If I read things correctly, you are signing the server's certificate with your root certificate. I tested with an intermediate cert in there. I don't know any reason your case won't work, but it's not how I tested things.
[on server]
> 2020-05-07T16:24:58 ntpd[27974]: NTS: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca

I think the "alert" is trying to tell you that it is relaying a message from the client. The client bailed because it can't verify your certificate.

[on client]
> server pluto nts ca /var/lib/ntp/certs/

That's a directory rather than a file. Again, not how I test things, but I don't see any reason it won't work. I assume you put the server's root certificate in there.

There is some dance you have to go through to set up a directory. OpenSSL uses a hash. There is a utility that finds the certificates and sets up links from the hash name to the real certificate, or something like that. It seemed simpler to avoid that step by using a file rather than a directory.

    server <server-FQDN> nts ca <file-name-for-root-cert>

The name you use on the server line has to match the name in the certificate. Usually, that is a FQDN. I tested using example.com. Again, I don't know any reason why a short name won't work, but it's not how I tested things.

-- 
These are my opinions. I hate spam.

_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
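The three points in the reply above (a root-signed server certificate, the file-versus-hash-directory question for the "nts ca" argument, and the server-line name having to match the certificate) can be checked with plain openssl before touching ntpd. The script below is an added example, not the poster's setup or NTPsec code: it builds a throw-away root and a leaf certificate for the constructed name pluto.example.com, then verifies the leaf the way a client would, once against the root PEM file and once against a directory populated with `openssl rehash` (the "dance" the post mentions), and finally shows that a name that is not in the certificate is rejected even though the chain is fine. Every path and name is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or NTPsec): compare "nts ca <file>"
# with "nts ca <directory>" using nothing but the openssl CLI.
# Names (pluto.example.com, other.example.com) and paths are constructed.
set -eu

nts_ca_demo() {
    work=$(mktemp -d)
    cadir="$work/cadir"
    mkdir "$cadir"

    # Minimal configs so the demo does not depend on the system openssl.cnf.
    cat > "$work/root.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = Demo NTS Root (constructed)
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    cat > "$work/server.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = pluto.example.com
EOF
    # Leaf extensions: the name given on ntpd's "server" line must appear here.
    cat > "$work/server.ext" <<'EOF'
basicConstraints = CA:FALSE
subjectAltName = DNS:pluto.example.com
EOF

    # Root key and self-signed root certificate (the "root certificate" in the post).
    openssl ecparam -name prime256v1 -genkey -noout -out "$work/root.key" 2>/dev/null
    openssl req -x509 -new -key "$work/root.key" -config "$work/root.cnf" \
        -days 30 -out "$work/root.pem" 2>/dev/null

    # Server key, CSR, and a leaf certificate signed directly by the root.
    openssl ecparam -name prime256v1 -genkey -noout -out "$work/server.key" 2>/dev/null
    openssl req -new -key "$work/server.key" -config "$work/server.cnf" \
        -out "$work/server.csr" 2>/dev/null
    openssl x509 -req -in "$work/server.csr" -CA "$work/root.pem" -CAkey "$work/root.key" \
        -CAcreateserial -days 30 -extfile "$work/server.ext" -out "$work/server.pem" 2>/dev/null

    # Option 1: "nts ca <file>", i.e. hand the client the root PEM directly
    # (ntp.conf on the client: server pluto.example.com nts ca /path/to/root.pem).
    file_result=FAIL
    openssl verify -CAfile "$work/root.pem" -verify_hostname pluto.example.com \
        "$work/server.pem" >/dev/null 2>&1 && file_result=OK

    # Option 2: "nts ca <directory>". OpenSSL looks up CA certificates by subject
    # hash, so the directory must be populated with "openssl rehash", which creates
    # <hash>.0 -> root.pem links. Copying the PEM in is not enough on its own.
    cp "$work/root.pem" "$cadir/"
    openssl rehash "$cadir" >/dev/null 2>&1
    links=$(ls "$cadir" | grep -c '\.0$' || true)
    dir_result=FAIL
    openssl verify -CApath "$cadir" -verify_hostname pluto.example.com \
        "$work/server.pem" >/dev/null 2>&1 && dir_result=OK

    # Same trusted root, but a "server" line name that is not in the certificate:
    # the chain verifies, yet the client must still reject the connection.
    name_result=accepted
    openssl verify -CApath "$cadir" -verify_hostname other.example.com \
        "$work/server.pem" >/dev/null 2>&1 || name_result=rejected

    rm -rf "$work"
    echo "file:$file_result dir:$dir_result hashlinks:$links name-mismatch:$name_result"
}

nts_ca_demo
```

The expected line is `file:OK dir:OK hashlinks:1 name-mismatch:rejected`. If the directory variant comes back `FAIL` with `hashlinks:0`, the directory was never rehashed, which is the symptom the "unknown ca" alert in the post points at; if only the name-mismatch check fails, the problem is the server-line name rather than the trust store. `openssl rehash` needs OpenSSL 1.1.0 or newer; older installs ship the equivalent `c_rehash` script.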