[Nfd-dev] How to start a certificate chain from scratch

Jiewen Tan alanwake at ucla.edu
Wed Mar 11 12:48:00 PDT 2015 

Hi Junxiao,

 

Assuming the root key and root certificate are already presented in the system(PIB),

1)      Create root zone: /example

a.       ndns-create-zone  /example -k /example/KEY/ksk-1/ID-CERT

Here is to create a zone named /example using a KSK store in the PIB. It will also generate a DSK signed by the KSK provided automatically and insert the DSK to NDNS database (publish). All other options are set to default.

2)      Publish root certificate: /example/KEY/ksk-1/ID-CERT

a.       ndns-export-certificate /example/KEY/ksk-1/ID-CERT

Here is to export the root certificate to stdout. It can be exported to a file by using -f option as well.

b.      ndns-add-rr-from-file /example

Here is to insert the root certificate into NDNS database (publish under zone /example). Default is to use stdin as input. So you can just copy&paste the output from 2.a. It will terminate with Ctrl+D.

3)      Create site1 zone: /example/site1

a.       ndns-create-zone  /example/site1

Here, the tool will automatically generate a self-signed KSK and a corresponding DSK. Moreover, the DSK will be published automatically.

4)      Delegate site1 zone from root zone

a.       ndns-add-rr -t resp /example /site1 NS

Here is to add a rrset into zone: /example which has label: /site1 and type: /NS. Specifically, the content-type of the rrset is set to resp which indicate the existence of zone /example/site1. Now the delegation is completed. However, if the site zone is a leaf zone, a TXT type rrset is preferred.

5)       Publish site1 certificate: /example/KEY/site1/ksk-2/ID-CERT  (Site1’s KSK needs to be published in its parent zone, i.e. root zone.)

a.       ndns-export-certificate /example/KEY/site1/ksk-2/ID-CERT -f site1.cert

Export the certificate from site1 zone.

b.      Pass the certificate to the parent zone, i.e. root zone here. (Use whatever methods you prefer)

c.       ndns-add-rr-from-file /example -f site1.cert

Here the tool will resign the certificate with the zone’s DSK such that an authentication chain can be established. After that, it will publish the certificate in the NDNS database with label set to /site1/ksk-2 and type set to ID-CERT.

6)      Publish user1 certificate: /example/site1/KEY/user1/ksk-3/ID-CERT (Assuming it is stored as user1.cert)

a.       ndns-add-rr-from-file /example/site1 -f user1.cert

Noticed again, this operation needs to be done in the parent zone, i.e. /example/site1.

 

In NDNS, publishing a certificate is essentially meaning to insert the certificate into NDNS database as an ID-CERT rrset. Therefore, I use these two terms interchangeably here.

 

Thank you for asking this question. I will try to make the answer as complete as possible and post this answer on the ndns-tr as appendix.

 

BTW, Xiaoke please make any supplement to my explanation if necessary.

 

Regards,

Jiewen Tan

From: Junxiao Shi [mailto:shijunxiao at email.arizona.edu] 
Sent: Wednesday, March 11, 2015 11:56 AM
To: <nfd-dev at lists.cs.ucla.edu>
Cc: Xiaoke Jiang; Jiewen Tan
Subject: Re: [Nfd-dev] How to start a certificate chain from scratch

 

Hi Xiaoke/Jiewen

(correcting a typo below)

 

Thanks for your examples. However, I need to start from scratch. Suppose:

·  root/site/user certificates are created according to http://www.lists.cs.ucla.edu/pipermail/nfd-dev/2014-November/000616.html

·  Two machines have NDNS package installed. One is to host root zone, the other is to host site1 zone.

I need the commands to:

·  create root zone: /example

·  publish root certificate: /example/KEY/ksk-1/ID-CERT

·  create site1 zone: /example/site1

·  delegate site1 zone from root zone

·  publish site1 certificate: /example/KEY/site1/ksk-2/ID-CERT (should this be published at root zone or site1 zone?)

·  publish user1 certificate: /example/site1/KEY/user1/ksk-3/ID-CERT

 

Yours, Junxiao

On Wed, Mar 11, 2015 at 11:39 AM, Xiaoke Jiang <shock.jiang at gmail.com> wrote:

Hi Junxiao,

There are two ways to insert a certificate into NDNS, one is to embed it in update message and deliver it to name server, and the other is calling management tool to modify the local database directly.

I present an example to show the two ways, assume the certificate is named /ndn/edu/ucla/KEY/bob/dsk-1420913151451/ID-CERT/%FD%00%00%01J%D5%06%0F%C8, and stored in the local file ndn.edu <http://ndn.edu/> .ucla.bob.cert

1) sending update message locally or remotely: ndns-update -f ndn.edu <http://ndn.edu/> .ucla.bob.cert

2) calling management tool locally: ndns-add-rr-from-file /ndn/edu/ucla -f ndn.edu.ucla.bob.cert

 

And the management tools that remove it is: ndns-remove-rr /ndn/edu/ucla /bob/dsk-1420913151451 ID-CERT.

As to remove it remotely, authorized party should send a update message embedding a NDNS-NACK with the same name prefix but greater version number.

 

Note that  the certificates issued by NDN Testbed is automatically stored in the NDNS instance hosted on the testbed.

 

Xiaoke (Shock)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.lists.cs.ucla.edu/pipermail/nfd-dev/attachments/20150311/3f4e2626/attachment.html>

More information about the Nfd-dev mailing list