# $Id: myrpki.conf 2722 2009-08-31 22:24:48Z sra $
#
# Config file for myrpki.py, myirbe.py, and RPKI daemons when used
# with myrpki.py etc. Notes:
#
# - There's some duplication of settings between some of the sections,
# because each of the several daemons and control programs was
# written as a free-standing program. Lumping all of the config for
# all of them into a single config file is just a convenience for
# simple configurations; in complex cases you might not have any two
# of them running on the same machine.
#
# - This config file is also read by the OpenSSL command line tool
# running under myrpki.py, so syntax must remain compatible with both
# OpenSSL and Python config file parsers, and there's a big chunk of
# OpenSSL voodoo towards the end of this file.
################################################################
[myrpki]
# Settings shared by myrpki.py and myirbe.py. The daemon sections
# further down pull most of their values from here via ${myrpki::name},
# so this is the section to edit for a simple single-host deployment.
# Handle naming hosted resource-holding entity (<self/>) represented
# by this myrpki instance. Syntax is an identifier (ASCII letters,
# digits, hyphen, underscore -- no whitespace, non-ASCII characters,
# or other punctuation). You need to set this.
handle = Me
# Names of various files and directories. Don't change these without
# a good reason.
roa_csv = roas.csv
prefix_csv = prefixes.csv
asn_csv = asns.csv
xml_filename = myrpki.xml
bpki_resources_directory = bpki/resources
bpki_servers_directory = bpki/servers
# Whether you want to run your own copy of rpkid (and irdbd). In
# general, if you're running myirbe.py at all, you want this on.
run_rpkid = true
# DNS hostname and server port numbers for rpkid and irdbd, if you're
# running them. rpkid's server host has to be a publicly reachable
# name to be useful; irdbd's server host should always be localhost
# unless you really know what you are doing. Port numbers can be any
# legal TCP port number that you're not using for something else.
rpkid_server_host = rpkid.example.org
rpkid_server_port = 4404
irdbd_server_host = localhost
irdbd_server_port = 4403
# Whether you want myirbe.py to attempt to configure your own copy of
# pubd. In general, it's best to use your parent's pubd if you can,
# to reduce the overall number of publication sites that relying
# parties need to check, so don't enable this unless you have a good
# reason. See the [pubd] section if you do enable this.
#
# Enabling this when you are -not- running your own copy of pubd will
# cause myirbe.py to fail when it attempts to perform runtime
# configuration of your nonexistent pubd.
#
# NOTE(review): the value shipped below is true even though the text
# above advises against enabling it; set it to false unless you really
# are running pubd.
run_pubd = true
# DNS hostname and server port number for pubd, if you're running it.
# Hostname has to be a publicly reachable name to be useful, port can
# be any legal TCP port number that you're not using for something
# else.
pubd_server_host = pubd.example.org
pubd_server_port = 4402
# Contact information to include in offers of repository service.
# This only matters when we're running pubd. This should be a human
# readable string, perhaps containing an email address or URL.
pubd_contact_info = repo-man@rpki.example.org
# Whether to offer repository service to our children.
# This only matters when we're running pubd.
pubd_offer_service_to_children = true
# Whether you want to run your very own copy of rootd. Don't enable
# this unless you really know what you're doing.
#
# NOTE(review): shipped as true despite the advice above; set this to
# false unless you are actually operating a root (see [rootd]).
run_rootd = true
# Server port number for rootd, if you're running it. This can be any
# legal TCP port number that you're not using for something else.
rootd_server_port = 4401
# Root of local directory tree where pubd (and rootd, sigh) should
# write out published data. You need to configure this, and the
# configuration should match up with the directory where you point
# rsyncd. Neither pubd nor rsyncd much cares -where- you tell them to
# put this stuff, the important thing is that the rsync:// URIs in
# generated certificates match up with the published objects so that
# relying parties can find and verify rpkid's published outputs.
publication_base_directory = publication/
# rsyncd module name corresponding to publication_base_directory, or
# empty string if you want publication_base_directory to correspond to
# the parent of multiple rsyncd modules populated by pubd. The latter
# is "multimodule mode" and is useful if you have strong opinions
# about what the rsync URLs should look like; it requires the rsyncd
# module definitions to line up with the directory names under
# publication_base_directory.
publication_rsync_module = ${myrpki::handle}
# Hostname and optional port number for rsync:// URIs. In most cases
# this should just be the same value as pubd_server_host.
publication_rsync_server = ${myrpki::pubd_server_host}
#################################################################
[rpkid]
