-rw-r--r--rpkid/examples/rpki.conf121
-rw-r--r--rpkid/irbe_cli.py27
2 files changed, 21 insertions, 127 deletions
diff --git a/rpkid/examples/rpki.conf b/rpkid/examples/rpki.conf
index 8c9bc261..3b798667 100644
--- a/rpkid/examples/rpki.conf
+++ b/rpkid/examples/rpki.conf
@@ -251,32 +251,6 @@ irbe-cert = ${myrpki::bpki_servers_directory}/irbe.cer
#################################################################
-[irbe_cli]
-
-# HTTP service URL for rpkid
-
-rpkid-url = http://${myrpki::rpkid_server_host}:${myrpki::rpkid_server_port}/left-right/
-
-# BPKI certificates and keys for talking to rpkid
-
-rpkid-bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer
-rpkid-irbe-key = ${myrpki::bpki_servers_directory}/irbe.key
-rpkid-irbe-cert = ${myrpki::bpki_servers_directory}/irbe.cer
-rpkid-cert = ${myrpki::bpki_servers_directory}/rpkid.cer
-
-# HTTP service URL for pubd
-
-pubd-url = http://${myrpki::pubd_server_host}:${myrpki::pubd_server_port}/control/
-
-# BPKI certificates and keys for talking to pubd
-
-pubd-bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer
-pubd-irbe-key = ${myrpki::bpki_servers_directory}/irbe.key
-pubd-irbe-cert = ${myrpki::bpki_servers_directory}/irbe.cer
-pubd-cert = ${myrpki::bpki_servers_directory}/pubd.cer
-
-#################################################################
-
[rootd]
# You don't need to run rootd unless you're IANA, are certifying
@@ -385,100 +359,5 @@ sql-password = ${myrpki::irdbd_sql_password}
#################################################################
-# Constants for OpenSSL voodoo portion of this file, to make them
-# easier to find.
-
-[constants]
-
-# Digest algorithm. Don't change this.
-
-digest = sha256
-
-# RSA key length. Don't change this.
-
-key_length = 2048
-
-# Lifetime of BPKI certificates (and rootd RPKI root certificate).
-# Don't change this unless you know what you're doing.
-
-cert_days = 365
-
-# Lifetime of BPKI CRLs. Don't change this unless you know what
-# you're doing.
-
-crl_days = 365
-
-#################################################################
-
-# The rest of this file is OpenSSL configuration voodoo. Don't touch
-# anything below here even if you -do- know what you're doing. Even
-# by OpenSSL standards, some of this is weird, and interacts in
-# non-obvious ways with code in myrpki.py and myirbe.py. If you touch
-# this stuff and something breaks, don't say you weren't warned.
-
-[req]
-default_bits = ${constants::key_length}
-default_md = ${constants::digest}
-distinguished_name = req_dn
-prompt = no
-encrypt_key = no
-
-[req_dn]
-CN = Dummy name for certificate request
-
-[ca_x509_ext_ee]
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-
-[ca_x509_ext_xcert0]
-basicConstraints = critical,CA:true,pathlen:0
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-
-[ca_x509_ext_xcert1]
-basicConstraints = critical,CA:true,pathlen:1
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-
-[ca_x509_ext_ca]
-basicConstraints = critical,CA:true
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always
-
-[ca]
-default_ca = ca
-dir = ${ENV::BPKI_DIRECTORY}
-new_certs_dir = $dir
-database = $dir/index
-certificate = $dir/ca.cer
-private_key = $dir/ca.key
-default_days = ${constants::cert_days}
-default_crl_days = ${constants::crl_days}
-default_md = ${constants::digest}
-policy = ca_dn_policy
-unique_subject = no
-serial = $dir/serial
-crlnumber = $dir/crl_number
-
-[ca_dn_policy]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-givenName = optional
-surname = optional
-
-[rootd_x509_extensions]
-basicConstraints = critical,CA:true
-subjectKeyIdentifier = hash
-keyUsage = critical,keyCertSign,cRLSign
-subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:${rootd::root_cert_sia},1.3.6.1.5.5.7.48.10;URI:${rootd::root_cert_manifest}
-sbgp-autonomousSysNum = critical,${rootd::root_cert_asns}
-sbgp-ipAddrBlock = critical,${rootd::root_cert_addrs}
-certificatePolicies = critical,1.3.6.1.5.5.7.14.2
-
#[rpkic]
#autosync = false
diff --git a/rpkid/irbe_cli.py b/rpkid/irbe_cli.py
index 0a458009..9d691da4 100644
--- a/rpkid/irbe_cli.py
+++ b/rpkid/irbe_cli.py
@@ -3,7 +3,7 @@ Command line IR back-end control program for rpkid and pubd.
$Id$
-Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2013 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -32,9 +32,16 @@ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
-import getopt, sys, textwrap
-import rpki.left_right, rpki.http, rpki.x509, rpki.config, rpki.log
-import rpki.publication, rpki.async
+import sys
+import getopt
+import textwrap
+import rpki.left_right
+import rpki.http
+import rpki.x509
+import rpki.config
+import rpki.log
+import rpki.publication
+import rpki.async
pem_out = None
@@ -337,13 +344,17 @@ if q_msg_left_right:
rpkid = server_ca.ee_certificates.get(purpose = "rpkid")
+ rpkid_url = "http://%s:%s/left-right/" % (
+ cfg.get("server-host", section = "rpkid"),
+ cfg.get("server-port", section = "rpkid"))
+
call_rpkid = rpki.async.sync_wrapper(rpki.http.caller(
proto = left_right_proto,
client_key = irbe.private_key,
client_cert = irbe.certificate,
server_ta = server_ca.certificate,
server_cert = rpkid.certificate,
- url = cfg.get("rpkid-url"),
+ url = rpkid_url,
debug = verbose))
call_rpkid(*q_msg_left_right)
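Review bot: The `rpkid_url` assembly added at the top of this hunk is repeated almost verbatim, differing only in section name and path, by the `pubd_url` block in the following hunk (`@@ -356,13 +367,17 @@`); a small helper such as `def service_url(section, path): return "http://%s:%s%s" % (cfg.get("server-host", section = section), cfg.get("server-port", section = section), path)` would keep the two in step. Neither site checks that `server-port` is numeric or that `server-host` contains no `/`, `?` or `#`, so a mistyped value is only noticed when `rpki.http.caller` attempts the connection, and a host string with a path separator quietly redirects the request to a different endpoint; wrapping the port as `int(cfg.get("server-port", section = "rpkid"))` would at least fail fast with a clear error. The scheme is now fixed to `http://`, whereas the deleted `rpkid-url` key in `rpki.conf` let the operator choose it; if the BPKI-signed payload is the only protection on this channel (not confirmable from the hunk), a short comment at the assignment saying so would help the next reader. The enclosing `if q_msg_left_right:` block begins outside the hunk.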
@@ -356,13 +367,17 @@ if q_msg_publication:
pubd = server_ca.ee_certificates.get(purpose = "pubd")
+ pubd_url = "http://%s:%s/control/" % (
+ cfg.get("server-host", section = "pubd"),
+ cfg.get("server-port", section = "pubd"))
+
call_pubd = rpki.async.sync_wrapper(rpki.http.caller(
proto = publication_proto,
client_key = irbe.private_key,
client_cert = irbe.certificate,
server_ta = server_ca.certificate,
server_cert = pubd.certificate,
- url = cfg.get("pubd-url"),
+ url = pubd_url,
debug = verbose))
call_pubd(*q_msg_publication)