[Nfd-dev] How to start a certificate chain from scratch

Dehart, John jdd at wustl.edu
Mon Mar 2 07:31:48 PST 2015


Shou,

You have to be careful to get all the names correct from command to command.
Here is what we currently do on the Testbed for NLSR.

Note that we generate a set of keys and certs specifically for NLSR, separate from
the other Testbed certs.

On ucla Node we generate a root cert for NLSR:
ucla> sudo su - nlsr -c 'export HOME=/var/lib/ndn/nlsr/; ndnsec-key-gen -n /ndn'
ucla> sudo su - nlsr -c 'export HOME=/var/lib/ndn/nlsr/; ndnsec-sign-req /ndn > /etc/ndn/nlsr/keys/root.cert'

On the WU node we generate a key:
wu> sudo su - nlsr -c 'export HOME=/var/lib/ndn/nlsr/; ndnsec-key-gen -n /ndn/edu/wustl > ~nlsr/unsigned_site.cert'

We sign that key with the root cert on UCLA:
ucla> sudo su - nlsr -c 'export HOME=/var/lib/ndn/nlsr/; ndnsec-cert-gen -S 201410080000 -E 201510080000 -N "WU" -s /ndn -p /ndn/edu/wustl -r /home/nlsr/wu_unsigned_site.cert > /home/nlsr/wu_site.cert'

We copy the root cert and the signed wu cert back to WU node into /etc/ndn/nlsr/keys/root.cert and /etc/ndn/nlsr/keys/site.cert . Then continue …

Generate a key for WU operator, ndnops:
wu> sudo su - nlsr -c 'export HOME=/var/lib/ndn/nlsr/; ndnsec-key-gen -n /ndn/edu/wustl/%C1.Operator/ndnops > ~nlsr/unsigned_operator.cert'

Sign operator key with site cert named /ndn/edu/wustl
wu> sudo su - nlsr -c 'export HOME=/var/lib/ndn/nlsr/; ndnsec-cert-gen -S 201410080000 -E 201510080000 -N "WU Operator" -s /ndn/edu/wustl -p /ndn/edu/wustl/%C1.Operator/ndnops -r ~nlsr/unsigned_operator.cert > /etc/ndn/nlsr/keys/operator.cert'

Generate a router key for WU:
wu> sudo su - nlsr -c 'export HOME=/var/lib/ndn/nlsr/; ndnsec-key-gen -n /ndn/edu/wustl/%C1.Router/wundngw > ~nlsr/unsigned_router.cert'

Sign router key with operator cert named /ndn/edu/wustl/%C1.Operator/ndnops
wu> sudo su - nlsr -c 'export HOME=/var/lib/ndn/nlsr/; ndnsec-cert-gen -S 201410080000 -E 201510080000 -N "WU Router wundngw" -s /ndn/edu/wustl/%C1.Operator/ndnops -p /ndn/edu/wustl/%C1.Router/wundngw -r ~nlsr/unsigned_router.cert > /etc/ndn/nlsr/keys/router.cert'


So, in the end, on each node we end up with four cert files in /etc/ndn/nlsr/keys:
root.cert
site.cert
operator.cert
router.cert

Hope this helps.

John
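The procedure above, collected into one script, as an added example that is not part of John's post or of the NLSR/ndn-cxx project. It uses the same 2015-era ndnsec-* commands and the same identity names; the host split is the point: ndnsec-cert-gen signs with the private key of the -s identity from the local PIB/TPM, so each signing step has to run on the host that generated the parent key (root on ucla, site and operator on wu), and a dump-and-install copy of a certificate never brings the private key with it, which is exactly the "private key doesn't exist" failure from the question below. The key directory, the validity window and the signer_allowed helper (which encodes the root -> site -> %C1.Operator -> %C1.Router relation NLSR uses, so a mistyped name is caught before anything is signed) are assumptions of the example, not something the post states.

```shell
#!/bin/sh
# Added example, not code from the post or from NLSR/ndn-cxx.
# Builds the NLSR chain  root -> site -> operator -> router  with the
# 2015-era ndnsec-* tools used in the post.  Run each function on the
# host named in its comment: the private key of the -s identity must
# be in that host's PIB/TPM, or ndnsec-cert-gen reports a missing key.
set -eu

KEYDIR="${KEYDIR:-/etc/ndn/nlsr/keys}"    # assumed layout, as in the post
VALID_FROM="${VALID_FROM:-201503020000}"   # assumed validity window
VALID_TO="${VALID_TO:-201603020000}"

# Site part of an operator/router name: "/ndn/edu/wustl/%C1.Router/x"
# -> "/ndn/edu/wustl".  Plain identities are returned unchanged.
site_of() {
  case "$1" in
    */%C1.Operator/*) printf '%s\n' "${1%%/%C1.Operator/*}" ;;
    */%C1.Router/*)   printf '%s\n' "${1%%/%C1.Router/*}" ;;
    *)                printf '%s\n' "$1" ;;
  esac
}

# Pure-shell check of the NLSR hierarchy (assumed here, not read from a
# validator config): a router is signed by an operator of its own site,
# an operator by its site, and a site by an identity that is a strict
# name prefix of it on a component boundary (/ndn/edu must not pass
# for /ndn/education).  Returns 0 when signer may sign subject.
signer_allowed() {
  signer="$1"; subject="$2"
  case "$subject" in
    */%C1.Router/*)
      case "$signer" in
        */%C1.Operator/*) [ "$(site_of "$signer")" = "$(site_of "$subject")" ] ;;
        *) return 1 ;;
      esac ;;
    */%C1.Operator/*)
      [ "$signer" = "$(site_of "$subject")" ] ;;
    *)
      [ "$signer" = "/" ] && signer=""
      case "$subject" in
        "$signer"/*) return 0 ;;
        *)           return 1 ;;
      esac ;;
  esac
}

# Step 1, on the root host (ucla in the post): self-signed root.
# ndnsec-sign-req prints the key's self-signed certificate; that file
# is the root cert every other host gets a copy of.  -n as in the post.
make_root() {            # make_root /ndn
  ndnsec-key-gen -n "$1" >/dev/null
  ndnsec-sign-req "$1" > "$KEYDIR/root.cert"
}

# Step 2, on the child host: create the key pair there (the private key
# never leaves this host).  ndnsec-key-gen prints the self-signed cert,
# which serves as the request file copied to the parent host.
make_request() {         # make_request /ndn/edu/wustl wu_unsigned_site.cert
  ndnsec-key-gen -n "$1" > "$2"
}

# Step 3, on the parent host: sign the request.  Refuses before touching
# ndnsec if the names do not fit the hierarchy (the name-mismatch trap
# the post warns about); the output file is copied back to the child.
sign_request() {         # sign_request SIGNER SUBJECT "label" request.cert out.cert
  signer_allowed "$1" "$2" || {
    echo "refusing: $1 may not sign $2 in the NLSR hierarchy" >&2
    return 1
  }
  ndnsec-cert-gen -S "$VALID_FROM" -E "$VALID_TO" -N "$3" \
    -s "$1" -p "$2" -r "$4" > "$5"
}

# Step 4, on the child host, optional for the cert-gen steps (which sign
# with the key already in the TPM): install the signed cert into the
# local PIB so ndnsec uses it instead of the self-signed one.
install_cert() {         # install_cert "$KEYDIR/site.cert"
  ndnsec-cert-install "$1"
}

# The post's sequence, each line on the host named:
#   ucla: make_root /ndn
#   wu:   make_request /ndn/edu/wustl wu_unsigned_site.cert
#   ucla: sign_request /ndn /ndn/edu/wustl "WU" wu_unsigned_site.cert wu_site.cert
#   wu:   make_request /ndn/edu/wustl/%C1.Operator/ndnops unsigned_operator.cert
#   wu:   sign_request /ndn/edu/wustl /ndn/edu/wustl/%C1.Operator/ndnops \
#             "WU Operator" unsigned_operator.cert "$KEYDIR/operator.cert"
#   wu:   make_request /ndn/edu/wustl/%C1.Router/wundngw unsigned_router.cert
#   wu:   sign_request /ndn/edu/wustl/%C1.Operator/ndnops \
#             /ndn/edu/wustl/%C1.Router/wundngw "WU Router wundngw" \
#             unsigned_router.cert "$KEYDIR/router.cert"
```

The request file names differ from the output names on purpose (wu_unsigned_site.cert in, wu_site.cert out), so a copy in the wrong direction cannot silently overwrite the signed cert; the prefix check in signer_allowed is what stops /ndn/edu from being accepted as the signer of /ndn/education, which a plain string-prefix test would let through.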


On Mar 2, 2015, at 6:28 AM, Shuo Chen <chenatu2006 at gmail.com> wrote:

Hi Yingdi,

My question is how to sign a cert with the root cert generated by another host.

Here is my security model

root---------site1----------router1
   |-----------site2----------router2

I installed certificates of root, site1 and router1 in host1.
I used ndnsec cert-dump to dump the root certificate to a file.
Then I transferred this certificate file to another machine and used ndnsec cert-install to install the certificate.
All above works well.
Then
$ ndnsec-cert-gen -N /root/site2 -s /root site2-cert.req | ndnsec-cert-install -

It shows “ERROR: private key doesn't exists”

-----
Shuo Chen

On Thu, Nov 20, 2014 at 2:23 AM, Yingdi Yu <yingdi at cs.ucla.edu> wrote:

On Nov 19, 2014, at 10:13 AM, Junxiao Shi <shijunxiao at email.arizona.edu> wrote:

Dear folks

While we are able to request testbed certificates from the ndncert website, when doing experiments it's undesirable to request testbed certificates for all nodes.
Suppose someone wants to start a certificate chain from scratch, how could this be done?

Just to clarify, the scenario you describe is a trust model for ndncert only. For apps that just want to use a simple trust model, it is not necessary to create so many keys.


Specifically, what are the commands to:

  1.  generate a root certificate: /example/KEY/ksk-1/ID-CERT
  2.  generate a site certificate and sign it by root certificate: /example/KEY/site1/ksk-2/ID-CERT
  3.  generate a user certificate and sign it by site certificate: /example/site1/KEY/user1/ksk-3/ID-CERT
  4.  publish root, site, user certificate in a repository or ndns system
  5.  generate a data signing certificate and sign it by user certificate: /example/site1/user1/KEY/dsk-4/ID-CERT

Another question is: why is testbed root certificate named /ndn/KEY/ksk-xxxx/ID-CERT, instead of /KEY/ndn/ksk-xxxx/ID-CERT

Because the root of the testbed is "/ndn" rather than "/", and the testbed publishes its root cert under its own prefix.

Yingdi


_______________________________________________
Nfd-dev mailing list
Nfd-dev at lists.cs.ucla.edu
http://www.lists.cs.ucla.edu/mailman/listinfo/nfd-dev