# Settings read by rpkid. Everything except the SQL credentials is
# derived from [myrpki] so the two sections cannot drift apart.
# MySQL database name, user name, and password for rpkid to use to
# store its data. You need to configure these.
#
# The password is kept here in cleartext, and the same placeholder
# value appears in [irdbd] and [pubd]: give each daemon its own
# password and keep this file readable only by the accounts that run
# these programs.
sql-database = rpki
sql-username = rpki
sql-password = fnord
# Host and port on which rpkid should listen for HTTPS service
# requests.
server-host = ${myrpki::rpkid_server_host}
server-port = ${myrpki::rpkid_server_port}
# HTTPS service URL rpkid should use to contact irdbd. If irdbd is
# running on the same machine as rpkid, this can and probably should
# be a loopback URL, since nobody but rpkid needs to talk to irdbd.
# This must agree with https-url in [irdbd]; both are built from the
# same two [myrpki] values.
irdb-url = https://${myrpki::irdbd_server_host}:${myrpki::irdbd_server_port}/
# Where rpkid should look for BPKI certs and keys used in the
# left-right protocol. The following values match where myirbe.py
# will have placed things. Don't change these without a reason.
# rpkid-key is rpkid's own private key; the .cer entries are the
# peer certificates it expects to see on the other end.
bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer
rpkid-key = ${myrpki::bpki_servers_directory}/rpkid.key
rpkid-cert = ${myrpki::bpki_servers_directory}/rpkid.cer
irdb-cert = ${myrpki::bpki_servers_directory}/irdbd.cer
irbe-cert = ${myrpki::bpki_servers_directory}/irbe.cer
#################################################################
[irdbd]
# Settings read by irdbd, the internal resource database daemon that
# only rpkid talks to (hence the localhost default in [myrpki]).
# MySQL database name, user name, and password for irdbd to use to
# store its data. You need to configure these.
#
# The password is kept here in cleartext: replace the placeholder with
# a value of its own and keep this file readable only by the accounts
# that run these programs.
sql-database = irdb
sql-username = irdb
sql-password = fnord
# HTTPS service URL irdbd should listen on. This should match the
# irdb-url parameter in the [rpkid] section; see comments there.
https-url = https://${myrpki::irdbd_server_host}:${myrpki::irdbd_server_port}/
# Where irdbd should look for BPKI certs and keys used in the
# left-right protocol. The following values match where myirbe.py
# will have placed things. Don't change these without a reason.
# irdbd-key is irdbd's own private key.
bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer
rpkid-cert = ${myrpki::bpki_servers_directory}/rpkid.cer
irdbd-cert = ${myrpki::bpki_servers_directory}/irdbd.cer
irdbd-key = ${myrpki::bpki_servers_directory}/irdbd.key
#################################################################
[pubd]
# Settings read by pubd, the publication daemon. Only relevant when
# run_pubd is enabled in [myrpki].
# MySQL database name, user name, and password for pubd to use to
# store (some of) its data. You need to configure these.
#
# The password is kept here in cleartext: replace the placeholder with
# a value of its own and keep this file readable only by the accounts
# that run these programs.
sql-database = pubd
sql-username = pubd
sql-password = fnord
# Root of directory tree where pubd should write out published data.
# You need to configure this, and the configuration should match up
# with the directory where you point rsyncd. Neither pubd nor rsyncd
# much cares -where- you tell them to put this stuff, the important
# thing is that the rsync:// URIs in generated certificates match up
# with the published objects so that relying parties can find and
# verify rpkid's published outputs.
publication-base = ${myrpki::publication_base_directory}
# Host and port on which pubd should listen for HTTPS service
# requests.
server-host = ${myrpki::pubd_server_host}
server-port = ${myrpki::pubd_server_port}
# Where pubd should look for BPKI certs and keys used in the
# left-right protocol. The following values match where myirbe.py
# will have placed things. Don't change these without a reason.
# pubd-key is pubd's own private key; irbe-cert is the client
# certificate pubd expects from the control side.
bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer
pubd-cert = ${myrpki::bpki_servers_directory}/pubd.cer
pubd-key = ${myrpki::bpki_servers_directory}/pubd.key
irbe-cert = ${myrpki::bpki_servers_directory}/irbe.cer
#################################################################
[irbe_cli]
