Diffstat (limited to 'doc/11.RPKI.CA.md')
-rw-r--r-- | doc/11.RPKI.CA.md | 63 |
1 files changed, 37 insertions, 26 deletions
diff --git a/doc/11.RPKI.CA.md b/doc/11.RPKI.CA.md index dd523fc8..a26f91e9 100644 --- a/doc/11.RPKI.CA.md +++ b/doc/11.RPKI.CA.md @@ -6,18 +6,18 @@ implemented primarily in Python, with an extension module linked against an RFC-3779-enabled version of the OpenSSL libraries to handle some of the low- level details. -See the relying party tools for tools for retrieving, verifying, and using -RPKI data. +See the [relying party tools][1] for tools for retrieving, verifying, and +using RPKI data. ## Getting started If you just want to get started with the CA tools and hate reading documentation, here's a roadmap on what you do need to read: - 1. Start with the installation instructions; if you're using pre-built packages you may be able to skip this step. - 2. Then read the configuration instructions - 3. Then the MySQL setup instructions - 4. And finally either the command line tool or web interface + 1. Start with the [installation instructions][2]; if you're using pre-built packages you may be able to skip this step. + 2. Then read the [configuration instructions][3] + 3. Then the [MySQL setup instructions][4] + 4. And finally either the [command line tool][5] or [web interface][6] ## Overview of the CA engine @@ -44,7 +44,7 @@ RPKI:: ### Programs -See the installation instructions for how to build and install the code. +See the [installation instructions][2] for how to build and install the code. The RPKI CA engine includes the following programs: 
@@ -81,16 +81,17 @@ irdbd, rpkic, and the GUI collectively make up the "Internet registry back end" (IRBE) component of the system. These programs take configuration files in a common format similar to that -used by the OpenSSL command line tool, see the configuration guide for +used by the OpenSSL command line tool, see the [configuration guide][3] for details. Basic operation consists of creating the appropriate MySQL databases (see -MySQL setup), starting the daemons, and using rpkic or the web interface to -configure relationships between parents and children, relationships between -publication clients and repositories, allocate resources to children, and -create ROAs. Once setup is complete, rpkid should maintain the requested data -automatically, including re-querying its parent(s) periodically to check for -changes, reissuing certificates and other objects as needed, and so forth. +[MySQL setup][4]), starting the daemons, and using [rpkic][5] or [the web +interface][6] to configure relationships between parents and children, +relationships between publication clients and repositories, allocate resources +to children, and create ROAs. Once setup is complete, rpkid should maintain +the requested data automatically, including re-querying its parent(s) +periodically to check for changes, reissuing certificates and other objects as +needed, and so forth. The daemons are all event-driven, and are (in theory) capable of supporting an arbitrary number of hosted RPKI engines to run in a single rpkid instance, up @@ -98,7 +99,7 @@ to the performance limits of the underlying hardware. ## Starting the servers -You need to follow the instructions in the configuration guide before +You need to follow the instructions in the [configuration guide][3] before attempting to start the servers. Once you've written the servers' configuration file, the easiest way to run 
@@ -125,18 +126,18 @@ debugging. Some of the configuration options are common to all daemons: which daemon they affect depends only on which sections of the configuration file they are in. -See Common Options for details. +See [Common Options][7] for details. ### rpkid rpkid is the main RPKI engine daemon. Configuration of rpkid is a two step process: a config file to bootstrap rpkid to the point where it can speak -using the left-right protocol, followed by dynamic configuration via the left- -right protocol. The latter stage is handled by the command line tool or the -web interface. +using the [left-right protocol][8], followed by dynamic configuration via the +left-right protocol. The latter stage is handled by the [command line tool][5] +or the [web interface][6]. rpkid stores dynamic data in an SQL database, which must have been created for -it, as explained in in the MySQL setup instructions. +it, as explained in in the [MySQL setup instructions][4]. ### pubd @@ -150,10 +151,10 @@ pubd is separate from rpkid for two reasons: * The publication server has to run on (or at least close to) the publication point itself, which in turn must be on a publically reachable server to be useful. rpkid, on the other hand, need only be reachable by the IRBE and its children in the RPKI tree. rpkid is a much more complex piece of software than pubd, so in some situations it might make sense to wrap tighter firewall constraints around rpkid than would be practical if rpkid and pubd were a single program. pubd stores dynamic data in an SQL database, which must have been created for -it, as explained in the MySQL setup instructions. pubd also stores the +it, as explained in the [MySQL setup instructions][4]. pubd also stores the published objects themselves as disk files in a configurable location which should correspond to an appropriate module definition in rsync.conf; see the -configuration guide for details. +[configuration guide][3] for details. ### rootd 
@@ -162,7 +163,7 @@ down protocol. It's a separate program because the root certificate of an RPKI certificate tree requires special handling and may also require a special handling policy. rootd is a simple implementation intended for test use, it's not suitable for use in a production system. All configuration comes via the -config file; see the configuration guide for details. +config file; see the [configuration guide][3] for details. ### irdbd @@ -181,7 +182,7 @@ implementatation. Ordinarly you won't care about this, but if for some reason you need to write your own irdbd implementation, you might find it easier to start from the minimal version. -See the configuration guide for details on configuring irdbd. +See the [configuration guide][3] for details on configuring irdbd. ## Test programs @@ -197,8 +198,8 @@ resource assignments, in a relatively compact form. The test programs use these descriptions to generate a set of configuration files, populate the back end database, and drive the test. -See the test configuration language for details on the content of these YAML -files. +See the [test configuration language][9] for details on the content of these +YAML files. ### smoketest @@ -229,3 +230,13 @@ test description file. This may change in the future. Running yamltest will generate a fairly complete set configuration files, which may be useful as examples. + +[1]: 05.RPKI.RP.md +[2]: 01.RPKI.Installation.md +[3]: 12.RPKI.CA.Configuration.md +[4]: 24.RPKI.CA.MySQLSetup.md +[5]: 27.RPKI.CA.UI.rpkic.md +[6]: 28.RPKI.CA.UI.GUI.md +[7]: 13.RPKI.CA.Configuration.Common.md +[8]: 35.RPKI.CA.Protocols.LeftRight.md +[9]: 22.RPKI.CA.Configuration.Tests.md |
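Review bot: in the first hunk (@@ -6,18), the rewritten sentence `+See the [relying party tools][1] for tools for retrieving, verifying, and` still reads "tools for tools"; since the line is being rewritten anyway, "See the [relying party tools][1] for retrieving, verifying, and using RPKI data." says the same thing without the stutter.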
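Review bot: in hunk @@ -125,18 the changed line `+it, as explained in in the [MySQL setup instructions][4].` carries over the doubled "in in" from the original; drop the duplicate so it matches the equivalent sentence in the pubd section (hunk @@ -150,10), which already reads "as explained in the [MySQL setup instructions][4]".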
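Review bot: hunk @@ -150,10 touches the pubd paragraph but leaves the unchanged context line "must be on a publically reachable server" as is; "publically" should be "publicly", and this docs-polish commit is the natural place to fix it.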
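Review bot: hunk @@ -181,7 sits directly under context lines containing "implementatation" and "Ordinarly"; both are typos ("implementation", "Ordinarily") in the same irdbd section this commit edits, and fixing them here avoids a second pass over the file.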
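Review bot: the final hunk (@@ -229,3) introduces nine reference definitions (`[1]: 05.RPKI.RP.md` through `[9]: 22.RPKI.CA.Configuration.Tests.md`) as bare relative filenames, but nothing in this diff adds or renames those files; please confirm each target exists in doc/ under exactly that name (including `13.RPKI.CA.Configuration.Common.md` and `35.RPKI.CA.Protocols.LeftRight.md`), otherwise every cross-reference this commit converts becomes a dead link in the rendered docs.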