[Nfd-dev] How to start a certificate chain from scratch

Yingdi Yu yingdi at CS.UCLA.EDU
Wed Nov 19 11:49:27 PST 2014


Hi Junxiao,

> On Nov 19, 2014, at 11:23 AM, Junxiao Shi <shijunxiao at email.arizona.edu> wrote:
> 
> Hi Yingdi
> 
> Suppose one wants to mirror the same trust model as testbed and ndncert website, how can he do that? What are the commands?
> 
I list the commands for the example below:

> >> Specifically, what are the commands to:
> 
> >> generate a root certificate: /example/KEY/ksk-1/ID-CERT
> 
$ ndnsec-keygen /example | ndnsec-cert-install -

> >> generate a site certificate and sign it by root certificate: /example/KEY/site1/ksk-2/ID-CERT
> 
$ ndnsec-keygen /example/site1 > site1-cert.req
$ ndnsec-certgen -N /example/site1 -s /example site1-cert.req | ndnsec-cert-install -

> >> generate a user certificate and sign it by site certificate: /example/site1/KEY/user1/ksk-3/ID-CERT
> 
$ ndnsec-keygen /example/site1/user1 > user1-cert.req
$ ndnsec-certgen -N /example/site1/user1 -s /example/site1 user1-cert.req | ndnsec-cert-install -

> >> publish root, site, user certificate in a repository or ndns system
> 
This depends on the tools. I usually write a simple cert publishing tool or use PIB to publish certificates.

> >> generate a data signing certificate and sign it by user certificate: /example/site1/user1/KEY/dsk-4/ID-CERT
> 

For now, the command line tool disables dsk generation, but we could enable that if necessary. 


Yingdi
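
An added example, not part of the original message or of the ndnsec tools: a small checker for the certificate names quoted in this thread, useful for confirming that a mirrored chain is named consistently before publishing it. It assumes the layout those names suggest (the components before `KEY` are the signer's namespace, and the components between `KEY` and `ID-CERT` are the rest of the key name); the function names are hypothetical.

```python
# Added example: checks that ID-CERT names form a hierarchical chain.
# Assumption: in a name such as /example/KEY/site1/ksk-2/ID-CERT the part
# before KEY (/example) is the signer's namespace, and the key belongs to
# identity /example/site1. This reading is inferred from the names in the thread.

def components(name):
    return tuple(c for c in name.split("/") if c)

def parse_cert_name(cert_name):
    """Return (signer_namespace, identity, key_id) for an ID-CERT name."""
    parts = components(cert_name)
    if parts.count("KEY") != 1 or "ID-CERT" not in parts:
        raise ValueError("not an ID-CERT name: " + cert_name)
    k = parts.index("KEY")
    i = parts.index("ID-CERT")  # components after ID-CERT are ignored
    between = parts[k + 1:i]
    if not between:
        raise ValueError("missing key id: " + cert_name)
    namespace = parts[:k]
    identity = namespace + between[:-1]
    return namespace, identity, between[-1]

def check_chain(cert_names):
    """Check names ordered from root to leaf; return a list of problems."""
    problems = []
    parent_identity = None
    for name in cert_names:
        namespace, identity, _key_id = parse_cert_name(name)
        if parent_identity is None:
            # The first certificate is expected to be the self-signed root.
            if namespace != identity:
                problems.append("root is not named under its own identity: " + name)
        elif namespace != parent_identity:
            problems.append("%s is named under /%s but its signer identity is /%s"
                            % (name, "/".join(namespace), "/".join(parent_identity)))
        parent_identity = identity
    return problems

# The four names quoted in the thread, root first.
PAGE_CHAIN = [
    "/example/KEY/ksk-1/ID-CERT",
    "/example/KEY/site1/ksk-2/ID-CERT",
    "/example/site1/KEY/user1/ksk-3/ID-CERT",
    "/example/site1/user1/KEY/dsk-4/ID-CERT",
]
# Constructed counter-example: the user certificate is named under another site.
BAD_CHAIN = PAGE_CHAIN[:2] + ["/example/site2/KEY/user1/ksk-3/ID-CERT"]

if __name__ == "__main__":
    print(check_chain(PAGE_CHAIN))
    print(check_chain(BAD_CHAIN))
```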