NTS: removed "not implemented" on server ca
Richard Laager
rlaager at wiktel.com
Wed Apr 3 05:35:07 UTC 2019
On 4/2/19 8:42 PM, Gary E. Miller via devel wrote:
>> B) You can specify a directory, in which case the certificates must be
>> named (or more typically, symlinked) with their hash; see `openssl
>> rehash`. Note that the files processed by `openssl rehash` must have
>> one certificate per file.
>
> I'm just going by the ntp.conf doc, which does not mention that.
Good point. I created this MR to document it:
https://gitlab.com/NTPsec/ntpsec/merge_requests/993
> I'm not gonna edit .pem files, real users can't figure out how to do
> that.
Right, that suggestion was just for testing.
> So I put the LE chain.pem and cert.pem in /tmp. Then did the rehash.
> That yielded the hash links.
Excellent.
> If I delete the hash to chain.pem then it fails again. So the hash to
> cert.pem does not help.
Perfect. That's exactly how it should work. The "ca" option specifies
CAs, not end certificates.
Does it work with "ca chain.pem" (specifying a file, as opposed to a
directory)? If you already tested this earlier in the thread and I
missed it, ignore me.
> Of the things I'd like to force, cert.pem is
> the top of my list.
Pinning the end cert is a separate issue.
>> See if that works with "ca=/tmp/certs" in ntp.conf.
>
> Are you sure about the equal sign? Not what "man ntp.conf" says:
You're right. No equals. I typed that too fast.
--
Richard
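The directory layout discussed above (one certificate per file, hash symlinks from `openssl rehash`) and the observation that only the CA's link matters, as an added example that is not part of this thread: it generates a throwaway test CA and leaf certificate, builds three candidate "ca" directories, and uses `openssl verify` in place of ntpd's NTS-KE client (assumed: Linux with OpenSSL 1.1.0 or later, which has the `rehash` subcommand).

```shell
#!/bin/sh
# Added example, not from the thread: build candidate NTS "ca <dir>" directories
# with openssl rehash and see which hash links let the leaf cert verify.
# Constructed PKI in a temp dir; openssl verify stands in for ntpd's NTS-KE client.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# Minimal req config so nothing here depends on the system openssl.cnf.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
commonName = CN
[ ca_ext ]
basicConstraints = critical,CA:TRUE
EOF
# chain.pem: self-signed CA (stands in for LE's chain.pem); cert.pem: the leaf.
openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Test CA" -keyout ca.key -out chain.pem >/dev/null 2>&1
openssl req -config req.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=ntske.example.test" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA chain.pem -CAkey ca.key -CAcreateserial \
    -days 1 -out cert.pem >/dev/null 2>&1
# Three candidate "ca" directories: CA only, leaf only, concatenated bundle.
mkdir ca_dir leaf_dir bundle_dir
cp chain.pem ca_dir/
cp cert.pem leaf_dir/
cat cert.pem chain.pem > bundle_dir/bundle.pem
for d in ca_dir leaf_dir bundle_dir; do openssl rehash "$d" >/dev/null 2>&1; done

# link_count DIR: how many <subject-hash>.0 symlinks rehash created in DIR.
link_count() {
    n=0
    for f in "$1"/*.0; do if [ -L "$f" ]; then n=$((n + 1)); fi; done
    echo "$n"
}
# verify_with DIR: "ok" if cert.pem chains to a CA found via DIR, else "fail".
verify_with() {
    if openssl verify -no-CAfile -CApath "$1" cert.pem >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}
for d in ca_dir leaf_dir bundle_dir; do
    echo "$d: links=$(link_count "$d") verify=$(verify_with "$d")"
done
```

The bundle directory gets no link at all because `openssl rehash` skips any file that does not contain exactly one certificate or CRL, and the leaf-only directory gets a link that does nothing for verification, which is the behaviour reported in the thread.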