[Nfd-dev] Moving certs around

Burke, Jeff jburke at remap.UCLA.EDU
Sun Sep 11 19:13:59 PDT 2016


Hi Junxiao,

Thanks for the quick reply. Yes, I prefer not to copy them but am having the issues with autopropagation of a subprefix mentioned in my other recent email, and also occasionally need to move certs around to debug things.

Also, thanks for the explanation of ndnsec and reminder about the ndnsec-* way of invoking them. I realize that I have been using ndnsec rather than ndnsec-* so the command-line options weren’t obviously available. (Added a low-priority issue #3777 <https://redmine.named-data.net/issues/3777> about this.) I’ll look there first or in the docs, next time.

Best,
Jeff

From: Junxiao Shi <shijunxiao at email.arizona.edu>
Date: Sunday, September 11, 2016 at 6:06 PM
To: Jeff Burke <jburke at remap.ucla.edu>
Cc: "nfd-dev at lists.cs.ucla.edu" <nfd-dev at lists.cs.ucla.edu>
Subject: Re: [Nfd-dev] Moving certs around

Hi Jeff

It's not recommended to copy private keys across machines. The best practice is to request a different certificate for each machine.

With that being said, ndnsec-export can write a key pair (certificate and private key) into a file protected by a password. This file can then be copied to another machine and installed via the ndnsec-import command. These commands must be called with the "-p" option (to include the private key); they are useless otherwise (they return an error).
An example of using these commands is at https://yoursunny.com/t/2016/nfd-prefix/ in the "where's the key chain" section. The "sudo HOME=/var/lib/ndn/nfd -u ndn" portion is used to select PPA NFD's key chain, and you should omit this part if you are dealing with the user's key chain.

Yours, Junxiao

On Sun, Sep 11, 2016 at 12:50 PM, Burke, Jeff <jburke at remap.ucla.edu> wrote:
Hi folks,

Are there any instructions around on the best/easiest way to move or copy NDN certs (including the private key) from system to system, especially from MacOS to/from tpm-based stores?  (I have a sort of painful method worked out, but was hoping for something easier.)

Thanks,
Jeff