Diffstat (limited to 'ca/rpki-confgen.xml')
-rw-r--r-- | ca/rpki-confgen.xml | 158 |
1 files changed, 102 insertions, 56 deletions
diff --git a/ca/rpki-confgen.xml b/ca/rpki-confgen.xml
index a29ad8cd..b3e50823 100644
--- a/ca/rpki-confgen.xml
+++ b/ca/rpki-confgen.xml
@@ -186,17 +186,17 @@
 </doc>
 </option>
- <option name = "publication_root_cert_directory"
- value = "${myrpki::publication_base_directory}.root">
+ <option name = "rrdp_publication_base_directory"
+ value = "${autoconf::datarootdir}/rpki/rrdp-publication">
 <doc>
- Root of local directory tree where rootd (sigh) should write out
- published data. This is just like publication_base_directory, but
- rootd is too dumb to use pubd and needs its own directory in
- which to write one certificate, one CRL, and one manifest.
- Neither rootd nor rsyncd much cares //where// you tell them to put
- this stuff, the important thing is that the rsync URIs in
- generated certificates match up with the published objects so that
- relying parties can find and verify rootd's published outputs.
+ Root of local directory tree where pubd should write out RRDP
+ files. You need to configure this, and the configuration
+ should match up with the directory where you point the web
+ server (usually Apache) that serves the RRDP files. Neither
+ pubd nor Apache much cares //where// you tell it to put this
+ stuff, the important thing is that all the URIs match up so
+ that relying parties can find and verify rpkid's published
+ outputs.
 </doc>
 </option>
@@ -209,15 +209,6 @@
 </doc>
 </option>
- <option name = "publication_root_module"
- value = "root">
- <doc>
- rsyncd module name corresponding to publication_root_cert_directory.
- This has to match the module you configured into `rsyncd.conf`.
- Leave this alone unless you have some need to change it.
- </doc>
- </option>
-
 <option name = "publication_rsync_server"
 value = "${myrpki::pubd_server_host}">
 <doc>
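Review bot: The new doc for `rrdp_publication_base_directory` (hunk at -186) tells the operator that "all the URIs match up" but never names the option that holds the RRDP URI this directory must correspond to, so the reader cannot tell which two values have to agree; the old text at least tied the directory to `publication_root_module`. That URI-side option is not visible in this diff, so I cannot quote it, but the doc should name it explicitly, e.g. `The web server must serve this directory at the RRDP base URI configured in <rrdp-uri-option>, otherwise relying parties cannot fetch what pubd writes here.` (placeholder for the real option name). The verbatim copy of this paragraph later in the commit (hunk at -577) would then be the place to point back here instead of repeating it.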
@@ -577,6 +568,20 @@
 </doc>
 </option>
+ <option name = "rrdp-publication-base"
+ value = "${myrpki::rrdp_publication_base_directory}">
+ <doc>
+ Root of local directory tree where pubd should write out RRDP
+ files. You need to configure this, and the configuration
+ should match up with the directory where you point the web
+ server (usually Apache) that serves the RRDP files. Neither
+ pubd nor Apache much cares //where// you tell it to put this
+ stuff, the important thing is that all the URIs match up so
+ that relying parties can find and verify rpkid's published
+ outputs.
+ </doc>
+ </option>
+
 <option name = "server-host"
 value = "${myrpki::pubd_server_host}">
 <doc>
@@ -618,6 +623,15 @@
 </doc>
 </option>
+ <option name = "pubd-crl"
+ value = "${myrpki::bpki_servers_directory}/ca.crl">
+ <doc>
+ Where pubd should look for the CRL covering its own BPKI EE
+ certificate. Don't change this unless you really know what
+ you are doing.
+ </doc>
+ </option>
+
 <option name = "irbe-cert"
 value = "${myrpki::bpki_servers_directory}/irbe.cer">
 <doc>
@@ -638,10 +652,9 @@
 </doc>
 <doc>
- Ok, if that wasn't enough to scare you off: rootd is a mess, and
- needs to be rewritten, or, better, merged into rpkid. It
- doesn't use the publication protocol, and it requires far too
- many configuration parameters.
+ Ok, if that wasn't enough to scare you off: rootd is a mess,
+ needs to be rewritten, or, better, merged into rpkid, and
+ requires far too many configuration parameters.
 </doc>
 <doc>
@@ -712,6 +725,13 @@
 </doc>
 </option>
+ <option name = "pubd-bpki-cert">
+ <doc>
+ BPKI certificate for pubd. Don't set this unless you really
+ know what you are doing.
+ </doc>
+ </option>
+
 <option name = "server-host"
 value = "${myrpki::rootd_server_host}">
 <doc>
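Review bot: The `rrdp-publication-base` doc (hunk at -577) repeats the `[myrpki]` paragraph from the -186 hunk word for word, including "You need to configure this", yet its value is `${myrpki::rrdp_publication_base_directory}`, so the thing an operator should actually edit is the `[myrpki]` option, not this one. Two copies of the same guidance will drift, and this copy invites people to override the derived value. I would shorten it to `Root of local directory tree where pubd should write out RRDP files. This is normally derived from rrdp_publication_base_directory in the [myrpki] section; don't override it here unless you really know what you are doing.` — matching the "don't change this" register the neighbouring `pubd-crl` option already uses.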
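Review bot: `pubd-bpki-cert` (hunk at -712) is the only option in this diff with no `value` attribute, and its doc does not say what rootd uses when it is left unset, so the reader has no way to tell whether "don't set this" means "a built-in default applies" or "rootd will not talk to pubd". Presumably rootd falls back to a default path when the option is absent, but that is not visible here. One sentence would settle it: `When unset, rootd uses its built-in default location for pubd's BPKI certificate.` (confirm the actual fallback before writing it). The sibling `pubd-crl` option added at -618 shows the contrasting pattern of an explicit default value with the same warning, so it would help to say why this one deliberately differs.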
@@ -726,46 +746,75 @@
 </doc>
 </option>
- <option name = "rpki-root-dir"
- value = "${myrpki::publication_base_directory}">
+ <option name = "rpki_data_dir"
+ value = "${myrpki::bpki_servers_directory}">
 <doc>
- Where rootd should write its output. Yes, rootd should be using
- pubd instead of publishing directly, but it doesn't. This
- needs to match pubd's configuration.
+ Directory where rootd should store its RPKI data files. This
+ is only used to construct other variables, rootd itself
+ doesn't read it.
 </doc>
 </option>
- <option name = "rpki-base-uri"
- value = "rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/">
+ <option name = "rpki_base_uri"
+ value = "rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/${myrpki::handle}-root/root">
 <doc>
- rsync URI corresponding to directory containing rootd's outputs.
+ rsync URI corresponding to directory containing rootd's
+ outputs. This is only used to construct other variables,
+ rootd itself doesn't read it.
 </doc>
 </option>
 <option name = "rpki-root-cert-uri"
- value = "rsync://${myrpki::publication_rsync_server}/${myrpki::publication_root_module}/root.cer">
+ value = "${rootd::rpki_base_uri}.cer">
 <doc>
 rsync URI for rootd's root (self-signed) RPKI certificate.
 </doc>
 </option>
- <option name = "rpki-root-key"
- value = "${myrpki::bpki_servers_directory}/root.key">
+ <option name = "rpki-root-cert-file"
+ value = "${rootd::rpki_data_dir}/root.cer">
+ <doc>
+ Filename of rootd's root RPKI certificate.
+ </doc>
+ </option>
+
+ <option name = "rpki-root-key-file"
+ value = "${rootd::rpki_data_dir}/root.key">
 <doc>
 Private key corresponding to rootd's root RPKI certificate.
 </doc>
 </option>
- <option name = "rpki-root-cert"
- value = "${myrpki::publication_root_cert_directory}/root.cer">
+ <option name = "rpki-root-crl-uri"
+ value = "${rootd::rpki_base_uri}/root.crl">
+ <doc>
+ URI of the CRL for rootd's root RPKI certificate.
+ </doc>
+ </option>
+
+ <option name = "rpki-root-crl-file"
+ value = "${rootd::rpki_data_dir}/root.crl">
+ <doc>
+ Filename of the CRL for rootd's root RPKI certificate.
+ </doc>
+ </option>
+
+ <option name = "rpki-root-manifest-uri"
+ value = "${rootd::rpki_base_uri}/root.mft">
+ <doc>
+ URI of the manifest for rootd's root RPKI certificate.
+ </doc>
+ </option>
+
+ <option name = "rpki-root-manifest-file"
+ value = "${rootd::rpki_data_dir}/root.mft">
 <doc>
- Filename (as opposed to rsync URI) of rootd's root RPKI
- certificate.
+ Filename of the manifest for rootd's root RPKI certificate.
 </doc>
 </option>
- <option name = "rpki-subject-pkcs10"
- value = "${myrpki::bpki_servers_directory}/rootd.subject.pkcs10">
+ <option name = "rpki-subject-pkcs10-file"
+ value = "${rootd::rpki_data_dir}/subject.pkcs10">
 <doc>
 Where rootd should stash a copy of the PKCS #10 request it gets from its one (and only) child
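Review bot: The new `rpki_base_uri` doc (hunk at -726, spanning the two preceding physical lines) says it is the "directory containing rootd's outputs", but `rpki-root-cert-uri` is built as `${rootd::rpki_base_uri}.cer` while `rpki-root-crl-uri`, `rpki-root-manifest-uri` and the later `rpki-subject-cert-uri` append `/root.crl`, `/root.mft` and `/${myrpki::handle}.cer` — so the root certificate is published one level above the directory the doc describes, as `…/${myrpki::handle}-root/root.cer` beside the `…/root/` directory. That layout is presumably deliberate (the self-signed certificate's SIA pointing into the directory below it), but the doc should say so rather than calling the value a directory: `rsync URI (without trailing slash) of the directory in which rootd's CRL, manifest and subject certificate are published; the root certificate itself is published as this URI with ".cer" appended, i.e. beside that directory, not inside it.` A second gap: `rpki_data_dir` is documented only as "where rootd should store its RPKI data files", yet `rpki-root-key-file` places `root.key`, the private key of the trust-anchor certificate, in it and defaults it to `${myrpki::bpki_servers_directory}`; I would add `This directory also holds rootd's root private key (root.key), so it must not be readable by anyone other than the rootd user.`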
@@ -779,35 +828,32 @@
 </doc>
 </option>
- <option name = "rpki-root-crl"
- value = "root.crl">
+ <option name = "rpki-class-name"
+ value = "${myrpki::handle}">
 <doc>
- Filename (relative to rootd-base-uri and rpki-root-dir) of the CRL
- for rootd's root RPKI certificate.
+ Up-down protocol class name for RPKI certificate rootd issues to its
+ one (and only) child.
 </doc>
 </option>
- <option name = "rpki-root-manifest"
- value = "root.mft">
+ <option name = "rpki-subject-cert-uri"
+ value = "${rootd::rpki_base_uri}/${myrpki::handle}.cer">
 <doc>
- Filename (relative to rootd-base-uri and rpki-root-dir) of the
- manifest for rootd's root RPKI certificate.
+ URI of the one (and only) RPKI certificate rootd issues.
 </doc>
 </option>
- <option name = "rpki-class-name"
- value = "${myrpki::handle}">
+ <option name = "rpki-subject-cert-file"
+ value = "${rootd::rpki_data_dir}/${myrpki::handle}.cer">
 <doc>
- Up-down protocol class name for RPKI certificate rootd issues to its
- one (and only) child.
+ Filename of the one (and only) RPKI certificate rootd issues.
 </doc>
 </option>
- <option name = "rpki-subject-cert"
- value = "${myrpki::handle}.cer">
+ <option name = "pubd-contact-uri"
+ value = "http://${myrpki::pubd_server_host}:${myrpki::pubd_server_port}/client/${myrpki::handle}-root">
 <doc>
- Filename (relative to rootd-base-uri and rpki-root-dir) of the one
- (and only) RPKI certificate rootd issues.
+ URI at which rootd should contact pubd for service.
 </doc>
 </option>
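Review bot: The `pubd-contact-uri` doc (hunk at -779) says only "URI at which rootd should contact pubd for service", while the value is a plain `http://` URL carrying the trust anchor's publication traffic; a reader configuring this for the first time will reasonably ask what protects that channel. Presumably the answer is that publication-protocol messages are CMS-signed under the BPKI (this commit adds `pubd-crl` and `pubd-bpki-cert` alongside), so the scheme is not the integrity boundary, but the doc should state that rather than leave it implied, and it should say that the trailing `client/${myrpki::handle}-root` path must match the client handle pubd has been told to expect for rootd. Something like `pubd authenticates these messages by their BPKI signatures, not by the transport; the client path component must match the client name rootd is registered under in pubd.` — with the second half confirmed against how pubd actually derives the client name, which is not visible here.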