Certificate pinning

Hal Murray halmurray at sonic.net
Mon Oct 25 03:20:39 UTC 2021

[It's been quiet recently.]

I was thinking about certificates ...

I think we can implement pinning with the current code.

We need a script to fetch the certificate, follow the chain to see which root 
certificate it is using, find that certificate in the local root cert 
collection, and copy it to a safe place.

Then adjust ntp.conf to include ca <safe place>
ntpd will use that cert to verify the chain.

We need another script to verify/update things.  Maybe they are the same 
script with different options.

Does that sound right?

Is anybody familiar enough with the OpenSSL utilities to write that script?

These are my opinions.  I hate spam.
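
The two scripts described in the message above, written as one POSIX shell file with a pin mode and a check mode. This is an added example, not code from the post or from NTPsec; the function names, the NTS-KE ALPN setting and the one-certificate-per-file layout of the root collection are assumptions.

```shell
#!/bin/sh
# Added example, not NTPsec code; all function names are hypothetical.
# Assumes the local root collection is a directory with one PEM
# certificate per file (e.g. /etc/ssl/certs).

# Save the PEM chain the NTS-KE server presents (leaf first). Needs network.
fetch_chain() {  # host port outfile
    openssl s_client -connect "$1:$2" -servername "$1" -alpn ntske/1 \
        -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$3"
    [ -s "$3" ]
}

# True only if the chain validates against cafile alone; -no-CApath keeps
# the system default store from satisfying the check.
chain_ok() {  # chain.pem cafile
    openssl verify -no-CApath -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Print the first single-certificate file in cadir that anchors the chain.
# Bundles are skipped: they would match without identifying one root.
find_root() {  # chain.pem cadir
    for cand in "$2"/*; do
        [ -f "$cand" ] || continue
        [ "$(grep -c 'BEGIN CERTIFICATE' "$cand")" -eq 1 ] || continue
        if chain_ok "$1" "$cand"; then echo "$cand"; return 0; fi
    done
    return 1
}

# Pin mode: copy the root to pinfile (for "ca <pinfile>" in ntp.conf) and
# print its SHA-256 fingerprint so it can be recorded separately.
pin_root() {  # chain.pem cadir pinfile
    root=$(find_root "$1" "$2") || { echo "no matching root" >&2; return 1; }
    cp "$root" "$3" &&
        openssl x509 -in "$3" -noout -fingerprint -sha256 | cut -d= -f2
}

# Verify mode: fails when the server's chain no longer leads to the pin.
check_pin() { chain_ok "$1" "$2"; }  # chain.pem pinfile

# Usage: script pin|check host port pinfile [cadir]
case "${1:-}" in
pin|check)
    chain=$(mktemp) && fetch_chain "$2" "$3" "$chain" || { rm -f "$chain"; exit 1; }
    if [ "$1" = pin ]; then pin_root "$chain" "${5:-/etc/ssl/certs}" "$4"
    else check_pin "$chain" "$4"; fi
    rc=$?; rm -f "$chain"; exit $rc ;;
esac
```

A failing check means either the server moved to a different root or the presented chain is not the expected one; compare the new root's fingerprint with the recorded one before re-pinning.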
