[Nfd-dev] How to start a certificate chain from scratch

Junxiao Shi shijunxiao at email.arizona.edu
Wed Mar 11 13:18:39 PDT 2015


Hi Jiewen

The procedure you provided seems to be generating a new site1 key.
Is it possible to use an existing key pair as the site1 key?
It's okay to re-sign this existing key with root zone's DSK instead of KSK.

Yours, Junxiao

On Wed, Mar 11, 2015 at 12:48 PM, Jiewen Tan <alanwake at ucla.edu> wrote:

> Hi Junxiao,
>
>
>
> Assuming the root key and root certificate are already present in the
> system (PIB),
>
> 1)      Create root zone: /example
>
> a.       ndns-create-zone  /example -k /example/KEY/ksk-1/ID-CERT
>
> Here is to create a zone named /example using a KSK store in the PIB. It
> will also generate a DSK signed by the KSK provided automatically and
> insert the DSK to NDNS database (publish). All other options are set to
> default.
>
> 2)      Publish root certificate: /example/KEY/ksk-1/ID-CERT
>
> a.       ndns-export-certificate /example/KEY/ksk-1/ID-CERT
>
> Here is to export the root certificate to stdout. It can be exported to a
> file by using -f option as well.
>
> b.      ndns-add-rr-from-file /example
>
> Here is to insert the root certificate into NDNS database (publish under
> zone /example). Default is to use stdin as input. So you can just
> copy&paste the output from 2.a. It will terminate with Ctrl+D.
>
> 3)      Create site1 zone: /example/site1
>
> a.       ndns-create-zone  /example/site1
>
> Here, the tool will automatically generate a self-signed KSK and a
> corresponding DSK. Moreover, the DSK will be published automatically.
>
> 4)      Delegate site1 zone from root zone
>
> a.       ndns-add-rr -t resp /example /site1 NS
>
> Here is to add an rrset into zone: /example which has label: /site1 and
> type: /NS. Specifically, the content-type of the rrset is set to resp which
> indicates the existence of zone /example/site1. Now the delegation is
> completed. However, if the site zone is a leaf zone, a TXT type rrset is
> preferred.
>
> 5)       Publish site1 certificate: /example/KEY/site1/ksk-2/ID-CERT
>  (Site1’s KSK needs to be published in its parent zone, i.e. root zone.)
>
> a.       ndns-export-certificate /example/KEY/site1/ksk-2/ID-CERT -f
> site1.cert
>
> Export the certificate from site1 zone.
>
> b.      Pass the certificate to the parent zone, i.e. root zone here.
> (Use whatever methods you prefer)
>
> c.       ndns-add-rr-from-file /example -f site1.cert
>
> Here the tool will resign the certificate with the zone’s DSK such that an
> authentication chain can be established. After that, it will publish the
> certificate in the NDNS database with label set to /site1/ksk-2 and type
> set to ID-CERT.
>
> 6)      Publish user1 certificate: /example/site1/KEY/user1/ksk-3/ID-CERT
> (Assuming it is stored as user1.cert)
>
> a.       ndns-add-rr-from-file /example/site1 -f user1.cert
>
> Note again, this operation needs to be done in the parent zone, i.e.
> /example/site1.
>
>
>
> In NDNS, publishing a certificate essentially means inserting the
> certificate into the NDNS database as an ID-CERT rrset. Therefore, I use these
> two terms interchangeably here.
>
>
>
> Thank you for asking this question. I will try to make the answer as
> complete as possible and post this answer on the ndns-tr as appendix.
>
>
>
> BTW, Xiaoke please make any supplement to my explanation if necessary.
>
>
>
> Regards,
>
> Jiewen Tan
>
> *From:* Junxiao Shi [mailto:shijunxiao at email.arizona.edu]
> *Sent:* Wednesday, March 11, 2015 11:56 AM
> *To:* <nfd-dev at lists.cs.ucla.edu>
> *Cc:* Xiaoke Jiang; Jiewen Tan
> *Subject:* Re: [Nfd-dev] How to start a certificate chain from scratch
>
>
>
> Hi Xiaoke/Jiewen
>
> (correcting a typo below)
>
>
>
> Thanks for your examples. However, I need to start from scratch. Suppose:
>
> ·  root/site/user certificates are created according to
> http://www.lists.cs.ucla.edu/pipermail/nfd-dev/2014-November/000616.html
>
> ·  Two machines have NDNS package installed. One is to host root zone,
> the other is to host site1 zone.
>
> I need the commands to:
>
> ·  create root zone: /example
>
> ·  publish root certificate: /example/KEY/ksk-1/ID-CERT
>
> ·  create site1 zone: /example/site1
>
> ·  delegate site1 zone from root zone
>
> ·  publish site1 certificate: /example/KEY/site1/ksk-2/ID-CERT (should
> this be published at root zone or site1 zone?)
>
> ·  publish user1 certificate: /example/site1/KEY/user1/ksk-3/ID-CERT
>
>
>
> Yours, Junxiao
>
> On Wed, Mar 11, 2015 at 11:39 AM, Xiaoke Jiang <shock.jiang at gmail.com> wrote:
>
> Hi Junxiao,
>
> There are two ways to insert a certificate into NDNS, one is to embed it
> in update message and deliver it to name server, and the other is calling
> management tool to modify the local database directly.
>
> I present an example to show the two ways, assuming the certificate is named
> /ndn/edu/ucla/KEY/bob/dsk-1420913151451/ID-CERT/%FD%00%00%01J%D5%06%0F%C8,
> and stored in the local file ndn.edu.ucla.bob.cert
>
> 1) sending update message locally or remotely: ndns-update -f ndn.edu.ucla.bob.cert
>
> 2) calling management tool locally: ndns-add-rr-from-file /ndn/edu/ucla -f ndn.edu.ucla.bob.cert
>
>
>
> And the management tool that removes it is: ndns-remove-rr /ndn/edu/ucla /bob/dsk-1420913151451 ID-CERT.
>
> As to removing it remotely, an authorized party should send an update message
> embedding an NDNS-NACK with the same name prefix but a greater version number.
>
>
>
> Note that the certificates issued by the NDN Testbed are automatically stored
> in the NDNS instance hosted on the testbed.
>
>
>
> Xiaoke (Shock)
>
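The thread's steps 4 to 6 and Xiaoke's remove example all follow one naming rule: a certificate named <zone>/KEY/<label>/ID-CERT[/<version>] is published in <zone> as an rrset with label /<label> and type ID-CERT, which is what settles Junxiao's "root zone or site1 zone?" question. The following Python is an added example, not code from the thread or from the NDNS project: it parses a certificate name into (zone, label, type, version) under that rule and prints the matching ndns-add-rr-from-file / ndns-remove-rr / ndns-add-rr command lines as strings, without invoking the tools. The function names, the CertRecord type and the sample names in the walk-through are this example's own; the sample names are taken from the messages above.

```python
"""Work out where an NDNS certificate is published and which management
command publishes or removes it.

Naming rule (as used in the thread):
    <zone>/KEY/<label...>/ID-CERT[/<version>]
is published in <zone> as an rrset with label /<label...> and type ID-CERT.
Function names and the CertRecord type are this example's own inventions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CertRecord:
    zone: str               # zone that holds the rrset (the key owner's parent)
    label: str              # rrset label inside that zone, e.g. /site1/ksk-2
    rrtype: str             # rrset type; always "ID-CERT" for certificates
    version: Optional[str]  # trailing version component, if the name has one


def split_name(name: str) -> List[str]:
    """Split a textual NDN name into components, dropping empty ones."""
    if not name.startswith("/"):
        raise ValueError(f"NDN name must start with '/': {name!r}")
    return [c for c in name.split("/") if c]


def join_name(components: List[str]) -> str:
    """Inverse of split_name; the empty list is the root name '/'."""
    return "/" + "/".join(components)


def locate_cert(cert_name: str) -> CertRecord:
    """Map a certificate name onto (zone, label, type, version).

    The first KEY component ends the zone; the components between KEY and
    ID-CERT form the label; at most one component (the version) may follow.
    """
    comps = split_name(cert_name)
    if "KEY" not in comps:
        raise ValueError(f"not a key name (no KEY component): {cert_name}")
    k = comps.index("KEY")
    rest = comps[k + 1:]
    if "ID-CERT" not in rest:
        raise ValueError(f"not a certificate name (no ID-CERT after KEY): {cert_name}")
    c = rest.index("ID-CERT")
    label, tail = rest[:c], rest[c + 1:]
    if not label:
        raise ValueError(f"no key label between KEY and ID-CERT: {cert_name}")
    if len(tail) > 1:
        raise ValueError(f"unexpected components after ID-CERT: {cert_name}")
    return CertRecord(
        zone=join_name(comps[:k]),
        label=join_name(label),
        rrtype="ID-CERT",
        version=tail[0] if tail else None,
    )


def is_cert_name(name: str) -> bool:
    """True if the name parses as a certificate name under the rule above."""
    try:
        locate_cert(name)
        return True
    except ValueError:
        return False


def publish_command(cert_name: str, cert_file: str) -> str:
    """Command that inserts the certificate into its zone (steps 5c / 6a)."""
    rec = locate_cert(cert_name)
    return f"ndns-add-rr-from-file {rec.zone} -f {cert_file}"


def remove_command(cert_name: str) -> str:
    """Command that removes the certificate's rrset from the local database."""
    rec = locate_cert(cert_name)
    return f"ndns-remove-rr {rec.zone} {rec.label} {rec.rrtype}"


def delegation_command(child_zone: str) -> str:
    """NS delegation of a child zone from its parent zone (step 4a)."""
    comps = split_name(child_zone)
    if not comps:
        raise ValueError("the root zone has no parent to delegate from")
    parent, child = join_name(comps[:-1]), join_name(comps[-1:])
    return f"ndns-add-rr -t resp {parent} {child} NS"


if __name__ == "__main__":
    # Constructed walk-through using the certificate names from the thread.
    for name, cert_file in [
        ("/example/KEY/site1/ksk-2/ID-CERT", "site1.cert"),
        ("/example/site1/KEY/user1/ksk-3/ID-CERT", "user1.cert"),
    ]:
        rec = locate_cert(name)
        print(f"{name}\n  -> zone {rec.zone}, label {rec.label}, type {rec.rrtype}")
        print("  publish:", publish_command(name, cert_file))
        print("  remove: ", remove_command(name))
    print("delegate:", delegation_command("/example/site1"))
```

Running it prints that /example/KEY/site1/ksk-2/ID-CERT belongs in zone /example (label /site1/ksk-2) and /example/site1/KEY/user1/ksk-3/ID-CERT in zone /example/site1 (label /user1/ksk-3), i.e. each certificate is published one level above its owner, which is why the tool must be run in the parent zone. Names without a KEY component, or with nothing between KEY and ID-CERT, are rejected rather than silently mapped to the wrong zone.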