<div dir="ltr">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">I am still stymied trying to test NTPsec with self-signed certs. I am still getting "unknown ca" on the server. I would appreciate any assistance in this effort.</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">With thanks, Rich Schmidt</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small"><br></div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">I ran this on server "pluto" and on client "ptp":</div>
<pre>
#!/bin/sh
# Set up self-signed certificates
server=$1    # pluto or ptp

# Create CA key and self-signed CA certificate
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# Generate the host's private key
openssl genrsa -out "$server.key" 4096

# Generate certificate signing request
openssl req -new -key "$server.key" -out "$server.csr"

# Create public certificate by signing with our CA
openssl x509 -req -days 365 -in "$server.csr" -CA ca.crt -CAkey ca.key -set_serial 01 -out "$server.crt"

# Bundle for ntpd: CA cert then host cert, CA key then host key
cat ca.crt "$server.crt" > nts.crt
cat ca.key "$server.key" > nts.key
</pre>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">-------------------------------------------------</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">Server "pluto" ntp.conf:</div>
<pre>
nts enable ca /var/lib/ntp/certs/
nts key /var/lib/ntp/certs/nts.key
nts cert /var/lib/ntp/certs/nts.crt
nts cookie /var/lib/ntp/nts-keys
</pre>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">---------------------------------------------</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">Server "pluto" log:</div>
<pre>
2020-05-07T16:23:51 ntpd[27974]: INIT: OpenSSL 1.0.2k-fips  26 Jan 2017, 100020bf
2020-05-07T16:23:51 ntpd[27974]: NTSs: starting NTS-KE server listening on port 123
2020-05-07T16:23:51 ntpd[27974]: NTSs: loaded certificate (chain) from /var/lib/ntp/certs/nts.crt
2020-05-07T16:23:51 ntpd[27974]: NTSs: loaded private key from /var/lib/ntp/certs/nts.key
2020-05-07T16:23:51 ntpd[27974]: NTSs: Private Key OK
2020-05-07T16:23:51 ntpd[27974]: NTSs: listen4 worked
2020-05-07T16:23:51 ntpd[27974]: NTSs: listen6 worked
2020-05-07T16:23:51 ntpd[27974]: NTSc: Using dir /var/lib/ntp/certs/ for root certificates.
2020-05-07T16:24:58 ntpd[27974]: NTSs: TCP accept-ed from 10.0.0.175:43498
2020-05-07T16:24:58 ntpd[27974]: NTSs: SSL accept from 10.0.0.175:43498 failed, 0.004 sec
2020-05-07T16:24:58 ntpd[27974]: NTS: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
</pre>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">-----------------------------------------------</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">Client "ptp" ntp.conf:</div>
<pre>
server pluto nts ca /var/lib/ntp/certs/
</pre>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">------------------------------------------------</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">Client "ptp" log:</div>
<pre>
2020-05-07T16:31:11 ntpd[31511]: INIT: OpenSSL 1.0.2k-fips  26 Jan 2017, 100020bf
2020-05-07T16:31:11 ntpd[31511]: NTSc: Using system default root certificates.
2020-05-07T16:31:12 ntpd[31511]: DNS: dns_probe: pluto, cast_flags:1, flags:21801
2020-05-07T16:31:12 ntpd[31511]: NTSc: DNS lookup of pluto took 0.000 sec
2020-05-07T16:31:12 ntpd[31511]: NTSc: nts_probe connecting to pluto:123 => 10.0.0.200:123
2020-05-07T16:31:12 ntpd[31511]: NTSc: Using dir /var/lib/ntp/certs/ for root certificates.
2020-05-07T16:31:12 ntpd[31511]: NTSc: SSL_connect failed
2020-05-07T16:31:12 ntpd[31511]: NTS: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2020-05-07T16:31:12 ntpd[31511]: NTSc: NTS-KE req to pluto took 0.013 sec, fail
</pre>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">-----------------------------------------------</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">On server:</div>
<pre>
cat nts.crt | openssl verify
stdin: C = US, ST = DC, L = Washington, O = RE Schmidt, CN = pluto
error 18 at 0 depth lookup:self signed certificate
OK
</pre>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">------------------------------------------------</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">On client:</div>
<pre>
cat nts.crt | openssl verify
stdin: C = US, ST = DC, L = Washington, O = RE Schmidt, CN = ptp
error 18 at 0 depth lookup:self signed certificate
OK
</pre>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small"><br></div>
<br>-- <br>
<div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span style="color:rgb(0,0,0)">“The ideal subject of totalitarian rule is not the convinced Nazi or the convinced communist, but people for whom the distinction between fact and fiction . . . and the distinction between true and false . . . no longer exist.” —Hannah Arendt, “The Origins of Totalitarianism” (1951)</span></div></div></div></div></div></div></div>
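<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">Added example, not part of the message above and not NTPsec project code. The posted script was run once per host, so "pluto" and "ptp" each ended up with their own, unrelated CA, and each host's bundle lists the CA certificate and CA key first, which is what OpenSSL loads as the server's own certificate and key. The script below, written for this page with assumed hostnames, subject names and output directories, issues one CA, signs a leaf certificate per host with that same CA (leaf first in the chain file, with a subjectAltName and CA:FALSE), and checks the result the way an NTS-KE client's verifier does, including the failure you get when the client trusts a different CA than the one that signed the server certificate.</div>

```sh
#!/bin/sh
# Added example for this page, not code from the original mail or from NTPsec.
# Issues one CA and signs a per-host leaf certificate with that same CA, then
# verifies the leaf the way an OpenSSL-based NTS-KE client does.
# Hostnames (pluto, ptp), the CA subject and all paths are assumptions.
set -eu

# make_ca DIR: create a self-signed CA key pair in DIR.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" \
        -subj "/CN=Example NTS CA" -out "$dir/ca.crt"
}

# make_leaf DIR HOST: key, CSR and CA-signed certificate for HOST.
# -CAcreateserial gives every leaf its own serial (the posted script
# used -set_serial 01 for all of them). The chain file lists the leaf
# FIRST and the CA second, the order OpenSSL expects from a chain file.
make_leaf() {
    dir=$1; host=$2
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$host.key" -subj "/CN=$host" -out "$dir/$host.csr"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$dir/$host.ext"
    openssl x509 -req -days 365 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt"
    cat "$dir/$host.crt" "$dir/ca.crt" > "$dir/$host.chain.crt"
}

# verify_leaf CAFILE CERT: succeed only if CERT chains to CAFILE.
# Matching the ": OK" line instead of the exit status also works on
# OpenSSL 1.0.2, whose 'openssl verify' exit status is unreliable.
verify_leaf() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# first_cn FILE: CN of the first PEM certificate in FILE, i.e. the
# certificate a TLS server presents as its own when given this file.
first_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'
}

# Usage: sh nts-certs.sh OUTDIR HOST   (e.g. sh nts-certs.sh certs pluto)
if [ $# -eq 2 ]; then
    make_ca "$1"
    make_leaf "$1" "$2"
    verify_leaf "$1/ca.crt" "$1/$2.crt" && echo "$2.crt chains to $1/ca.crt"
fi
```

<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small">Point "nts key" at the host's own key file and "nts cert" at the host's chain file (leaf first); copy only ca.crt to the client. A "ca" location that is a directory is searched by OpenSSL through hash-named links, which is what c_rehash (or "openssl rehash" on 1.1 and later) creates, so either rehash the directory or give the ca.crt file itself as the location.</div>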