On Tue, Feb 2, 2021 at 5:04 PM Miroslav Lichvar <mlich...@redhat.com> wrote:
>
> I'd like to add support for multiple keys to the NTS server to enable
> virtual hosting as is common with web servers. A use case which I
> thought it could enable would be servers that run only for a limited
> time to support different products or versions of the product (like an
> OS), where each has its own certificate included in the installation
> and is fully trusted to avoid the issues with wrong or missing RTC and
> failing time checks in certificate verification. This would allow the
> server keys to be rotated as the products/versions reach their
> end-of-line and it would also limit the number of devices that need to
> be updated/fixed when a key is compromised.
>
> I'm not sure how it should be configured. I see the following options:
>
> 1) allow multiple files to be specified in ntsservercert and
>    ntsserverkey directives
>    - long lines are not great for inspection and editing
>    - maximum number of keys/certs is limited by the maximum line length
> 2) allow multiple ntsserverkey/ntsservercert directives
>    - sensitive to order (few directives in chrony have this property)
> 3) allow glob patterns in ntsserverkey/ntsservercert directive
>    - certs and keys need to have the same naming scheme to pair correctly
>
> I think 1) is just not acceptable. From 2) and 3) I'm not sure what is
> better.
>
> For example:
>
> ntsservercert /etc/pki/tls/certs/nts-1.example.net
> ntsserverkey /etc/pki/tls/private/nts-1.example.net
> ntsservercert /etc/pki/tls/certs/nts-2.example.net
> ntsserverkey /etc/pki/tls/private/nts-2.example.net
> ntsservercert /etc/pki/tls/certs/nts-3.example.net
> ntsserverkey /etc/pki/tls/private/nts-3.example.net
>
> vs
>
> ntsservercert /etc/pki/tls/certs/nts-*.example.net
> ntsserverkey /etc/pki/tls/private/nts-*.example.net
>
> Any suggestions?
You already have subfile inclusion with globbing like
"include /etc/chrony/chrony.d/*.conf". Which means users could keep each
individual cert-config small and simple - also less in-file-edit if you
programmatically place&remove them. But for that to help in this case it
would have to be option (2) of your list.

Also TBH, (2) and (3) are not mutually exclusive - so you could do a
combination of the two. But if I'd have to select just one I'd personally
pick (2) for helping me with the split-config-files approach.

Just an opinion while doing the morning-mail-check - kind regards,
Christian

> --
> Miroslav Lichvar
>
> --
> To unsubscribe email chrony-dev-requ...@chrony.tuxfamily.org with
> "unsubscribe" in the subject.
> For help email chrony-dev-requ...@chrony.tuxfamily.org with "help" in the
> subject.
> Trouble? Email listmas...@chrony.tuxfamily.org.

--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
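The two configuration styles debated in the thread (ordered directive pairs, option 2, versus pairing by a shared naming scheme, option 3) together with Christian's per-cert drop-in idea, modelled as an added example that is not chrony's own code: it expands an include glob over constructed in-memory drop-in files, then pairs certificates with keys by directive order and by basename, so the effect of one drop-in missing its ntsserverkey line can be compared. All paths, file names and file contents are constructed for illustration.

```python
import fnmatch
import os
# Constructed in-memory "filesystem" (path -> content) so this runs offline;
# one drop-in file per certificate/key pair, pulled in via an include glob.
FILES = {
    "/etc/chrony.conf": "include /etc/chrony/chrony.d/*.conf\n",
    "/etc/chrony/chrony.d/nts-1.conf":
        "ntsservercert /etc/pki/tls/certs/nts-1.example.net\n"
        "ntsserverkey /etc/pki/tls/private/nts-1.example.net\n",
    # Deliberately broken drop-in: its ntsserverkey line was left out.
    "/etc/chrony/chrony.d/nts-2.conf":
        "ntsservercert /etc/pki/tls/certs/nts-2.example.net\n",
    "/etc/chrony/chrony.d/nts-3.conf":
        "ntsservercert /etc/pki/tls/certs/nts-3.example.net\n"
        "ntsserverkey /etc/pki/tls/private/nts-3.example.net\n",
}

def read_config(path, files=FILES):
    """Yield (directive, argument), expanding 'include <glob>' in sorted order."""
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, _, arg = line.partition(" ")
        if directive == "include":
            for inc in sorted(p for p in files if fnmatch.fnmatch(p, arg)):
                yield from read_config(inc, files)
        else:
            yield directive, arg.strip()

def pair_by_order(directives):
    """Option 2: the n-th ntsservercert goes with the n-th ntsserverkey.
    One missing key shifts every later pairing and mis-pairs it silently."""
    certs = [a for d, a in directives if d == "ntsservercert"]
    keys = [a for d, a in directives if d == "ntsserverkey"]
    return list(zip(certs, keys)), certs[len(keys):] + keys[len(certs):]

def pair_by_name(certs, keys):
    """Option 3: pair by basename, the naming scheme a glob approach needs anyway.
    Order is irrelevant and the broken entry is reported instead of mis-paired."""
    by_name = {os.path.basename(k): k for k in keys}
    pairs, unpaired = [], []
    for cert in certs:
        key = by_name.pop(os.path.basename(cert), None)
        if key is None:
            unpaired.append(cert)
        else:
            pairs.append((cert, key))
    unpaired.extend(by_name.values())  # keys with no matching certificate
    return pairs, unpaired
```

With the broken nts-2 drop-in, pair_by_order hands the nts-2 certificate the nts-3 key and reports only nts-3 as unpaired, while pair_by_name reports nts-2 as the unpaired entry.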