From: Miroslav Lichvar Date: Tue, 2 Aug 2022 14:51:48 +0000 (+0200) Subject: doc: suggest self-signed certificates for NTS in FAQ X-Git-Tag: 4.3-pre1~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f367efac53c45157807c99de45ce7e721960cf3;p=thirdparty%2Fchrony.git doc: suggest self-signed certificates for NTS in FAQ --- diff --git a/doc/faq.adoc b/doc/faq.adoc index 97cdd43a..732aa804 100644 --- a/doc/faq.adoc +++ b/doc/faq.adoc @@ -703,6 +703,18 @@ was not shut down for too long and the server's certificate was not renewed too close to its expiration, it should be sufficient for the time checks to succeed. +If you run your own server, you can use a self-signed certificate covering +all dates where the client can start (e.g. years 1970-2100). The certificate +needs to be installed on the client and specified with the `ntstrustedcerts` +directive. The server can have multiple names and certificates. To avoid +trusting a certificate for too long, a new certificate can be added to the +server periodically (e.g. once per year) and the client can have the server +name and trusted certificate updated automatically (e.g. using a package +repository, or a cron script downloading the files directly from the server +over HTTPS). A client that was shut down for years will still be able to +synchronise its clock and perform the update as long as the server keeps +the old certificate. + As a last resort, you can disable the time checks by the `nocerttimecheck` directive. This has some important security implications. To reduce the security risk, you can use the `nosystemcert` and `ntstrustedcerts` directives
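Review bot: The new paragraph in the `doc/faq.adoc` hunk should state the trade-off it makes explicit: a self-signed certificate valid for years 1970-2100 effectively removes the expiry check for that key, and the final sentence ("as long as the server keeps the old certificate") means the old private key stays accepted by clients for as long as it is kept, so the periodic addition of a new certificate only limits the trust window if clients also stop trusting the old one. Consider adding a sentence saying that the update mechanism the paragraph recommends (package repository or a cron script fetching over HTTPS) is then the real root of trust for the NTS server identity, and that a script fetching "directly from the server over HTTPS" still relies on the HTTPS certificate being verifiable on a client whose clock may be far off, which is the same bootstrapping problem the FAQ entry is about. A minor wording point: "covering all dates where the client can start" reads more clearly as "covering every date at which the client might start".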