[Nfd-dev] How to start a certificate chain from scratch
Yingdi Yu
yingdi at CS.UCLA.EDU
Wed Nov 19 10:23:08 PST 2014
> On Nov 19, 2014, at 10:13 AM, Junxiao Shi <shijunxiao at email.arizona.edu> wrote:
>
> Dear folks
>
> While we are able to request testbed certificates from the ndncert website, when doing experiments, it's undesirable to request testbed certificates for all nodes.
> Suppose someone wants to start a certificate chain from scratch, how could this be done?
Just to clarify, the scenario you describe is a trust model for the ndncert only. For apps that just want to use a simple trust model, it is not necessary to create so many keys.
>
> Specifically, what are the commands to:
> - generate a root certificate: /example/KEY/ksk-1/ID-CERT
> - generate a site certificate and sign it by root certificate: /example/KEY/site1/ksk-2/ID-CERT
> - generate a user certificate and sign it by site certificate: /example/site1/KEY/user1/ksk-3/ID-CERT
> - publish root, site, user certificate in a repository or ndns system
> - generate a data signing certificate and sign it by user certificate: /example/site1/user1/KEY/dsk-4/ID-CERT
>
> Another question is: why is the testbed root certificate named /ndn/KEY/ksk-xxxx/ID-CERT, instead of /KEY/ndn/ksk-xxxx/ID-CERT?
Because the root of the testbed is "/ndn" rather than "/", and the testbed publishes its root cert under its own prefix.
Yingdi