authorRob Austein <sra@hactrn.net>2009-10-01 04:34:06 +0000
committerRob Austein <sra@hactrn.net>2009-10-01 04:34:06 +0000
commit73fad9b9c352d6c4c2aec7c0e2a8afbd57f56cd5 (patch)
tree92c7877a1821778c26f98d77d0ce10c0c9d15ea4
parent5054faad366e7d1f1544af4c2b45357acdd4afea (diff)
Add a lot of comments to myrpki/examples/myrpki.conf, and reorder
sections to make it a bit easier to find the useful parts. svn path=/myrpki/arin-rootcert.py; revision=2803
-rw-r--r--myrpki/arin-rootcert.py7
-rw-r--r--myrpki/examples/myrpki.conf397
-rw-r--r--myrpki/myrpki.conf182
-rw-r--r--myrpki/yamltest.py8
4 files changed, 317 insertions, 277 deletions
diff --git a/myrpki/arin-rootcert.py b/myrpki/arin-rootcert.py
index c35b323d..5b1c69e3 100644
--- a/myrpki/arin-rootcert.py
+++ b/myrpki/arin-rootcert.py
@@ -40,15 +40,10 @@ basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
keyUsage = critical,keyCertSign,cRLSign
subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://arin.rpki.net/arin/,1.3.6.1.5.5.7.48.10;URI:rsync://arin.rpki.net/arin/root.mnf
-certificatePolicies = critical, @rpki_certificate_policy
-
+certificatePolicies = critical,1.3.6.1.5.5.7.14.2
sbgp-autonomousSysNum = critical,@rfc3779_asns
sbgp-ipAddrBlock = critical,@rfc3997_addrs
-[rpki_certificate_policy]
-
-policyIdentifier = 1.3.6.1.5.5.7.14.2
-
[rfc3779_asns]
'''
diff --git a/myrpki/examples/myrpki.conf b/myrpki/examples/myrpki.conf
index 79037874..a61175a1 100644
--- a/myrpki/examples/myrpki.conf
+++ b/myrpki/examples/myrpki.conf
@@ -1,12 +1,43 @@
# $Id: myrpki.conf 2722 2009-08-31 22:24:48Z sra $
#
-# Config file for myrpi.py; note that this is also read by the OpenSSL
-# command line tool running under mypki.py, so syntax must remain
-# compatable with both OpenSSL and Python config file parsers, and
-# large portions of this are OpenSSL voodoo.
+# Config file for myrpki.py, myirbe.py, and RPKI daemons when used
+# with myrpki.py etc. Notes:
+#
+# - There's some duplication of settings between some of the sections,
+# because each of the several daemons and control programs was
+# written as a free-standing program. Lumping all of the config for
+# all of them into a single config file is just a convenience for
+# simple configurations; in complex cases you might not have any two
+# of them running on the same machine.
+#
+# - This config file is also read by the OpenSSL command line tool
+# running under mypki.py, so syntax must remain compatable with both
+# OpenSSL and Python config file parsers, and there's a big chunk of
+# OpenSSL voodoo towards the end of this file.
+
+################################################################
[myrpki]
+
+# Handle naming hosted resource-holding entity (<self/>) represented
+# by this myrpki instance. You need to set this.
+
handle = Me
+
+# BPKI trust anchor for the repository in which this <self/> will be
+# publishing its outputs. You need to set this.
+
+repository_bpki_certificate = repository-ta.cer
+
+# Name by which repository will know this <self/>. This may be a
+# structured handle, eg, "Grandma/Mom/Me" or might be a simple handle,
+# depending on how the repository is set up. You need to set this.
+
+repository_handle = Me
+
+# Names of various input and output files. Don't change these without
+# a good reason.
+
roa_csv = roas.csv
children_csv = children.csv
parents_csv = parents.csv
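Review bot: The rewritten header comment still carries two typos from the old one: `# running under mypki.py, so syntax must remain compatable with both` names the program as `mypki.py` one line after correctly calling it `myrpki.py`, and `compatable` should be `compatible`. Suggest `# running under myrpki.py, so syntax must remain compatible with both`. Nothing else in this hunk changes behaviour; the rest is comments and the two keys moved up from the end of the section.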
@@ -14,135 +45,186 @@ prefix_csv = prefixes.csv
asn_csv = asns.csv
xml_filename = myrpki.xml
bpki_directory = bpki.myrpki
-repository_bpki_certificate = bpki.pubd/ca.cer
-repository_handle = Me
-[constants]
-digest = sha256
-key_length = 2048
-cert_days = 365
-crl_days = 365
+#################################################################
[myirbe]
-irdbd_conf = irdbd.conf
-bpki_directory = bpki.myirbe
-want_pubd = true
-want_rootd = true
-pubd_base = https://localhost:4402
-rpkid_base = https://localhost:4404
-[req]
-default_bits = ${constants::key_length}
-default_md = ${constants::digest}
-distinguished_name = req_dn
-prompt = no
-encrypt_key = no
+# Base of service URL for pubd. myirbe.py uses this value to
+# configure <repository/> objects in rpkid. If you are running your
+# own copy of pubd (see "want_pubd"), myirbe.py also uses this to
+# contact your copy of pubd in order to configure it.
+#
+# You need to configure this.
-[req_dn]
-CN = Dummy name for certificate request
+pubd_base = https://pubd.example.org:4402/
-[ca_x509_ext_ee]
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
+# Base of service URL for rpkid. myirbe.py uses this to contact your
+# rpkid so it can configure it.
+#
+# You need to configure this.
-[ca_x509_ext_xcert0]
-basicConstraints = critical,CA:true,pathlen:0
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
+rpkid_base = https://rpkid.example.org:4404
-[ca_x509_ext_xcert1]
-basicConstraints = critical,CA:true,pathlen:1
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
+# Whether you want myirbe.py to attempt to configure your own copy of
+# pubd. In general, it's best to use your parent's pubd if you can,
+# to reduce the overall number of publication sites that relying
+# parties need to check, so don't enable this unless you have a good
+# reason. See the [pubd] section if you do enable this.
+#
+# Enabling this when you are -not- running your own copy of pubd will
+# cause myirbe.py to fail when it attempts to perform runtime
+# configuration of your nonexistant pubd.
-[ca_x509_ext_ca]
-basicConstraints = critical,CA:true
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
+want_pubd = false
-[ca]
-default_ca = ca
-dir = ${ENV::BPKI_DIRECTORY}
-new_certs_dir = $dir
-database = $dir/index
-certificate = $dir/ca.cer
-private_key = $dir/ca.key
-default_days = ${constants::cert_days}
-default_crl_days = ${constants::crl_days}
-default_md = ${constants::digest}
-policy = ca_dn_policy
-unique_subject = no
-serial = $dir/serial
-crlnumber = $dir/crl_number
+# Whether you want myirbe.py to generate BPKI certs for running your
+# very own copy of rootd. Don't enable this unless you really know
+# what you're doing. See [rootd] section below for further comments.
-[ca_dn_policy]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-givenName = optional
-surname = optional
+want_rootd = false
+
+# Where to put BPKI stuff for the IRBE operator (entity that operates
+# rpkid etc). Don't change this without a reason.
+
+bpki_directory = bpki.myirbe
+
+#################################################################
[rpkid]
+# MySQL database name, user name, and password for rpkid to use to
+# store its data. You need to configure these.
+
sql-database = rpki
sql-username = rpki
sql-password = fnord
+
+# Host and port on which rpkid should listen for HTTPS service
+# requests. These should match rpkid_base in the [myirbe] section.
+# You need to configure these.
+
+server-host = rpkid.example.org
+server-port = 4404
+
+# HTTPS service URL rpkid should use to contact irdbd. If irdbd is
+# running on the same machine as rpkid, this can and probably should
+# be a loopback URL, since nobody but rpkid needs to talk to irdbd.
+
+irdb-url = https://localhost:4403/
+
+# Where rpkid should look for BPKI certs and keys used in the
+# left-right protocol. The following values match where myirbe.py
+# will have placed things. Don't change these without a reason.
+
bpki-ta = bpki.myirbe/ca.cer
rpkid-key = bpki.myirbe/rpkid.key
rpkid-cert = bpki.myirbe/rpkid.cer
irdb-cert = bpki.myirbe/irdbd.cer
irbe-cert = bpki.myirbe/irbe.cer
-irdb-url = https://localhost:4403/
-server-host = localhost
-server-port = 4404
+
+#################################################################
[irdbd]
+# MySQL database name, user name, and password for irdbd to use to
+# store its data. You need to configure these.
+
sql-database = irdb
sql-username = irdb
sql-password = fnord
+
+# HTTP service URL irdbd should listen on. This should match the
+# irdb-url parameter in the [rpkid] section; see comments there.
+
+https-url = https://localhost:4403/
+
+# Where irdbd should look for BPKI certs and keys used in the
+# left-right protocol. The following values match where myirbe.py
+# will have placed things. Don't change these without a reason.
+
bpki-ta = bpki.myirbe/ca.cer
rpkid-cert = bpki.myirbe/rpkid.cer
irdbd-cert = bpki.myirbe/irdbd.cer
irdbd-key = bpki.myirbe/irdbd.key
-https-url = https://localhost:4403/
+
+#################################################################
[pubd]
-startup-message = This is pubd
+# MySQL database name, user name, and password for pubd to use to
+# store (some of) its data. You need to configure these.
sql-database = pubd
sql-username = pubd
sql-password = fnord
+
+# Root of directory tree where pubd should write out published data.
+# You need to configure this, and the configuration should match up
+# with the directory where you point rsyncd. Neither pubd nor rsyncd
+# much cares -where- you tell them to put this stuff, the important
+# thing is that the rsync:// URIs in generated certificates match up
+# with the published objects so that relying parties can find and
+# verify rpkid's published outputs.
+
+publication-base = publication/
+
+# Host and port on which pubd should listen for HTTPS service
+# requests. These should match pubd_base in the [myirbe] section.
+# You need to configure these.
+
+server-host = pubd.example.org
+server-port = 4402
+
+# Where pubd should look for BPKI certs and keys used in the
+# left-right protocol. The following values match where myirbe.py
+# will have placed things. Don't change these without a reason.
+
bpki-ta = bpki.myirbe/ca.cer
pubd-cert = bpki.myirbe/pubd.cer
pubd-key = bpki.myirbe/pubd.key
irbe-cert = bpki.myirbe/irbe.cer
-server-host = localhost
-server-port = 4402
-publication-base = publication/
+
+#################################################################
[irbe_cli]
+# HTTPS service URL for rpkid
+
+rpkid-url = https://rpkid.example.org:4404/left-right/
+
+# BPKI certificates and keys for talking to rpkid
+
rpkid-bpki-ta = bpki.myirbe/ca.cer
rpkid-irbe-key = bpki.myirbe/irbe.key
rpkid-irbe-cert = bpki.myirbe/irbe.cer
rpkid-cert = bpki.myirbe/rpkid.cer
-rpkid-url = https://localhost:4404/left-right/
+
+# HTTPS service URL for pubd
+
+pubd-url = https://localhost:4402/control/
+
+# BPKI certificates and keys for talking to pubd
pubd-bpki-ta = bpki.myirbe/ca.cer
pubd-irbe-key = bpki.myirbe/irbe.key
pubd-irbe-cert = bpki.myirbe/irbe.cer
pubd-cert = bpki.myirbe/pubd.cer
-pubd-url = https://localhost:4402/control/
+
+#################################################################
+
+# You don't need to run rootd unless you're IANA, are certifying
+# private address space, or are an RIR which refuses to accept IANA as
+# the root of the public address hierarchy.
+#
+# Ok, if that wasn't enough to scare you off: rootd is a kludge, and
+# needs to be rewritten, or, better, merged into rpkid. It does a
+# number of things wrong, and requires far too many configuration
+# parameters. You have been warned....
[rootd]
-startup-message = This is rootd
+# BPKI certificates and keys for rootd
bpki-ta = bpki.myirbe/ca.cer
rootd-bpki-crl = bpki.myirbe/ca.crl
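Review bot: `pubd-url = https://localhost:4402/control/` in [irbe_cli] is the only service URL this hunk leaves on localhost: `pubd_base` in [myirbe] and `server-host` in [pubd] now say pubd.example.org, and the sibling `rpkid-url` in the same section was moved to rpkid.example.org, so the example contradicts its own "These should match pubd_base" guidance; suggest `pubd-url = https://pubd.example.org:4402/control/`. Separately, the three new "You need to configure these" blocks keep the identical literal `sql-password = fnord` for rpkid, irdbd and pubd, which is easy to copy into a deployment unchanged; consider an obviously non-credential placeholder and a sentence such as `# Use a distinct, non-default password per daemon; once set, this file holds secrets and should not be world-readable.` The [irdbd] comment also says `HTTP service URL` while the value and every other URL in the file are https.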
@@ -150,33 +232,176 @@ rootd-bpki-cert = bpki.myirbe/rootd.cer
rootd-bpki-key = bpki.myirbe/rootd.key
child-bpki-cert = bpki.myirbe/child.cer
+# Server port on which rootd should listen.
+
server-port = 4401
+# Where rootd should write its output. Yes, rootd should be using
+# pubd instead of publishing directly, but it doesn't.
+
rpki-root-dir = publication/
-rpki-base-uri = rsync://localhost:4400/Me/
-rpki-root-cert-uri = rsync://localhost:4400/Me/root.cer
+
+# rsync URI for directory containing rootd's outputs
+
+rpki-base-uri = rsync://rpki.example.org/Me/
+
+# rsync URI for rootd's root (self-signed) RPKI certificate
+
+rpki-root-cert-uri = rsync://rpki.example.org/Me/root.cer
+
+# Private key corresponding to rootd's root RPKI certificate
rpki-root-key = bpki.myirbe/ca.key
+
+# Filename (as opposed to rsync URI) of rootd's root RPKI certificate
+
rpki-root-cert = publication/root.cer
+# Where rootd should stash a copy of the PKCS #10 request it gets from
+# its one (and only) child
+
rpki-subject-pkcs10 = rootd.subject.pkcs10
+
+# Lifetime of the one and only certificate rootd issues
+
rpki-subject-lifetime = 30d
+# Filename (relative to rootd-base-uri and rpki-root-dir) of the CRL
+# for rootd's root RPKI certificate
+
rpki-root-crl = root.crl
+
+# Filename (relative to rootd-base-uri and rpki-root-dir) of the
+# manifest for rootd's root RPKI certificate
+
rpki-root-manifest = root.mnf
+# Up-down protocol class name for RPKI certificate rootd issues to its
+# one (and only) child
+
rpki-class-name = Me
+
+# Filename (relative to rootd-base-uri and rpki-root-dir) of the one
+# (and only) RPKI certificate rootd issues
+
rpki-subject-cert = Me.cer
-[rpki_x509_extensions]
+# The last four paramters in this section are really parameters for
+# myirbe.py to use when constructing rootd's root RPKI certificate,
+# via an indirection hack in the OpenSSL voodoo portion of this file.
+# Don't ask why some of these are duplicated from other paramters in
+# this section, you don't want to know (really, you don't).
+
+# ASNs to include in rootd's root RPKI certificate, in openssl.conf format
+
+root_cert_asns = AS:0-4294967295
+
+# IP addresses to include in rootd's root RPKI certificate, in
+# openssl.conf format
+
+root_cert_addrs = IPv4:0.0.0.0/0,IPv6:0::/0
+
+# Whatever you put in rpki-base-uri, earlier in this section
+
+root_cert_sia = rsync://rpki.example.org/Me/
+
+# root_cert_sia + rpki-root-manifest
+
+root_cert_manifest = rsync://rpki.example.org/Me/root.mnf
+
+#################################################################
+
+# Constants for OpenSSL voodoo portion of this file, to make them
+# easier to find.
+
+[constants]
+
+# Digest algorithm. Don't change this.
+
+digest = sha256
+
+# RSA key length. Don't change this.
+
+key_length = 2048
+
+# Lifetime of BPKI certificates (and rootd RPKI root certificate).
+# Don't change this unless you know what you're doing.
+
+cert_days = 365
+
+# Lifetime of BPKI CRLs. Don't change this unless you know what
+# you're doing.
+
+crl_days = 365
+
+#################################################################
+
+# The rest of this file is OpenSSL configuration voodoo. Don't touch
+# anything below here even if you -do- know what you're doing. Even
+# by OpenSSL standards, some of this is weird, and interacts in
+# non-obvious ways with code in myrpki.py and myirbe.py. If you touch
+# this stuff and something breaks, don't say you weren't warned.
+
+[req]
+default_bits = ${constants::key_length}
+default_md = ${constants::digest}
+distinguished_name = req_dn
+prompt = no
+encrypt_key = no
+
+[req_dn]
+CN = Dummy name for certificate request
+
+[ca_x509_ext_ee]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ca_x509_ext_xcert0]
+basicConstraints = critical,CA:true,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ca_x509_ext_xcert1]
+basicConstraints = critical,CA:true,pathlen:1
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ca_x509_ext_ca]
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+
+[ca]
+default_ca = ca
+dir = ${ENV::BPKI_DIRECTORY}
+new_certs_dir = $dir
+database = $dir/index
+certificate = $dir/ca.cer
+private_key = $dir/ca.key
+default_days = ${constants::cert_days}
+default_crl_days = ${constants::crl_days}
+default_md = ${constants::digest}
+policy = ca_dn_policy
+unique_subject = no
+serial = $dir/serial
+crlnumber = $dir/crl_number
+
+[ca_dn_policy]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+givenName = optional
+surname = optional
+
+[rootd_x509_extensions]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
keyUsage = critical,keyCertSign,cRLSign
-subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://localhost:4400/Me/,1.3.6.1.5.5.7.48.10;URI:rsync://localhost:4400/Me/root.mnf
-sbgp-autonomousSysNum = critical,AS:0-4294967295
-sbgp-ipAddrBlock = critical,IPv4:0.0.0.0/0,IPv6:0::/0
-certificatePolicies = critical, @rpki_certificate_policy
-
-[rpki_certificate_policy]
-
-policyIdentifier = 1.3.6.1.5.5.7.14.2
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:${rootd::root_cert_sia},1.3.6.1.5.5.7.48.10;URI:${rootd::root_cert_manifest}
+sbgp-autonomousSysNum = critical,${rootd::root_cert_asns}
+sbgp-ipAddrBlock = critical,${rootd::root_cert_addrs}
+certificatePolicies = critical,1.3.6.1.5.5.7.14.2
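Review bot: The new comments above `rpki-root-crl`, `rpki-root-manifest` and `rpki-subject-cert` say the filename is relative to `rootd-base-uri`, but no key of that name exists; the key defined earlier in this hunk is `rpki-base-uri`, so all three should read `# Filename (relative to rpki-base-uri and rpki-root-dir) of ...`. The comment introducing the root_cert_* values spells `paramters` twice. Since `[rootd_x509_extensions]` now takes its SIA, manifest, ASN and address values from `${rootd::root_cert_*}` references, `root_cert_sia` must be kept identical to `rpki-base-uri` by hand as the comment says; presumably the duplicate exists because the hyphenated key cannot be referenced from OpenSSL's `${section::name}` syntax, and saying so next to `root_cert_sia` would stop the next maintainer from "deduplicating" it.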
diff --git a/myrpki/myrpki.conf b/myrpki/myrpki.conf
deleted file mode 100644
index e572824f..00000000
--- a/myrpki/myrpki.conf
+++ /dev/null
@@ -1,182 +0,0 @@
-# $Id$
-#
-# Config file for myrpi.py; note that this is also read by the OpenSSL
-# command line tool running under mypki.py, so syntax must remain
-# compatable with both OpenSSL and Python config file parsers, and
-# large portions of this are OpenSSL voodoo.
-
-[myrpki]
-handle = wombat
-roa_csv = roas.csv
-children_csv = children.csv
-parents_csv = parents.csv
-prefix_csv = prefixes.csv
-asn_csv = asns.csv
-xml_filename = myrpki.xml
-bpki_directory = bpki.myrpki
-repository_bpki_certificate = bpki.pubd/ca.cer
-repository_handle = wombat
-
-[constants]
-digest = sha256
-key_length = 2048
-cert_days = 365
-crl_days = 365
-
-[myirbe]
-irdbd_conf = irdbd.conf
-bpki_directory = bpki.myirbe
-want_pubd = true
-want_rootd = true
-pubd_base = https://localhost:4402
-rpkid_base = https://localhost:4404
-
-[req]
-default_bits = ${constants::key_length}
-default_md = ${constants::digest}
-distinguished_name = req_dn
-prompt = no
-encrypt_key = no
-
-[req_dn]
-CN = Dummy name for certificate request
-
-[ca_x509_ext_ee]
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-
-[ca_x509_ext_xcert0]
-basicConstraints = critical,CA:true,pathlen:0
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-
-[ca_x509_ext_xcert1]
-basicConstraints = critical,CA:true,pathlen:1
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-
-[ca_x509_ext_ca]
-basicConstraints = critical,CA:true
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-
-[ca]
-default_ca = ca
-dir = ${ENV::BPKI_DIRECTORY}
-new_certs_dir = $dir
-database = $dir/index
-certificate = $dir/ca.cer
-private_key = $dir/ca.key
-default_days = ${constants::cert_days}
-default_crl_days = ${constants::crl_days}
-default_md = ${constants::digest}
-policy = ca_dn_policy
-unique_subject = no
-serial = $dir/serial
-crlnumber = $dir/crl_number
-
-[ca_dn_policy]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-givenName = optional
-surname = optional
-
-[rpkid]
-
-sql-database = rpki
-sql-username = rpki
-sql-password = fnord
-bpki-ta = bpki.myirbe/ca.cer
-rpkid-key = bpki.myirbe/rpkid.key
-rpkid-cert = bpki.myirbe/rpkid.cer
-irdb-cert = bpki.myirbe/irdbd.cer
-irbe-cert = bpki.myirbe/irbe.cer
-irdb-url = https://localhost:4403/
-server-host = localhost
-server-port = 4404
-
-[irdbd]
-
-sql-database = irdb
-sql-username = irdb
-sql-password = fnord
-bpki-ta = bpki.myirbe/ca.cer
-rpkid-cert = bpki.myirbe/rpkid.cer
-irdbd-cert = bpki.myirbe/irdbd.cer
-irdbd-key = bpki.myirbe/irdbd.key
-https-url = https://localhost:4403/
-
-[pubd]
-
-startup-message = This is pubd
-
-sql-database = pubd
-sql-username = pubd
-sql-password = fnord
-bpki-ta = bpki.myirbe/ca.cer
-pubd-cert = bpki.myirbe/pubd.cer
-pubd-key = bpki.myirbe/pubd.key
-irbe-cert = bpki.myirbe/irbe.cer
-server-host = localhost
-server-port = 4402
-publication-base = publication/
-
-[irbe_cli]
-
-rpkid-bpki-ta = bpki.myirbe/ca.cer
-rpkid-irbe-key = bpki.myirbe/irbe.key
-rpkid-irbe-cert = bpki.myirbe/irbe.cer
-rpkid-cert = bpki.myirbe/rpkid.cer
-rpkid-url = https://localhost:4404/left-right/
-
-pubd-bpki-ta = bpki.myirbe/ca.cer
-pubd-irbe-key = bpki.myirbe/irbe.key
-pubd-irbe-cert = bpki.myirbe/irbe.cer
-pubd-cert = bpki.myirbe/pubd.cer
-pubd-url = https://localhost:4402/control/
-
-[rootd]
-
-startup-message = This is rootd
-
-bpki-ta = bpki.myirbe/ca.cer
-rootd-bpki-crl = bpki.myirbe/ca.crl
-rootd-bpki-cert = bpki.myirbe/rootd.cer
-rootd-bpki-key = bpki.myirbe/rootd.key
-child-bpki-cert = bpki.myirbe/child.cer
-
-server-port = 4401
-
-rpki-root-dir = publication/
-rpki-base-uri = rsync://localhost:4400/wombat/
-rpki-root-cert-uri = rsync://localhost:4400/wombat/root.cer
-
-rpki-root-key = bpki.myirbe/ca.key
-rpki-root-cert = publication/root.cer
-
-rpki-subject-pkcs10 = rootd.subject.pkcs10
-rpki-subject-lifetime = 30d
-
-rpki-root-crl = root.crl
-rpki-root-manifest = root.mnf
-
-rpki-class-name = wombat
-rpki-subject-cert = wombat.cer
-
-[rpki_x509_extensions]
-basicConstraints = critical,CA:true
-subjectKeyIdentifier = hash
-keyUsage = critical,keyCertSign,cRLSign
-subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://localhost:4400/wombat/,1.3.6.1.5.5.7.48.10;URI:rsync://localhost:4400/wombat/root.mnf
-sbgp-autonomousSysNum = critical,AS:0-4294967295
-sbgp-ipAddrBlock = critical,IPv4:0.0.0.0/0,IPv6:0::/0
-certificatePolicies = critical, @rpki_certificate_policy
-
-[rpki_certificate_policy]
-
-policyIdentifier = 1.3.6.1.5.5.7.14.2
diff --git a/myrpki/yamltest.py b/myrpki/yamltest.py
index f80420ac..8ed99781 100644
--- a/myrpki/yamltest.py
+++ b/myrpki/yamltest.py
@@ -402,7 +402,9 @@ class allocation(object):
r["rootd", "rpki-root-cert"] = "publication/root.cer"
r["rootd", "rpki-root-cert-uri"] = "rsync://%s/root.cer" % root_path
r["rootd", "rpki-subject-cert"] = "%s.cer" % self.name
- r["rpki_x509_extensions", "subjectInfoAccess"] = "1.3.6.1.5.5.7.48.5;URI:rsync://%s/,1.3.6.1.5.5.7.48.10;URI:rsync://%s/root.mnf" % (root_path, root_path)
+ r["rootd", "rpki-root-manifest"] = "root.mnf"
+ r["rootd", "root_cert_sia"] = r["rootd", "rpki-base-uri"]
+ r["rootd", "root_cert_manifest"] = r["rootd", "rpki-base-uri"] + r["rootd", "rpki-root-manifest"]
if self.runs_pubd():
r["pubd", "server-port"] = "%d" % self.pubd_port
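Review bot: `r["rootd", "root_cert_manifest"] = r["rootd", "rpki-base-uri"] + r["rootd", "rpki-root-manifest"]` joins the two strings with plain concatenation, so the URI is only well-formed if `rpki-base-uri` ends in "/"; that assignment is outside the hunk, so this is an inferred dependency rather than a visible bug. The value feeds `subjectInfoAccess` of the root certificate through `${rootd::root_cert_manifest}` in examples/myrpki.conf, so a malformed base would end up inside a signed object rather than failing early; a comment such as `# rpki-base-uri must end in "/" (root_cert_manifest is built by concatenation)` or a normalisation like `base.rstrip("/") + "/"` on the looked-up base would make that explicit. The enclosing method starts before and ends after this hunk.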
@@ -434,7 +436,7 @@ class allocation(object):
print "Writing", f.name
section = None
- for line in open("myrpki.conf"):
+ for line in open("examples/myrpki.conf"):
m = section_regexp.match(line)
if m:
section = m.group(1)
@@ -633,7 +635,7 @@ rootd_openssl("x509", "-req", "-sha256", "-outform", "DER",
"-in", "bpki.myirbe/ca.req",
"-out", "publication/root.cer",
"-extfile", "myrpki.conf",
- "-extensions", "rpki_x509_extensions")
+ "-extensions", "rootd_x509_extensions")
# At this point we need to start a whole lotta daemons.