[Nfd-dev] How to start a certificate chain from scratch

Shuo Chen chenatu2006 at gmail.com
Mon Mar 2 04:28:44 PST 2015 

Hi Yingdi,

My question is that how to sign a cert with the root cert generated by
another host.

Here is my security model

root---------site1----------router1
   |-----------site2----------router2

I installed certificates of root, site1 and router1 in host1.
used ndnsec cert-dump to dump certificate of root in a file.
The I transferred this certificate file into another machine and used
ndnsec cert-install to install the certificate.
All above works well.
Then
$ ndnsec-certgen -N /root/site2 -s /root site2-cert.req |
ndnsec-cert-install -

It shows “ERROR: private key doesn't exists”

-----
Shuo Chen

On Thu, Nov 20, 2014 at 2:23 AM, Yingdi Yu <yingdi at cs.ucla.edu> wrote:

>
> On Nov 19, 2014, at 10:13 AM, Junxiao Shi <shijunxiao at email.arizona.edu>
> wrote:
>
> Dear folks
>
> While we are able to request testbed certificates from ndncert website,
> when doing experiments, it's undesirable to request testbed certificates
> for all nodes.
> Suppose someone wants to start a certificate chain from scratch, how could
> this be done?
>
>
> Just to clarify, the scenario you describe is a trust model for the
> ndncert only. For apps that just want to use simple trust model, it is not
> necessary to create so many keys.
>
>
> Specifically, what are the commands to:
>
>    1. generate a root certificate: /example/KEY/ksk-1/ID-CERT
>    2. generate a site certificate and sign it by root certificate:
>    /example/KEY/site1/ksk-2/ID-CERT
>    3. generate a user certificate and sign it by site certificate:
>    /example/site1/KEY/user1/ksk-3/ID-CERT
>    4. publish root, site, user certificate in a repository or ndns system
>    5. generate a data signing certificate and sign it by user
>    certificate: /example/site1/user1/KEY/dsk-4/ID-CERT
>
>
> Another question is: why is testbed root certificate named
> /ndn/KEY/ksk-xxxx/ID-CERT, instead of /KEY/ndn/ksk-xxxx/ID-CERT
>
>
> Because the root of the testbed is "/ndn" rather than "/", and testbed
> publish its root cert under its own prefix.
>
> Yingdi
>
>
> _______________________________________________
> Nfd-dev mailing list
> Nfd-dev at lists.cs.ucla.edu
> http://www.lists.cs.ucla.edu/mailman/listinfo/nfd-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.lists.cs.ucla.edu/pipermail/nfd-dev/attachments/20150302/e1d0f47c/attachment.html>

More information about the Nfd-dev mailing list