Re: [chrony-users] NTS CA certificate



On Tue, Mar 02, 2021 at 06:39:24AM +0000, Alkistis Tsoulakou wrote:
> Thank you both for the prompt answers.
> Just to ensure that I got it. If we need to configure the ntstrustedcerts file in the chrony client, the relevant file should contain the actual certificates in PEM format. How can relevant certificates be created?

Certificate authorities generate their certificates. You can have your
own certificate authority or you can use Let's Encrypt for example.
You can also use self-signed certificates.

It is the same as with HTTPS on a web server. There are many howtos on
the Internet.

> Do we also need any special configuration in the chrony server to use special trusted CAs?

No, an NTS server just needs a file containing its own key and a file
containing its certificate with any intermediate certificates if
required.

> Sorry but I cannot find an example of such an NTS configuration.

The server has ntsserverkey and ntsservercert.

If the server's certificate is signed by a widely accepted certificate
authority (e.g. Let's Encrypt), the clients of the server should be ok
with the system's default trusted certificates.

The ntstrustedcerts directive is mainly useful if you don't want to
trust all of the system's trusted certificates, e.g. to minimize the
impact of disabling the certificate time checks, or if the servers have
self-signed certificates, or maybe a local NTS-specific certificate
authority.

-- 
Miroslav Lichvar
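The two sides of such a setup, as an added example (not from this thread or the chrony project): a server that serves NTS with its own key and certificate, and a client that trusts only a local CA rather than the system store. The hostnames, network and file paths are assumed placeholders.

```conf
# --- Server side: /etc/chrony/chrony.conf (assumed paths) ---
# The server's own upstream time sources.
server 0.pool.ntp.org iburst
# Private key and certificate in PEM format; the cert file holds the
# server certificate first, followed by any intermediate certificates.
ntsserverkey /etc/chrony/nts/server.key
ntsservercert /etc/chrony/nts/server.crt
# Clients allowed to query this server (assumed network).
allow 192.0.2.0/24
# Persist the cookie-encryption keys across restarts so clients'
# existing cookies stay valid.
ntsdumpdir /var/lib/chrony

# --- Client side: /etc/chrony/chrony.conf ---
# "nts" runs NTS-KE over TLS (TCP/4460) and then authenticated NTP.
server ntp.example.com iburst nts
# Trust only the local CA that signed the server certificate instead of
# every CA in the system's default store. The file contains the CA
# certificate(s) in PEM format.
ntstrustedcerts /etc/chrony/nts/local-ca.pem
# Cache cookies so the client can resume without a new NTS-KE handshake.
ntsdumpdir /var/lib/chrony
# Only if the clock may be badly wrong at boot (e.g. no RTC): relax the
# certificate validity-period check for the first update. Limiting trust
# with ntstrustedcerts matters most when this is enabled.
# nocerttimecheck 1
```

On the client, `chronyc -N authdata` shows whether the NTS-KE exchange succeeded and how many cookies are cached for each source.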

