diff options
| author | Rob Austein <sra@hactrn.net> | 2016-07-28 21:03:09 -0400 |
|---|---|---|
| committer | Rob Austein <sra@hactrn.net> | 2016-07-28 21:03:09 -0400 |
| commit | 83fce9376139aac61522030ad4ff11cfe5de6139 (patch) | |
| tree | 1c6d9175e9bfdb33d6280d25228bc07742e0a9da /doc/doc.RPKI.CA.Configuration.rootd | |
| parent | 794705b7cde7ab8eade9d38ddd15cfbf5de5ebd8 (diff) | |
Drop in documentation extracted from wiki.rpki.net. See README for details.
Diffstat (limited to 'doc/doc.RPKI.CA.Configuration.rootd')
| -rw-r--r-- | doc/doc.RPKI.CA.Configuration.rootd | 146 |
1 files changed, 0 insertions, 146 deletions
diff --git a/doc/doc.RPKI.CA.Configuration.rootd b/doc/doc.RPKI.CA.Configuration.rootd deleted file mode 100644 index c3efba0f..00000000 --- a/doc/doc.RPKI.CA.Configuration.rootd +++ /dev/null @@ -1,146 +0,0 @@ -****** [rootd] section ****** - -You don't need to run rootd unless you're IANA, are certifying private address -space, or are an RIR which refuses to accept IANA as the root of the public -address hierarchy. - -Ok, if that wasn't enough to scare you off: rootd is a mess, and needs to be -rewritten, or, better, merged into rpkid. It doesn't use the publication -protocol, and it requires far too many configuration parameters. - -rootd was originally intended to be a very simple program which simplified -rpkid enormously by moving one specific task (acting as the root CA of an RPKI -certificate hierarchy) out of rpkid. As the specifications and code (mostly the -latter) have evolved, however, this task has become more complicated, and rootd -would have to become much more complicated to keep up. - -Don't run rootd unless you're sure that you need to do so. - -Still think you need to run rootd? OK, but remember, you have been warned.... - -rootd's default configuration file is the system rpki.conf file. Start rootd -with "-c filename" to choose a different configuration file. All options are in -the "[rootd]" section. Certificates and keys may be in either DER or PEM -format. - -***** bpki-ta ***** - -Where rootd should look for the BPKI trust anchor. All BPKI certificate -verification within rootd traces back to this trust anchor. Don't change this -unless you really know what you are doing. - - bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer - -***** rootd-bpki-crl ***** - -BPKI CRL. Don't change this unless you really know what you are doing. - - rootd-bpki-crl = ${myrpki::bpki_servers_directory}/ca.crl - -***** rootd-bpki-cert ***** - -rootd's own BPKI EE certificate. Don't change this unless you really know what -you are doing. - - rootd-bpki-cert = ${myrpki::bpki_servers_directory}/rootd.cer - -***** rootd-bpki-key ***** - -Private key corresponding to rootd's own BPKI EE certificate. Don't change this -unless you really know what you are doing. - - rootd-bpki-key = ${myrpki::bpki_servers_directory}/rootd.key - -***** child-bpki-cert ***** - -BPKI certificate for rootd's one and only up-down child (RPKI engine to which -rootd issues an RPKI certificate). Don't change this unless you really know -what you are doing. - - child-bpki-cert = ${myrpki::bpki_servers_directory}/child.cer - -***** server-host ***** - -Server host on which rootd should listen. - - server-host = ${myrpki::rootd_server_host} - -***** server-port ***** - -Server port on which rootd should listen. - - server-port = ${myrpki::rootd_server_port} - -***** rpki-root-dir ***** - -Where rootd should write its output. Yes, rootd should be using pubd instead of -publishing directly, but it doesn't. This needs to match pubd's configuration. - - rpki-root-dir = ${myrpki::publication_base_directory} - -***** rpki-base-uri ***** - -rsync URI corresponding to directory containing rootd's outputs. - - rpki-base-uri = rsync://${myrpki::publication_rsync_server}/${myrpki:: - publication_rsync_module}/ - -***** rpki-root-cert-uri ***** - -rsync URI for rootd's root (self-signed) RPKI certificate. - - rpki-root-cert-uri = rsync://${myrpki::publication_rsync_server}/${myrpki:: - publication_root_module}/root.cer - -***** rpki-root-key ***** - -Private key corresponding to rootd's root RPKI certificate. - - rpki-root-key = ${myrpki::bpki_servers_directory}/root.key - -***** rpki-root-cert ***** - -Filename (as opposed to rsync URI) of rootd's root RPKI certificate. - - rpki-root-cert = ${myrpki::publication_root_cert_directory}/root.cer - -***** rpki-subject-pkcs10 ***** - -Where rootd should stash a copy of the PKCS #10 request it gets from its one -(and only) child - - rpki-subject-pkcs10 = ${myrpki::bpki_servers_directory}/rootd.subject.pkcs10 - -***** rpki-subject-lifetime ***** - -Lifetime of the one and only RPKI certificate rootd issues. - - rpki-subject-lifetime = 30d - -***** rpki-root-crl ***** - -Filename (relative to rootd-base-uri and rpki-root-dir) of the CRL for rootd's -root RPKI certificate. - - rpki-root-crl = root.crl - -***** rpki-root-manifest ***** - -Filename (relative to rootd-base-uri and rpki-root-dir) of the manifest for -rootd's root RPKI certificate. - - rpki-root-manifest = root.mft - -***** rpki-class-name ***** - -Up-down protocol class name for RPKI certificate rootd issues to its one (and -only) child. - - rpki-class-name = ${myrpki::handle} - -***** rpki-subject-cert ***** - -Filename (relative to rootd-base-uri and rpki-root-dir) of the one (and only) -RPKI certificate rootd issues. - - rpki-subject-cert = ${myrpki::handle}.cer |