# Client-side settings for talking to rpkid and pubd over HTTPS from
# the IRBE side. The irbe.key / irbe.cer pair below is the private
# half of the irbe-cert that [rpkid] and [pubd] are configured to
# accept, so it needs the same file protection as the daemon keys.
# HTTPS service URL for rpkid
rpkid-url = https://${myrpki::rpkid_server_host}:${myrpki::rpkid_server_port}/left-right/
# BPKI certificates and keys for talking to rpkid
rpkid-bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer
rpkid-irbe-key = ${myrpki::bpki_servers_directory}/irbe.key
rpkid-irbe-cert = ${myrpki::bpki_servers_directory}/irbe.cer
rpkid-cert = ${myrpki::bpki_servers_directory}/rpkid.cer
# HTTPS service URL for pubd
pubd-url = https://${myrpki::pubd_server_host}:${myrpki::pubd_server_port}/control/
# BPKI certificates and keys for talking to pubd
pubd-bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer
pubd-irbe-key = ${myrpki::bpki_servers_directory}/irbe.key
pubd-irbe-cert = ${myrpki::bpki_servers_directory}/irbe.cer
pubd-cert = ${myrpki::bpki_servers_directory}/pubd.cer
#################################################################
# You don't need to run rootd unless you're IANA, are certifying
# private address space, or are an RIR which refuses to accept IANA as
# the root of the public address hierarchy.
#
# Ok, if that wasn't enough to scare you off: rootd is a kludge, and
# needs to be rewritten, or, better, merged into rpkid. It does a
# number of things wrong, and requires far too many configuration
# parameters. You have been warned....
[rootd]
# Settings read by rootd. Only relevant when run_rootd is enabled in
# [myrpki]; see the warning above this section first.
# BPKI certificates and keys for rootd
bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer
rootd-bpki-crl = ${myrpki::bpki_servers_directory}/ca.crl
rootd-bpki-cert = ${myrpki::bpki_servers_directory}/rootd.cer
rootd-bpki-key = ${myrpki::bpki_servers_directory}/rootd.key
child-bpki-cert = ${myrpki::bpki_servers_directory}/child.cer
# Server port on which rootd should listen.
server-port = ${myrpki::rootd_server_port}
# Where rootd should write its output. Yes, rootd should be using
# pubd instead of publishing directly, but it doesn't.
rpki-root-dir = ${myrpki::publication_base_directory}
# rsync URI for directory containing rootd's outputs
rpki-base-uri = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/
# rsync URI for rootd's root (self-signed) RPKI certificate
rpki-root-cert-uri = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/root.cer
# Private key corresponding to rootd's root RPKI certificate
#
# NOTE(review): this is the same ca.key filename the [ca] section uses
# as the BPKI CA's private_key (with dir taken from BPKI_DIRECTORY).
# If BPKI_DIRECTORY resolves to bpki_servers_directory, the RPKI root
# key and the BPKI CA key are one and the same file -- confirm that is
# intended rather than a copy-paste default, since a compromise of
# either then exposes both hierarchies.
rpki-root-key = ${myrpki::bpki_servers_directory}/ca.key
# Filename (as opposed to rsync URI) of rootd's root RPKI certificate
rpki-root-cert = ${myrpki::publication_base_directory}/root.cer
# Where rootd should stash a copy of the PKCS #10 request it gets from
# its one (and only) child
rpki-subject-pkcs10 = rootd.subject.pkcs10
# Lifetime of the one and only certificate rootd issues
rpki-subject-lifetime = 30d
# Filename (relative to rpki-base-uri and rpki-root-dir) of the CRL
# for rootd's root RPKI certificate
rpki-root-crl = root.crl
# Filename (relative to rpki-base-uri and rpki-root-dir) of the
# manifest for rootd's root RPKI certificate
rpki-root-manifest = root.mnf
# Up-down protocol class name for RPKI certificate rootd issues to its
# one (and only) child
rpki-class-name = ${myrpki::handle}
# Filename (relative to rpki-base-uri and rpki-root-dir) of the one
# (and only) RPKI certificate rootd issues
rpki-subject-cert = ${myrpki::handle}.cer
# The last four parameters in this section are really parameters for
# myirbe.py to use when constructing rootd's root RPKI certificate,
# via an indirection hack in the OpenSSL voodoo portion of this file
# (see [rootd_x509_extensions]).
# Don't ask why some of these are duplicated from other parameters in
# this section, you don't want to know (really, you don't).
# ASNs to include in rootd's root RPKI certificate, in openssl.conf format
# (the full AS number space, as befits a root).
root_cert_asns = AS:0-4294967295
# IP addresses to include in rootd's root RPKI certificate, in
# openssl.conf format (all of IPv4 and IPv6).
root_cert_addrs = IPv4:0.0.0.0/0,IPv6:0::/0
# Whatever you put in rpki-base-uri, earlier in this section
root_cert_sia = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/
# root_cert_sia + rpki-root-manifest
root_cert_manifest = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/root.mnf
