Self Signed Certs

Rich Schmidt schmidt.rich at gmail.com
Thu May 7 16:42:20 UTC 2020


I am still stymied trying to test NTPsec with self-signed certs. Still
getting "unknown ca" on the server. I would appreciate any assistance in
this effort.
With thanks, Rich Schmidt

I ran this on server "pluto" and on client "ptp":

# Set up self-signed certificates
server=$1    # pluto  or ptp
#create CA
openssl genrsa  -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
#
# Generate  private certificate
#
openssl genrsa  -out $server.key 4096
#
# Create public certificate by signing with our  CA
#
# Generate  certificate signing request
openssl req -new -key $server.key -out $server.csr
#
# Create public certificate by signing with our  CA
openssl x509 -req -days 365 -in $server.csr -CA ca.crt -CAkey ca.key
-set_serial 01 -out $server.crt
#
cat ca.crt $server.crt > nts.crt
cat ca.key $server.key > nts.key
-------------------------------------------------
Server "pluto" ntp.conf:
nts enable ca /var/lib/ntp/certs/
nts key /var/lib/ntp/certs/nts.key
nts cert /var/lib/ntp/certs/nts.crt
nts cookie /var/lib/ntp/nts-keys
---------------------------------------------
Server "pluto" log:
2020-05-07T16:23:51 ntpd[27974]: INIT: OpenSSL 1.0.2k-fips  26 Jan 2017,
100020bf
2020-05-07T16:23:51 ntpd[27974]: NTSs: starting NTS-KE server listening on
port 123
2020-05-07T16:23:51 ntpd[27974]: NTSs: loaded certificate (chain) from
/var/lib/ntp/certs/nts.crt
2020-05-07T16:23:51 ntpd[27974]: NTSs: loaded private key from
/var/lib/ntp/certs/nts.key
2020-05-07T16:23:51 ntpd[27974]: NTSs: Private Key OK
2020-05-07T16:23:51 ntpd[27974]: NTSs: listen4 worked
2020-05-07T16:23:51 ntpd[27974]: NTSs: listen6 worked
2020-05-07T16:23:51 ntpd[27974]: NTSc: Using dir /var/lib/ntp/certs/ for
root certificates.
2020-05-07T16:24:58 ntpd[27974]: NTSs: TCP accept-ed from 10.0.0.175:43498
2020-05-07T16:24:58 ntpd[27974]: NTSs: SSL accept from 10.0.0.175:43498
failed, 0.004 sec
2020-05-07T16:24:58 ntpd[27974]: NTS: error:14094418:SSL
routines:ssl3_read_bytes:tlsv1 alert unknown ca
-----------------------------------------------
Client "ptp" ntp.conf:
server pluto nts ca /var/lib/ntp/certs/
------------------------------------------------
Client "ptp" log:
2020-05-07T16:31:11 ntpd[31511]: INIT: OpenSSL 1.0.2k-fips  26 Jan 2017,
100020bf
2020-05-07T16:31:11 ntpd[31511]: NTSc: Using system default root
certificates.
2020-05-07T16:31:12 ntpd[31511]: DNS: dns_probe: pluto, cast_flags:1,
flags:21801
2020-05-07T16:31:12 ntpd[31511]: NTSc: DNS lookup of pluto took 0.000 sec
2020-05-07T16:31:12 ntpd[31511]: NTSc: nts_probe connecting to pluto:123 =>
10.0.0.200:123
2020-05-07T16:31:12 ntpd[31511]: NTSc: Using dir /var/lib/ntp/certs/ for
root certificates.
2020-05-07T16:31:12 ntpd[31511]: NTSc: SSL_connect failed
2020-05-07T16:31:12 ntpd[31511]: NTS: error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed
2020-05-07T16:31:12 ntpd[31511]: NTSc: NTS-KE req to pluto took 0.013 sec,
fail
-----------------------------------------------
On server:
cat nts.crt | openssl verify
stdin: C = US, ST = DC, L = Washington, O = RE Schmidt, CN = pluto
error 18 at 0 depth lookup:self signed certificate
OK
------------------------------------------------
On client:
cat nts.crt | openssl verify
stdin: C = US, ST = DC, L = Washington, O = RE Schmidt, CN = ptp
error 18 at 0 depth lookup:self signed certificate
OK


-- 
“The ideal subject of totalitarian rule is not the convinced Nazi or the
convinced communist, but people for whom the distinction between fact and
fiction . . . and the distinction between true and false . . . no longer
exist.” —Hanna Arendt, “The Origins of Totalitarianism” (1951)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20200507/476ef597/attachment.htm>


More information about the devel mailing list