NDN Certification Framework (ndncert)


  • ndn-cxx, NFD

    sudo apt-get install ndn-cxx ndn-cxx-dev nfd
  • repo-ng with proper config

    Repo will hold/serve issued certificates for the site:

    sudo apt-get install repo-ng

    Make sure that repo's config (/etc/ndn/repo-ng.conf) looks like the following (only needs to be changed, the rest should be the same).

        prefix "ndn:/ndn/edu/ucla/KEY"
        ; prefix "ndn:/ndn/<site-name>/KEY"
        prefix "ndn:/localhost/repo-ng"
        method "sqlite"              ; Currently, only sqlite storage engine is supported
        path "/var/lib/ndn/repo-ng"  ; path to repo-ng storage folder
        max-packets 1000000
        tcp_bulk_insert {
          host "localhost"  ; Set to listen on different IP address or hostname
          port 7376         ; Set to listen on different port number
        }
        trust-anchor {
          type any
        }

    Restart repo-ng (or the system) after making changes to the config file:

    sudo restart repo-ng
  • Installed custom fork of PyNDN2 (! using python 2.7)

    git clone
    cd PyNDN2
    sudo python setup.py install
  • ndnop-process-requests script installed somewhere in the security operator's PATH

    sudo curl -L > /usr/local/bin/ndnop-process-requests
    sudo chmod +x /usr/local/bin/ndnop-process-requests

Certificate generation

"Ideally", the procedure has to be done by the designated security operator himself.
Performing this procedure on the testbed hub is just a "convenience" for the time being; "ideally", all signing should be performed elsewhere.

NOTE: The following commands must be performed under a designated ndncert user.
If the ssh login is different, sudo su - ndncert must be used to switch to the account (! not just sudo ndncert).

Automated using ndncert

  1. Go to

  2. Enter <site-name> as email. For example:

  3. Proceed to certificate request upload page (email verification is disabled for

  4. Install certificate using the command received from the NDN testbed root operator:



  1. Generate key pair and certification request:

    ndnsec-keygen /ndn/edu/<name>

    <name> is something like: wustl, colostate, umich, ...

    The output of this command is a certification request. If the signing request needs to be recreated for an existing identity (one from the ndnsec-ls-identity list), the following command can be used:

    ndnsec-sign-req /ndn/edu/<name>

    The signing request should be sent to the NDN trust root (Alex Afanasyev right now).

  2. The root operator will return a signed certificate (e.g., umich.ndncert). Do the following with the file:

    ndnsec-install-cert <received-file>

Security operator actions

When a user requests a certificate, the operator gets an email alerting them and instructing them to run ndnop-process-requests on their node.
The operator just needs to ssh to the node, sudo su - ndncert, and issue

    ndnop-process-requests

If there are pending requests, the script will guide the operator through accepting or rejecting each one.
When a request is accepted, the certificate will be created, published to the local repo (using the tcp-bulk-insert protocol; make sure that repo-ng is running before ndnop-process-requests is run), and uploaded to the web system for the user to download.
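
The repo-ng caveat above can be checked before the operator starts processing requests. The following is an added example, not part of ndncert or the original page; the function names, return codes and the use of nc are assumptions, and the sample config is constructed from the settings shown earlier.

```shell
#!/bin/sh
# Added example (not part of ndncert): preflight checks before ndnop-process-requests.

# Constructed sample mirroring the settings shown on this page (for a dry run).
sample_conf() {
cat <<'EOF'
prefix "ndn:/ndn/edu/ucla/KEY"
; prefix "ndn:/ndn/<site-name>/KEY"
prefix "ndn:/localhost/repo-ng"
tcp_bulk_insert {
  host "localhost"  ; Set to listen on different IP address or hostname
  port 7376  ; Set to listen on different port number
}
EOF
}

# conf_value FILE KEY: print the value of the first uncommented "KEY value" line.
conf_value() {
    awk -v key="$2" '
        { sub(/;.*/, "") }                       # strip ";" comments
        $1 == key { gsub(/"/, "", $2); print $2; exit }
    ' "$1"
}

# conf_has_prefix FILE PREFIX: succeed if an uncommented prefix line equals PREFIX.
conf_has_prefix() {
    awk -v want="$2" '
        { sub(/;.*/, "") }
        $1 == "prefix" { gsub(/"/, "", $2); if ($2 == want) found = 1 }
        END { exit !found }
    ' "$1"
}

# preflight SITE [CONF]: 0 = ready, 2 = prefix missing, 3 = wrong user, 4 = repo down.
preflight() {
    site=$1; conf=${2:-/etc/ndn/repo-ng.conf}
    conf_has_prefix "$conf" "ndn:/ndn/$site/KEY" ||
        { echo "repo-ng does not serve ndn:/ndn/$site/KEY" >&2; return 2; }
    [ "$(id -un)" = "ndncert" ] ||
        { echo "switch user first: sudo su - ndncert" >&2; return 3; }
    host=$(conf_value "$conf" host); port=$(conf_value "$conf" port)
    # Assumption: nc (netcat) is installed; -z only tests that the port accepts TCP.
    nc -z "${host:-localhost}" "${port:-7376}" ||
        { echo "repo-ng bulk-insert port is closed; restart repo-ng" >&2; return 4; }
}

# Typical use: preflight edu/ucla && ndnop-process-requests
```

A commented-out prefix line (such as the <site-name> template) is deliberately not counted as a served prefix.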

