[Nfd-dev] How to start a certificate chain from scratch

Junxiao Shi shijunxiao at email.ARIZONA.EDU
Mon Mar 2 15:51:22 PST 2015


Hi Shuo

If you have multiple machines, you'll need to copy the certificate request
between machines.

The example below assumes you have five machines:

   - root
   - site1
   - site2
   - router1
   - router2

To protect CA private keys, you could keep root, site1, site2 machines
offline, and use USB sticks to copy files to and from them.


root> ndnsec-keygen /root | tee root.ndncert | ndnsec-cert-install -

site1> ndnsec-keygen /root/site1 > site1.req
(copy site1.req to root machine)
root> ndnsec-certgen -N /root/site1 -s /root site1.req > site1.ndncert
(copy site1.ndncert to site1 machine)
site1> cat site1.ndncert | ndnsec-cert-install -

(similar for site2)

router1> ndnsec-keygen /root/site1/router1 > router1.req
(copy router1.req to site1 machine)
site1> ndnsec-certgen -N /root/site1/router1 -s /root/site1 router1.req > router1.ndncert
(copy router1.ndncert to router1 machine)
router1> cat router1.ndncert | ndnsec-cert-install -

(similar for router2)

(copy *.ndncert to some connected machine on the network, and publish them
from repo-ng or ndns)


Yours, Junxiao

On Mon, Mar 2, 2015 at 5:28 AM, Shuo Chen <chenatu2006 at gmail.com> wrote:

> Hi Yingdi,
>
> My question is how to sign a cert with the root cert generated by
> another host.
>
> Here is my security model
>
> root---------site1----------router1
>    |-----------site2----------router2
>
> I installed certificates of root, site1 and router1 in host1.
> I used ndnsec cert-dump to dump the certificate of root to a file.
> Then I transferred this certificate file to another machine and used
> ndnsec cert-install to install the certificate.
> All above works well.
> Then
> $ ndnsec-certgen -N /root/site2 -s /root site2-cert.req |
> ndnsec-cert-install -
>
> It shows “ERROR: private key doesn't exists”
>
> -----
> Shuo Chen
>
>
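The procedure Junxiao lays out above has a fixed shape at every level: the leaf generates a key and a request, the request travels to the machine holding the parent identity's private key, that machine signs with `-s <parent prefix>`, and the certificate travels back. The helper below is an added example, not code from the thread or from ndn-cxx; it derives the signer identity from the requested name (the parent prefix, which generalizes the two-level instance shown) and wraps the same `ndnsec-certgen -N ... -s ...` invocation. `NDNSEC_CERTGEN` is an assumed override hook so the script can be exercised without an NDN keychain; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: CA-side helper for the workflow
# above (ndnsec-keygen on the leaf, ndnsec-certgen on the signer,
# ndnsec-cert-install back on the leaf). The signer identity is always the
# parent prefix of the identity being certified, and the signer's private key
# must live in the keychain of the machine this runs on, so run it on the CA
# machine (root or siteN in Junxiao's layout), never on the requesting host.
# NDNSEC_CERTGEN is an assumed override hook (default: the real ndnsec-certgen)
# so the logic can be tested without a keychain.

# Parent prefix of an identity name: /root/site1/router1 -> /root/site1.
# Prints nothing for a top-level identity such as /root, which has no signer
# other than itself (its self-signed cert comes straight from ndnsec-keygen).
# Assumes canonical names that start with "/".
signer_of() {
  printf '%s\n' "${1%/*}"
}

# Render the exact ndnsec-certgen command line for a request without running it.
certgen_cmd() {
  name=$1
  req=$2
  signer=$(signer_of "$name")
  if [ -z "$signer" ]; then
    echo "certgen_cmd: $name has no parent identity; it is self-signed" >&2
    return 1
  fi
  printf '%s -N %s -s %s %s\n' "${NDNSEC_CERTGEN:-ndnsec-certgen}" "$name" "$signer" "$req"
}

# Sign <identity>.req on this (CA) machine and write <identity>.ndncert beside
# it. Prints the path of the produced certificate for the copy-back step.
sign_request() {
  name=$1
  req=$2
  signer=$(signer_of "$name")
  [ -n "$signer" ] || { echo "sign_request: refusing to sign top-level $name" >&2; return 1; }
  [ -r "$req" ] || { echo "sign_request: cannot read request $req" >&2; return 1; }
  out=${req%.req}.ndncert
  "${NDNSEC_CERTGEN:-ndnsec-certgen}" -N "$name" -s "$signer" "$req" > "$out" || return 1
  printf '%s\n' "$out"
}

# Typical use on the site1 machine once router1.req has arrived on the USB stick:
#   sign_request /root/site1/router1 /media/usb/router1.req
# then carry /media/usb/router1.ndncert back to router1 and run
#   cat /media/usb/router1.ndncert | ndnsec-cert-install -
```

The refusal in `sign_request` for a top-level name is deliberate: a root identity is never signed by `ndnsec-certgen`, its self-signed certificate is the one `ndnsec-keygen` printed, which is why the root line in Junxiao's transcript pipes `ndnsec-keygen` straight into `tee` and `ndnsec-cert-install`.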

