz2jw0UQe6fo9oRH57ug==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Lya0YCcXCp05Blv3PPsOy+Oaoc+5TZAkQ4iQtOpmM8EJbDnNVCZ0eGqt0w32Wc91n/JdkrStEGlTgbaTYYDUkz8GqscIrNaiVdFwR90n2SlroVGT8jxK7BNXwYcTsPwnZUaHXPLOF342SnqFtHh8Gyj2iX+/YasHU8a3PSvkkOf29LMWTJynwGbj3WvbtyMV6FyVF4I1uNhzXpffEjWkcJX/NcIaVGosRyEnV8VSt6SwF6gqq3zGefY4/h+3I0RUgiVXnH358osUm2V3SL7S7Rcm7FcSGtWSSj4Tc1feMOh27AW6akd6bSFZismFraSd4bwt3K20RU6Gm9bt5pKZkg==
- Authentication-results: chrony.tuxfamily.org; dkim=none (message not signed) header.d=none;chrony.tuxfamily.org; dmarc=none action=none header.from=tuhs.temple.edu;
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tuhs.onmicrosoft.com; s=selector2-tuhs-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=sNH/RxBtji79S+924owSXku9VpjlzhymsNToWIuEKDM=; b=EymWrAWwaWqoQXfrxNOxyGBEox6a6sAYUQm8ry8qp+UGlwp9oKIY8xOBjlUEkeryroKO+w6cBoHI7cWsjVWGSQV+DUcPg0W3/kQrmdV9I0otiGicoPlYL4QM8Ybz7/ymeFiulxmwQBha4RFquw26TOK66zCaU0mrRlCm1tEbAQI=
- Thread-index: AQHXDp5RFs7pJm8PC0iQQqZE/oGO46pvJNMAgAAAS8A=
- Thread-topic: [chrony-users] NTS CA certificate
No need for you to explain why you are doing this, as there could be some valid reasons for only wanting chrony to trust a certificate authority. However it might be easier and more beneficial to just use the system wide trust authority for the certificate so that it is available for other applications that use the systems wide trust store.
Since you mentioned RHEL 8 in your previous email here is how to do that.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-shared-system-certificates_security-hardening
Note my understanding is that for items placed in the /etc paths can't be overridden and items put in /usr paths can be overridden by stuff in /etc/, though other linux variants seem to only have /usr/ paths, so if you are in a mixed linux environment and consistency is important then you may want to use that .
-----Original Message-----
From: Miroslav Lichvar [mailto:mlichvar@xxxxxxxxxx]
Sent: Monday, March 1, 2021 8:45 AM
To: chrony-users@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [chrony-users] NTS CA certificate
EXTERNAL sender! Do you TRUST this email? If you are unsure, send the email to InfoSec for review by using the Report Phish button.
________________________________
On Mon, Mar 01, 2021 at 01:22:41PM +0000, Alkistis Tsoulakou wrote:
> Hello,
> I would like to ask you regarding the ntstrustedcerts file parameter present in chrony.
> From my understanding this parameter is applicable to chrony client and is an optional one. Correct?
Yes.
> If not configured then only default trusted CA's are used.If configured then we should specify the exact filename containing the certificates.
> Correct?
Yes.
> If we do want to use special trusted CA's which configuration is needed in chrony client?
Only ntstrustedcerts and possibly nosystemcert if you don't want to trust the system's default certificates.
--
Miroslav Lichvar
--
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "help" in the subject.
Trouble? Email listmaster@xxxxxxxxxxxxxxxxxxxx.
________________________________
This electronic message is intended to be for the use of the named recipient, and may contain information that is confidential or privileged. This communication may contain protected health information (PHI) that is legally protected from inappropriate disclosure by the Privacy Standards of the Health Insurance Portability and Accountability Act (HIPAA) and relevant Pennsylvania Laws. You can direct questions concerning PHI or HIPAA to the Corporate Compliance and Privacy Officer at (215) 707-5605. If you are not the intended recipient, please note that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this message in error, you should notify the sender immediately by telephone or by return e-mail and delete and destroy all copies of this message.
--
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "help" in the subject.
Trouble? Email listmaster@xxxxxxxxxxxxxxxxxxxx.