Re: [chrony-users] NTS CA certificate



Thank you both for the prompt answers.

Just to ensure that I got it.
If we need to configure the ntstrustedcerts file in the chrony client, the relevant file should contain the actual certificates in PEM format.
How can the relevant certificates be created?

Do we also need any special configuration in the chrony server to use special trusted CAs?

Sorry, but I cannot find an example of such an NTS configuration.

Thanks again,
Alkistis
On Monday, 1 March 2021, 04:44:18 p.m. EET, user Kohr, Alexander <alexander.kohr@xxxxxxxxxxxxxxx> wrote:


No need for you to explain why you are doing this, as there could be some valid reasons for only wanting chrony to trust a certificate authority. However, it might be easier and more beneficial to just use the system-wide trust authority for the certificate so that it is available for other applications that use the system-wide trust store.

Since you mentioned RHEL 8 in your previous email here is how to do that.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-shared-system-certificates_security-hardening

Note: my understanding is that items placed in the /etc paths can't be overridden, and items put in /usr paths can be overridden by stuff in /etc/, though other Linux variants seem to only have /usr/ paths, so if you are in a mixed Linux environment and consistency is important then you may want to use that.



-----Original Message-----
From: Miroslav Lichvar [mailto:mlichvar@xxxxxxxxxx]
Sent: Monday, March 1, 2021 8:45 AM
To: chrony-users@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [chrony-users] NTS CA certificate



On Mon, Mar 01, 2021 at 01:22:41PM +0000, Alkistis Tsoulakou wrote:
> Hello,
> I would like to ask you regarding the ntstrustedcerts file parameter present in chrony.
> From my understanding this parameter is applicable to chrony client and is an optional one. Correct?

Yes.

> If not configured then only default trusted CAs are used. If configured then we should specify the exact filename containing the certificates.
> Correct?

Yes.

> If we do want to use special trusted CAs, which configuration is needed in the chrony client?

Only ntstrustedcerts and possibly nosystemcert if you don't want to trust the system's default certificates.

--
Miroslav Lichvar


--
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.




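An added example, not from any message in this thread, covering the two points raised above: what "actual certificates in PEM format" means for the ntstrustedcerts file, and what the client-side directives Miroslav named (ntstrustedcerts plus nosystemcert) look like in chrony.conf. The script builds a constructed, self-signed private CA with openssl so it runs offline, checks that a file is usable as a trust-anchor bundle (PEM-parsable, not about to expire, marked CA:TRUE), and prints the client configuration. It assumes openssl is installed; ntp.example.com and /etc/chrony/nts-ca.pem are placeholders, and the temporary paths are the script's own.

```shell
#!/bin/sh
# Added example, not from the thread: build a constructed private CA in PEM
# form, check that a file is usable as a chrony ntstrustedcerts bundle, and
# print the client directives Miroslav named. Assumes openssl is installed;
# ntp.example.com and /etc/chrony/nts-ca.pem are placeholders.
set -eu

WORK="${TMPDIR:-/tmp}/nts-ca-example.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed, self-signed CA standing in for a real private CA. A minimal
# openssl config is written so CA:TRUE is set regardless of the system's
# default openssl.cnf. Prints the path of the PEM certificate.
make_constructed_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example NTS CA (constructed)
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    echo "$WORK/ca.pem"
}

# Number of PEM certificate blocks in a file (0 for DER, empty or missing
# files); ntstrustedcerts only reads PEM.
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" 2>/dev/null || true
}

# Validate every certificate in a bundle: parsable by openssl, not expiring
# within 24 hours, and marked as a CA. chrony uses these only as trust
# anchors for the NTS-KE server's chain, so a leaf certificate here is a
# configuration mistake. Returns non-zero on the first problem.
check_trusted_certs_bundle() {
    bundle="$1"
    n=$(count_pem_certs "$bundle")
    [ "${n:-0}" -gt 0 ] || { echo "$bundle: no PEM certificates" >&2; return 1; }
    rm -f "$WORK"/cert-*.pem
    # Split into one file per certificate: cert-0.pem, cert-1.pem, ...
    awk -v dir="$WORK" '
        /-----BEGIN CERTIFICATE-----/ { i = k++; f = dir "/cert-" i ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$bundle"
    for cert in "$WORK"/cert-*.pem; do
        openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1 \
            || { echo "$cert: unparsable or expires within a day" >&2; return 1; }
        openssl x509 -in "$cert" -noout -text 2>/dev/null \
            | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE' \
            || { echo "$cert: not a CA certificate" >&2; return 1; }
    done
    return 0
}

# chrony.conf lines for a client that trusts only the private CA bundle.
# nosystemcert removes the system store, so NTS-KE to any server whose
# chain does not end at this bundle fails.
render_client_conf() {
    printf 'server %s iburst nts\nntstrustedcerts %s\nnosystemcert\n' "$1" "$2"
}

ca_pem=$(make_constructed_ca)
check_trusted_certs_bundle "$ca_pem"
echo "bundle OK: $(count_pem_certs "$ca_pem") CA certificate(s) in $ca_pem"
render_client_conf ntp.example.com /etc/chrony/nts-ca.pem
```

The bundle check is deliberately stricter than chronyd itself, which only needs a readable PEM file: rejecting an expiring or non-CA certificate before it is copied into place catches the two mistakes that otherwise show up only as a failed NTS-KE handshake. After the file is installed and chronyd restarted, `chronyc authdata` is where to confirm that the server line actually negotiated NTS.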


