diff options
| author | Rob Austein <sra@hactrn.net> | 2016-08-04 12:27:06 -0400 |
|---|---|---|
| committer | Rob Austein <sra@hactrn.net> | 2016-08-04 12:27:06 -0400 |
| commit | c897c7cecf4134f20354e3dbba9438cbab706eaf (patch) | |
| tree | 7066ad608aa285a2b80589e224d06a96e7421120 /doc/wiki-dump/doc%2FRPKI%2FCA%2FConfiguration%2Frootd.md | |
| parent | 949e9c8358b5259656c02e4a1ada7912d943afd2 (diff) | |
Wiki->HTML->Markdown on all dumped pages, zip attachments.
Diffstat (limited to 'doc/wiki-dump/doc%2FRPKI%2FCA%2FConfiguration%2Frootd.md')
| -rw-r--r-- | doc/wiki-dump/doc%2FRPKI%2FCA%2FConfiguration%2Frootd.md | 203 |
1 files changed, 203 insertions, 0 deletions
diff --git a/doc/wiki-dump/doc%2FRPKI%2FCA%2FConfiguration%2Frootd.md b/doc/wiki-dump/doc%2FRPKI%2FCA%2FConfiguration%2Frootd.md new file mode 100644 index 00000000..ffd00010 --- /dev/null +++ b/doc/wiki-dump/doc%2FRPKI%2FCA%2FConfiguration%2Frootd.md @@ -0,0 +1,203 @@ +# [rootd] section + +You don't need to run rootd unless you're IANA, are certifying private address +space, or are an RIR which refuses to accept IANA as the root of the public +address hierarchy. + +Ok, if that wasn't enough to scare you off: rootd is a mess, and needs to be +rewritten, or, better, merged into rpkid. It doesn't use the publication +protocol, and it requires far too many configuration parameters. + +rootd was originally intended to be a very simple program which simplified +rpkid enormously by moving one specific task (acting as the root CA of an RPKI +certificate hierarchy) out of rpkid. As the specifications and code (mostly +the latter) have evolved, however, this task has become more complicated, and +rootd would have to become much more complicated to keep up. + +Don't run rootd unless you're sure that you need to do so. + +Still think you need to run rootd? OK, but remember, you have been warned.... + +rootd's default configuration file is the system `rpki.conf` file. Start rootd +with "`-c filename`" to choose a different configuration file. All options are +in the "`[rootd]`" section. Certificates and keys may be in either DER or PEM +format. + +## bpki-ta + +Where rootd should look for the BPKI trust anchor. All BPKI certificate +verification within rootd traces back to this trust anchor. Don't change this +unless you really know what you are doing. + + + + bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer + + +## rootd-bpki-crl + +BPKI CRL. Don't change this unless you really know what you are doing. + + + + rootd-bpki-crl = ${myrpki::bpki_servers_directory}/ca.crl + + +## rootd-bpki-cert + +rootd's own BPKI EE certificate. Don't change this unless you really know what +you are doing. + + + + rootd-bpki-cert = ${myrpki::bpki_servers_directory}/rootd.cer + + +## rootd-bpki-key + +Private key corresponding to rootd's own BPKI EE certificate. Don't change +this unless you really know what you are doing. + + + + rootd-bpki-key = ${myrpki::bpki_servers_directory}/rootd.key + + +## child-bpki-cert + +BPKI certificate for rootd's one and only up-down child (RPKI engine to which +rootd issues an RPKI certificate). Don't change this unless you really know +what you are doing. + + + + child-bpki-cert = ${myrpki::bpki_servers_directory}/child.cer + + +## server-host + +Server host on which rootd should listen. + + + + server-host = ${myrpki::rootd_server_host} + + +## server-port + +Server port on which rootd should listen. + + + + server-port = ${myrpki::rootd_server_port} + + +## rpki-root-dir + +Where rootd should write its output. Yes, rootd should be using pubd instead +of publishing directly, but it doesn't. This needs to match pubd's +configuration. + + + + rpki-root-dir = ${myrpki::publication_base_directory} + + +## rpki-base-uri + +rsync URI corresponding to directory containing rootd's outputs. + + + + rpki-base-uri = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/ + + +## rpki-root-cert-uri + +rsync URI for rootd's root (self-signed) RPKI certificate. + + + + rpki-root-cert-uri = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_root_module}/root.cer + + +## rpki-root-key + +Private key corresponding to rootd's root RPKI certificate. + + + + rpki-root-key = ${myrpki::bpki_servers_directory}/root.key + + +## rpki-root-cert + +Filename (as opposed to rsync URI) of rootd's root RPKI certificate. + + + + rpki-root-cert = ${myrpki::publication_root_cert_directory}/root.cer + + +## rpki-subject-pkcs10 + +Where rootd should stash a copy of the PKCS [#10][1] request it gets from its +one (and only) child + + + + rpki-subject-pkcs10 = ${myrpki::bpki_servers_directory}/rootd.subject.pkcs10 + + +## rpki-subject-lifetime + +Lifetime of the one and only RPKI certificate rootd issues. + + + + rpki-subject-lifetime = 30d + + +## rpki-root-crl + +Filename (relative to rootd-base-uri and rpki-root-dir) of the CRL for rootd's +root RPKI certificate. + + + + rpki-root-crl = root.crl + + +## rpki-root-manifest + +Filename (relative to rootd-base-uri and rpki-root-dir) of the manifest for +rootd's root RPKI certificate. + + + + rpki-root-manifest = root.mft + + +## rpki-class-name + +Up-down protocol class name for RPKI certificate rootd issues to its one (and +only) child. + + + + rpki-class-name = ${myrpki::handle} + + +## rpki-subject-cert + +Filename (relative to rootd-base-uri and rpki-root-dir) of the one (and only) +RPKI certificate rootd issues. + + + + rpki-subject-cert = ${myrpki::handle}.cer + + + [1]: /ticket/10 (enhancement: Things Keyur wanted when he saw rcynic-ng's +HTML (closed: fixed)) + |