NTS: removed "not implemented" on server ca

Richard Laager rlaager at wiktel.com
Wed Apr 3 05:35:07 UTC 2019

On 4/2/19 8:42 PM, Gary E. Miller via devel wrote:
>> B) You can specify a directory, in which case the certificates must be
>> named (or more typically, symlinked) with their hash; see `openssl
>> rehash`. Note that the files processed by `openssl rehash` must have
>> one certificate per file.
> I'm just going by the ntp.conf doc.  Which does not mention that.

Good point. I created this MR to document it:

> I'm not gonna edit .pem files, real users can't figure out how to do
> that.

Right, that suggestion was just for testing.

> So I put the LE chain.pem and cert.pem in /tmp.  Then did the rehash.
> That yielded the hash links.


> If I delete the hash to chain.pem then it fails again.  So the hash to
> cert.pem does not help.

Perfect. That's exactly how it should work. The "ca" option specifies
CAs, not end certificates.

Does it work with "ca chain.pem" (specifying a file, as opposed to a
directory)? If you already tested this earlier in the thread and I
missed it, ignore me.

> Of the things I'd like to force, cert.pem is
> the top of my list.

Pinning the end cert is a separate issue.

>> See if that works with "ca=/tmp/certs" in ntp.conf.
> Are you sure about the equal sign?  Not what "man ntp.conf" says:

You're right. No equals. I typed that too fast.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20190403/9a7e93da/attachment-0001.bin>

More information about the devel mailing list