Skip to content

NDNCERT CA Instructions

Jump to bottom
Zhiyi Zhang edited this page Nov 5, 2019 · 7 revisions

NDNCERT CA Manual

This manual shows how to setup certificate authority using NDNCERT. We take a personal CA as an example.

Contents:

  • Prerequisites
  • Setup the CA
  • Publish issued certificate to NDN Repo
  • Add email as an out-of-band identity challenge
  • Checking status of your running CAs
  • Multiple CAs running on same device
  • Derive Client configuration from CA configuration

Prerequisites

  • Your personal certificate /example/KEY/xxxxx/xxx/xxx has been installed in local NDN key chain. To verify this, you can run the following command.
ndnsec-ls-identity [-c] [-k]
  • If you want CA to publish certificate to local repo, have repo-ng running with TCP bulk insertion enabled
  • If you want to use email as out-of-band identity challenge, have SMTP service running (which could either be running locally or remotely, e.g., Sparkpost or other equivalent services)

Setup NDN Testbed CA

Open ndncert NDN CA config file and edit it as:

// ndn.ca.conf
{
    "ca-prefix": "/example",
    "issuing-freshness": "720",
    "validity-period": "360",
    "ca-info": "My Personal CA",
    "supported-challenges":
    [
        { "type": "PIN" }
    ]
}

Then run ndn testbed CA by the following command in terminal:

ndncert-ca-server -c ndn.ca.conf

This will start a NDNCERT daemon. The CA verifies a requester by PIN code and issues certificates under the prefix /example. The maximum validity period that allowed is 360 days.

Publish issued certificate to repo-ng

If repo-ng is already running, you can run NDNCERT CA with options -r.

ndncert-ca-server -f ucla.ca.conf -r

In this way, NDNCERT CA will publish all issued certificate to repo-ng using the default TCP socket localhost:7376. If the running repo-ng is not using default socket, you can specify the host and port with option -H and -P.

ndncert-ca-server -f ucla.ca.conf -r -H yourhost -P yourport

Add email as an out-of-band identity challenge

To add email as a out-of-band challenge, edit the supported-challenges field in your ca conf. Take UCLA ca as an example:

// ucla.ca.conf
{
    "ca-prefix": "/prefix",
    "issuing-freshness": "720",
    "validity-period": "360",
    "ca-info": "My Personal CA",
    "supported-challenges":
    [
      { "type": "PIN" },
      { "type": "Email" }
    ]
}

Then you need to edit ndncert-mail.conf. Please see Deploy Email Challenge for more details.

Checking status of your running CAs

To check the current status of your running CA, use the command 'ndncert-ca-status'. An example is shown as follows.

-> ndncert-ca-status
Request ID: 14655026199427305778	Current Status: 1
Applying CA: /example
Applying for key: /example/12239289238589930647/KEY/%08B%92D%01%CB%09%93/cert-request/%FD%00%00%01lw%BC%933
Challenge remaining tries: 3
Challenge Secret: {
    "pin-code": "876461"
}

CA operator should only give out challenge secret to the requester if you can verify the identify of the requester.

Multiple CAs running on same device

If you want to run multiple CAs on same device, you can just create multiple CA configs and run NDNCERT CA with different -c arguments.

Derive Client configuration from CA configuration

To get client configuration from the CA, there are two options.

option 1

First, the CA operator can manually create a client configuration. To do so, follow the Client configuration format as described in NDNCERT-Client-Configuration and fulfill each attribute in the client configuration:

  • ca-prefix: same as CA config's ca-prefix
  • ca-info: same as CA config's ca-info
  • probe: same as CA config's probe
  • certificate: A base64-format NDN certificate. To get the certificate, the CA operator can run the following command and dump the certificate.
ndnsec-dump-certificate [certificate-name]

The certificate name should be CA's identity's default Key's default certificate. To obtain the certificate name, one can run:

ndnsec-ls-identity -c

option 2

A second option is to send CA an Interest with name /ca/prefix/CA/_PROBE/INFO. To do so, a client can run the NDNCERT client and type in NONE in the CA selection step and then input the target CA prefix manually. After that, the Client Command Line tool will prompt:

Will install new trust anchor, please double check the identity info:
This trust anchor packet is signed by [key-name]
The signing certificate is [certificate bytes]
Do you trust the information? Type in YES or NO

The client should strictly verify the certificate bytes (e.g., through out-of-band means) before type in YES.

Clone this wiki locally