#################################################################
# Constants for OpenSSL voodoo portion of this file, to make them
# easier to find.
[constants]
# Cryptographic parameters referenced as ${constants::name} from the
# [req] and [ca] sections below.
# Digest algorithm. Don't change this.
digest = sha256
# RSA key length. Don't change this.
key_length = 2048
# Lifetime of BPKI certificates (and rootd RPKI root certificate).
# Don't change this unless you know what you're doing.
# days
cert_days = 365
# Lifetime of BPKI CRLs. Don't change this unless you know what
# you're doing.
# days
crl_days = 365
#################################################################
# The rest of this file is OpenSSL configuration voodoo. Don't touch
# anything below here even if you -do- know what you're doing. Even
# by OpenSSL standards, some of this is weird, and interacts in
# non-obvious ways with code in myrpki.py and myirbe.py. If you touch
# this stuff and something breaks, don't say you weren't warned.
[req]
# Parameters for "openssl req" when myrpki.py/myirbe.py generate keys
# and certificate requests. prompt = no takes the DN from [req_dn]
# non-interactively; encrypt_key = no means the generated private keys
# are written to disk without a passphrase, so their protection rests
# entirely on file permissions of the bpki directories.
default_bits = ${constants::key_length}
default_md = ${constants::digest}
distinguished_name = req_dn
prompt = no
encrypt_key = no
[req_dn]
# Placeholder subject DN for certificate requests; only a CN is given,
# which is what [ca_dn_policy] requires.
CN = Dummy name for certificate request
[ca_x509_ext_ee]
# X.509v3 extensions for end-entity BPKI certificates: no
# basicConstraints, so the certificate cannot act as a CA.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ca_x509_ext_xcert0]
# X.509v3 extensions for BPKI cross-certificates that may not issue
# further CA certificates (pathlen:0).
basicConstraints = critical,CA:true,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ca_x509_ext_xcert1]
# X.509v3 extensions for BPKI cross-certificates allowed one further
# level of CA certificate below them (pathlen:1).
basicConstraints = critical,CA:true,pathlen:1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ca_x509_ext_ca]
# X.509v3 extensions for BPKI CA certificates with no path length
# limit.
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ca]
# Parameters for "openssl ca" when myirbe.py issues BPKI certificates
# and CRLs. The section names itself as default_ca so the same block
# serves both roles.
default_ca = ca
# Working directory of the BPKI CA, taken from the BPKI_DIRECTORY
# environment variable when OpenSSL runs (presumably exported by
# myirbe.py for each BPKI directory in turn -- confirm in the caller).
# The CA's own private key lives here as ca.key, unencrypted per the
# [req] settings, so this directory must not be readable by other
# accounts.
dir = ${ENV::BPKI_DIRECTORY}
new_certs_dir = $dir
database = $dir/index
certificate = $dir/ca.cer
private_key = $dir/ca.key
default_days = ${constants::cert_days}
default_crl_days = ${constants::crl_days}
default_md = ${constants::digest}
policy = ca_dn_policy
# Allow several valid certificates with the same subject DN in the
# index; needed because every request carries the same dummy CN from
# [req_dn].
unique_subject = no
serial = $dir/serial
crlnumber = $dir/crl_number
[ca_dn_policy]
# Subject DN policy for "openssl ca": only commonName must be present
# in the request; every other attribute is optional and copied through
# if supplied.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
givenName = optional
surname = optional
[rootd_x509_extensions]
# X.509v3 extensions for rootd's self-signed RPKI root certificate.
# The resource and URI values are pulled from the root_cert_* keys at
# the end of [rootd]; this is the "indirection hack" mentioned there.
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
keyUsage = critical,keyCertSign,cRLSign
# SIA: 1.3.6.1.5.5.7.48.5 is id-ad-caRepository (the publication
# point), 1.3.6.1.5.5.7.48.10 is id-ad-rpkiManifest.
subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:${rootd::root_cert_sia},1.3.6.1.5.5.7.48.10;URI:${rootd::root_cert_manifest}
# RFC 3779 resource extensions; with the [rootd] defaults these grant
# the entire AS number and IP address space, as befits a root.
sbgp-autonomousSysNum = critical,${rootd::root_cert_asns}
sbgp-ipAddrBlock = critical,${rootd::root_cert_addrs}
# 1.3.6.1.5.5.7.14.2 is id-cp-ipAddr-asNumber, the RPKI certificate
# policy OID.
certificatePolicies = critical,1.3.6.1.5.5.7.14.2