[Nfd-dev] How to start a certificate chain from scratch

Junxiao Shi shijunxiao at email.arizona.edu
Mon Mar 2 15:37:56 PST 2015


Dear folks

I found the repo-ng solution from ndncert website source code:
https://github.com/named-data/ndncert/blob/1e4ff1dad1ae4aabbd29b124ba83d9ce4ff7111d/ndnop-process-requests#L181

To publish a key:

   1. repo-ng service must be running; in repo-ng.conf, repo.data.prefix
   must cover the certificate's Name
   2. tee the input to ndnsec-cert-install into a file
   3. base64 decode the certificate file and send the binary into localhost
   tcp/7376 port

Example commands to create and publish root and site certificates:

ndnsec-keygen /example | tee example.ndncert | ndnsec-cert-install -
base64 -d example.ndncert | nc localhost 7376
ndnsec-keygen /example/site1 > site1.req
ndnsec-certgen -N /example/site1 -s /example site1.req | tee site1.ndncert | ndnsec-cert-install -
base64 -d site1.ndncert | nc localhost 7376

tcp/7376 is the "tcp bulk insert" service of repo-ng, which seems to treat
anything from the socket as a Data packet and store it.


I still want to hear about how ndns could be used to publish those
certificates.
Xiaoke, can you answer?

Yours, Junxiao

On Mon, Feb 23, 2015 at 10:46 PM, Junxiao Shi <shijunxiao at email.arizona.edu>
wrote:

> Dear folks
>
> The only missing piece is: publish root, site, user certificate in a
> repository or ndns system.
> Does anyone know how to publish a certificate with repo-ng and ndns? I
> want to try both.
>
> Yours, Junxiao
>
> On Wed, Nov 19, 2014 at 12:49 PM, Yingdi Yu <yingdi at cs.ucla.edu> wrote:
>
>> Hi Junxiao,
>>
>> On Nov 19, 2014, at 11:23 AM, Junxiao Shi <shijunxiao at email.arizona.edu>
>> wrote:
>>
>> Hi Yingdi
>>
>> Suppose one wants to mirror the same trust model as testbed and ndncert
>> website, how can he do that? What are the commands?
>>
>> I list the commands for the example below:
>>
>> >> Specifically, what are the commands to:
>>
>> >> generate a root certificate: /example/KEY/ksk-1/ID-CERT
>>
>> $ ndnsec-keygen /example | ndnsec-cert-install -
>>
>> >> generate a site certificate and sign it by root certificate: /example/KEY/site1/ksk-2/ID-CERT
>>
>> $ ndnsec-keygen /example/site1 > site1-cert.req
>> $ ndnsec-certgen -N /example/site1 -s /example site1-cert.req |
>> ndnsec-cert-install -
>>
>> >> generate a user certificate and sign it by site certificate: /example/site1/KEY/user1/ksk-3/ID-CERT
>>
>> $ ndnsec-keygen /example/site1/user1 > user1-cert.req
>> $ ndnsec-certgen -N /example/site1/user1 -s /example/site1 user1-cert.req | ndnsec-cert-install -
>>
>> >> publish root, site, user certificate in a repository or ndns system
>>
>> This depends on the tools. I usually write a simple cert publishing tool
>> or use PIB to publish certificates
>>
>> >> generate a data signing certificate and sign it by user certificate: /example/site1/user1/KEY/dsk-4/ID-CERT
>>
>> For now, the command line tool disables dsk generation, but we could
>> enable that if necessary.
>>
>>
>> Yingdi
>>
>
>
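
Added example, not part of the original message or of the ndncert/repo-ng code: since the tcp bulk insert port is described above as storing whatever arrives on the socket, this pre-flight check confirms that a base64 certificate file decodes to exactly one NDN Data TLV whose Name falls under the prefix configured as repo.data.prefix before it is piped to port 7376. The function names are hypothetical, the sample packet is constructed (a bare Name, not a real certificate), and prefixes are assumed to be plain ASCII components without percent-encoding.

```python
import base64
TLV_DATA, TLV_NAME, TLV_COMPONENT = 6, 7, 8  # NDN packet format type numbers

def read_varnum(buf, pos):
    """Decode one NDN variable-length number; return (value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated TLV")
    if buf[pos] < 253:
        return buf[pos], pos + 1
    end = pos + 1 + {253: 2, 254: 4, 255: 8}[buf[pos]]
    if end > len(buf):
        raise ValueError("truncated TLV number")
    return int.from_bytes(buf[pos + 1:end], "big"), end

def read_tlv(buf, pos):
    """Return (type, value, next_pos) for the TLV that starts at pos."""
    typ, pos = read_varnum(buf, pos)
    length, pos = read_varnum(buf, pos)
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return typ, buf[pos:pos + length], pos + length

def data_name(wire):
    """Name components of a buffer that must be exactly one Data packet."""
    typ, value, end = read_tlv(wire, 0)
    if typ != TLV_DATA or end != len(wire):
        raise ValueError("not exactly one Data TLV")
    typ, name, _ = read_tlv(value, 0)
    if typ != TLV_NAME:
        raise ValueError("Data does not start with a Name TLV")
    comps, pos = [], 0
    while pos < len(name):
        _, comp, pos = read_tlv(name, pos)
        comps.append(comp)
    return comps

def check_cert_file(b64_text, repo_prefix):
    """Decode ndnsec-style base64; require the Name to be under repo_prefix."""
    comps = data_name(base64.b64decode(b64_text))
    prefix = [c.encode() for c in repo_prefix.split("/") if c]
    if comps[:len(prefix)] != prefix:
        raise ValueError("certificate Name is outside the repo prefix")
    return "/" + "/".join(c.decode("ascii", "replace") for c in comps)

def _tlv(typ, value):  # encoder for short (<253 byte) constructed samples
    return bytes([typ, len(value)]) + value

# Constructed sample: a Data TLV holding only a Name, not a real certificate.
SAMPLE = base64.b64encode(_tlv(TLV_DATA, _tlv(TLV_NAME, b"".join(
    _tlv(TLV_COMPONENT, c) for c in (b"example", b"KEY", b"ksk-1", b"ID-CERT"))))).decode()
```

Calling check_cert_file on the text of example.ndncert with the prefix /example returns the certificate Name, or raises ValueError if the file is not a single Data packet under that prefix.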