<div dir="ltr">Hi Jiewen<div><br></div><div>The procedure you provided seems to be generating a new site1 key.</div><div>Is it possible to use an existing key pair as the site1 key?</div><div>It's okay to re-sign this existing key with the root zone's DSK instead of the KSK.</div><div><br></div><div>Yours, Junxiao<br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 11, 2015 at 12:48 PM, Jiewen Tan <span dir="ltr"><<a href="mailto:alanwake@ucla.edu" target="_blank">alanwake@ucla.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Hi Junxiao,<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Assuming the root key and root certificate are already present in the system (PIB),<u></u><u></u></span></p><p><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>1)<span style="font:7.0pt "Times New Roman"">      </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Create root zone: /example<u></u><u></u></span></p><p style="margin-left:1.0in"><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>a.<span style="font:7.0pt "Times New Roman"">       </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">ndns-create-zone /example -k /example/KEY/ksk-1/ID-CERT<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">This creates a zone named /example using a KSK stored in 
the PIB. It will also automatically generate a DSK signed by the provided KSK and insert the DSK into the NDNS database (publish). All other options are set to default.<u></u><u></u></span></p><p><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>2)<span style="font:7.0pt "Times New Roman"">      </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Publish root certificate: /example/KEY/ksk-1/ID-CERT<u></u><u></u></span></p><p style="margin-left:1.0in"><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>a.<span style="font:7.0pt "Times New Roman"">       </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">ndns-export-certificate /example/KEY/ksk-1/ID-CERT<u></u><u></u></span></p><p style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">This exports the root certificate to stdout. It can be exported to a file by using the -f option as well.<u></u><u></u></span></p><p style="margin-left:1.0in"><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>b.<span style="font:7.0pt "Times New Roman"">      </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">ndns-add-rr-from-file /example<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">This inserts the root certificate into the NDNS database (publishes it under zone /example). The default is to use stdin as input, so you can just copy & paste the output from 2.a. 
It will terminate with Ctrl+D.<u></u><u></u></span></p><p><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>3)<span style="font:7.0pt "Times New Roman"">      </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Create site1 zone: /example/site1<u></u><u></u></span></p><p style="margin-left:1.0in"><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>a.<span style="font:7.0pt "Times New Roman"">       </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">ndns-create-zone /example/site1<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Here, the tool will automatically generate a self-signed KSK and a corresponding DSK. Moreover, the DSK will be published automatically.<u></u><u></u></span></p><p><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>4)<span style="font:7.0pt "Times New Roman"">      </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Delegate site1 zone from root zone<u></u><u></u></span></p><p style="margin-left:1.0in"><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>a.<span style="font:7.0pt "Times New Roman"">       </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">ndns-add-rr -t resp /example /site1 NS<u></u><u></u></span></p><p style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">This adds an rrset to zone /example with label /site1 and type NS. Specifically, the content type of the rrset is set to resp, which indicates the existence of zone /example/site1. Now the delegation is complete. 
However, if the site zone is a leaf zone, a TXT type rrset is preferred.<u></u><u></u></span></p><p><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>5)<span style="font:7.0pt "Times New Roman"">      </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> Publish site1 certificate: /example/KEY/site1/ksk-2/ID-CERT  (Site1’s KSK needs to be published in its parent zone, i.e. root zone.)<u></u><u></u></span></p><p style="margin-left:1.0in"><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>a.<span style="font:7.0pt "Times New Roman"">       </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">ndns-export-certificate /example/KEY/site1/ksk-2/ID-CERT -f site1.cert<u></u><u></u></span></p><p style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Export the certificate from site1 zone.<u></u><u></u></span></p><p style="margin-left:1.0in"><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>b.<span style="font:7.0pt "Times New Roman"">      </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Pass the certificate to the parent zone, i.e. root zone here. 
(Use whatever method you prefer.)<u></u><u></u></span></p><p style="margin-left:1.0in"><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>c.<span style="font:7.0pt "Times New Roman"">       </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">ndns-add-rr-from-file /example -f site1.cert<u></u><u></u></span></p><p style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Here the tool will re-sign the certificate with the zone’s DSK so that an authentication chain can be established. After that, it will publish the certificate in the NDNS database with the label set to /site1/ksk-2 and the type set to ID-CERT.<u></u><u></u></span></p><p><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>6)<span style="font:7.0pt "Times New Roman"">      </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Publish user1 certificate: /example/site1/KEY/user1/ksk-3/ID-CERT (Assuming it is stored as user1.cert)<u></u><u></u></span></p><p style="margin-left:1.0in"><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>a.<span style="font:7.0pt "Times New Roman"">       </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">ndns-add-rr-from-file /example/site1 -f user1.cert<u></u><u></u></span></p><p style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Note again that this operation needs to be done in the parent zone, i.e. 
/example/site1.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">In NDNS, publishing a certificate essentially means inserting the certificate into the NDNS database as an ID-CERT rrset. Therefore, I use these two terms interchangeably here.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Thank you for asking this question. I will try to make the answer as complete as possible and post it on the ndns-tr as an appendix.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">BTW, Xiaoke, please supplement my explanation if necessary.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Regards,<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Jiewen Tan<u></u><u></u></span></p><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Junxiao Shi [mailto:<a href="mailto:shijunxiao@email.arizona.edu" target="_blank">shijunxiao@email.arizona.edu</a>] <br><b>Sent:</b> Wednesday, March 11, 2015 11:56 AM<br><b>To:</b> <<a href="mailto:nfd-dev@lists.cs.ucla.edu" 
target="_blank">nfd-dev@lists.cs.ucla.edu</a>><br><b>Cc:</b> Xiaoke Jiang; Jiewen Tan<br><b>Subject:</b> Re: [Nfd-dev] How to start a certificate chain from scratch<u></u><u></u></span></p><div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><div><div><p class="MsoNormal"><span style="font-size:9.5pt">Hi Xiaoke/Jiewen</span><u></u><u></u></p></div><div><p class="MsoNormal"><span style="font-size:9.5pt">(correcting a typo below)</span><u></u><u></u></p><div><p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:9.5pt">Thanks for your examples. However, I need to start from scratch. Suppose:<u></u><u></u></span></p></div><div><p class="MsoNormal" style="margin-left:47.25pt"><u></u><span style="font-size:10.0pt;font-family:Symbol"><span>·<span style="font:7.0pt "Times New Roman"">  </span></span></span><u></u><span style="font-size:9.5pt">root/site/user certificates are created according to <a href="http://www.lists.cs.ucla.edu/pipermail/nfd-dev/2014-November/000616.html" target="_blank">http://www.lists.cs.ucla.edu/pipermail/nfd-dev/2014-November/000616.html</a><u></u><u></u></span></p><p class="MsoNormal" style="margin-left:47.25pt"><u></u><span style="font-size:10.0pt;font-family:Symbol"><span>·<span style="font:7.0pt "Times New Roman"">  </span></span></span><u></u><span style="font-size:9.5pt">Two machines have NDNS package installed. 
One is to host root zone, the other is to host site1 zone.<u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:9.5pt">I need the commands to:<u></u><u></u></span></p></div><div><p class="MsoNormal" style="margin-left:47.25pt"><u></u><span style="font-size:10.0pt;font-family:Symbol"><span>·<span style="font:7.0pt "Times New Roman"">  </span></span></span><u></u><span style="font-size:9.5pt">create root zone: /example<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:47.25pt"><u></u><span style="font-size:10.0pt;font-family:Symbol"><span>·<span style="font:7.0pt "Times New Roman"">  </span></span></span><u></u><span style="font-size:9.5pt">publish root certificate: /example/KEY/ksk-1/ID-CERT<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:47.25pt"><u></u><span style="font-size:10.0pt;font-family:Symbol"><span>·<span style="font:7.0pt "Times New Roman"">  </span></span></span><u></u><span style="font-size:9.5pt">create site1 zone: /example/site1<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:47.25pt"><u></u><span style="font-size:10.0pt;font-family:Symbol"><span>·<span style="font:7.0pt "Times New Roman"">  </span></span></span><u></u><span style="font-size:9.5pt">delegate site1 zone from root zone<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:47.25pt"><u></u><span style="font-size:10.0pt;font-family:Symbol"><span>·<span style="font:7.0pt "Times New Roman"">  </span></span></span><u></u><span style="font-size:9.5pt">publish site1 certificate: /example/KEY/site1/ksk-2/ID-CERT (should this be published at root zone or site1 zone?)<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:47.25pt"><u></u><span style="font-size:10.0pt;font-family:Symbol"><span>·<span style="font:7.0pt "Times New Roman"">  </span></span></span><u></u><span style="font-size:9.5pt">publish user1 certificate: /example/site1/KEY/user1/ksk-3/ID-CERT<u></u><u></u></span></p></div><div><p 
class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p></div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:9.5pt">Yours, Junxiao<u></u><u></u></span></p><div><p class="MsoNormal"><span style="font-size:9.5pt">On Wed, Mar 11, 2015 at 11:39 AM, Xiaoke Jiang <<a href="mailto:shock.jiang@gmail.com" target="_blank">shock.jiang@gmail.com</a>> wrote:<u></u><u></u></span></p><div><p class="MsoNormal"><span style="font-size:9.5pt">Hi Junxiao,<u></u><u></u></span></p><div><p class="MsoNormal"><span style="font-size:9.5pt">There are two ways to insert a certificate into NDNS: one is to embed it in an update message and deliver it to the name server, and the other is to call the management tool to modify the local database directly.<u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:9.5pt">I present an example to show the two ways; assume the certificate is named /ndn/edu/ucla/KEY/bob/dsk-1420913151451/ID-CERT/%FD%00%00%01J%D5%06%0F%C8, and is stored in the local file ndn.edu.ucla.bob.cert<u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:9.5pt">1) sending an update message locally or remotely: ndns-update -f ndn.edu.ucla.bob.cert<u></u><u></u></span></p><div><p class="MsoNormal"><span style="font-size:9.5pt">2) calling the management tool locally: ndns-add-rr-from-file /ndn/edu/ucla -f ndn.edu.ucla.bob.cert<u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:9.5pt">And the management tool that removes it is: ndns-remove-rr /ndn/edu/ucla /bob/dsk-1420913151451 ID-CERT.<u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:9.5pt">As for removing it remotely, an authorized party should send an update message embedding an NDNS-NACK with the same name prefix but a greater 
version number.<u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:9.5pt">Note that the certificates issued by the NDN Testbed are automatically stored in the NDNS instance hosted on the testbed.<u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:9.5pt"><u></u> <u></u></span></p><div><p class="MsoNormal"><span style="font-size:9.5pt">Xiaoke (Shock)<u></u><u></u></span></p></div></div></div></div></div></div></div></div></div></div></div></div></blockquote></div><br></div></div></div>
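Added example, not NDNS project code and not from any of the participants above: a small Python model of the naming rule that runs through the whole thread, <code>/&lt;zone&gt;/KEY/&lt;label&gt;/ID-CERT[/&lt;version&gt;]</code>. It answers the question raised in the thread (site1's KSK certificate is published in the parent zone, user1's in /example/site1) by splitting the certificate name, derives the <code>ndns-add-rr-from-file</code> and <code>ndns-remove-rr</code> invocations in the form quoted above, and lists the zones whose DSK-signed records a verifier walks from the publishing zone up to the self-signed root KSK. The zone set and the certificate names are constructed from the thread; the prefix-based parent lookup is an assumption, since real NDNS resolves parents through NS delegation records.

```python
"""Where an NDNS certificate is published and which zones a verifier walks.

Added example built from the naming convention in the thread,
/<zone>/KEY/<label>/ID-CERT[/<version>]; it is not NDNS project code.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CertPlacement:
    zone: str               # zone whose NDNS database holds the rrset
    label: str              # rrset label, relative to that zone
    rr_type: str            # rrset type; "ID-CERT" for certificates
    version: Optional[str]  # trailing version component, if present


def split_name(name: str) -> list[str]:
    """'/a/b/c' -> ['a', 'b', 'c']; NDN names are absolute."""
    if not name.startswith("/"):
        raise ValueError(f"expected an absolute NDN name, got {name!r}")
    return [c for c in name.split("/")[1:] if c]


def join_name(comps: list[str]) -> str:
    return "/" + "/".join(comps)


def cert_placement(cert_name: str) -> CertPlacement:
    """Split a certificate name at KEY ... ID-CERT into zone, label and type.

    The components before KEY name the zone that publishes the certificate,
    which is the parent of the entity certified: the site1 KSK
    /example/KEY/site1/ksk-2/ID-CERT lives in /example, the user1 KSK
    /example/site1/KEY/user1/ksk-3/ID-CERT lives in /example/site1.
    """
    comps = split_name(cert_name)
    try:
        key_idx = comps.index("KEY")
        type_idx = comps.index("ID-CERT", key_idx + 1)
    except ValueError as exc:
        raise ValueError(f"not a certificate name: {cert_name!r}") from exc
    label = comps[key_idx + 1:type_idx]
    if not label:
        raise ValueError(f"empty label in {cert_name!r}")
    rest = comps[type_idx + 1:]
    if len(rest) > 1:
        raise ValueError(f"unexpected components after ID-CERT: {rest}")
    return CertPlacement(join_name(comps[:key_idx]), join_name(label),
                         "ID-CERT", rest[0] if rest else None)


def add_command(cert_name: str, cert_file: str) -> str:
    """Local publish, in the ndns-add-rr-from-file form used in the thread."""
    return f"ndns-add-rr-from-file {cert_placement(cert_name).zone} -f {cert_file}"


def remove_command(cert_name: str) -> str:
    """Local removal, in the ndns-remove-rr form used in the thread."""
    p = cert_placement(cert_name)
    return f"ndns-remove-rr {p.zone} {p.label} {p.rr_type}"


def zone_chain(cert_name: str, zones: set[str]) -> list[str]:
    """Zones whose DSK signatures a verifier relies on, publishing zone first.

    The certificate is re-signed by the publishing zone's DSK; that DSK is
    signed by the zone's KSK, which is itself an ID-CERT rrset in the parent
    zone, and so on up to a zone with no parent, whose KSK is self-signed.
    Assumption: the parent is the longest known zone that is a strict prefix.
    Real NDNS finds parents through NS delegation records instead.
    """
    zone = cert_placement(cert_name).zone
    if zone not in zones:
        raise ValueError(f"certificate names an unknown zone {zone}")
    chain = [zone]
    while True:
        comps = split_name(chain[-1])
        prefixes = (join_name(comps[:i]) for i in range(len(comps) - 1, 0, -1))
        parent = next((p for p in prefixes if p in zones), None)
        if parent is None:
            return chain
        chain.append(parent)


if __name__ == "__main__":
    zones = {"/example", "/example/site1"}  # constructed from the thread
    for cert in ("/example/KEY/ksk-1/ID-CERT",
                 "/example/KEY/site1/ksk-2/ID-CERT",
                 "/example/site1/KEY/user1/ksk-3/ID-CERT"):
        p = cert_placement(cert)
        print(f"{cert}\n  zone={p.zone} label={p.label} type={p.rr_type}"
              f"\n  {add_command(cert, 'cert.file')}"
              f"\n  chain={' -> '.join(zone_chain(cert, zones))}")
```

Running it prints, for each of the three certificate names in the thread, the zone that must hold the rrset, the publish command to run on that zone's host, and the chain of zones a verifier crosses; the root KSK certificate yields a one-element chain because nothing above /example is known, which is exactly why it has to be the trust anchor installed out of band.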