Self Signed Certs

Hal Murray hmurray at
Thu May 7 20:10:12 UTC 2020

If I read things correctly, you are signing the server's certificate with your 
root certificate.  I tested with an intermediate cert in there.  I don't know 
any reason your case won't work, but it's not how I tested things.

[on server]
2020-05-07T16:24:58 ntpd[27974]: NTS: error:14094418:SSL
routines:ssl3_read_bytes:tlsv1 alert unknown ca

I think the "alert" is trying to tell you that it is relaying a message from 
the client.  The client bailed because it can't verify your certificate.

[on client]
server pluto nts ca /var/lib/ntp/certs/

That's a directory rather than a file.  Again, not how I test things, but I 
don't see any reason it won't work.

I assume you put the servers root certificate in there.
There is some dance you have to go through to setup a directory.  OpenSSL uses 
a hash.  There is a utility that finds the certificates and sets up links from 
the hash name to the real certificate, or something like that.

It seemed simpler to avoid that step by using a file rather than directory.
  server <server-FQDN> nts ca <file-name-for-root-cert>


The name you use on the server line has to match the name in the certificate.  
Usually, that is a FQDN.  I tested using  Again, I don't know any 
reason why a short name won't work but it's not how I tested things.

These are my opinions.  I hate spam.

More information about the devel mailing list