diff options
Diffstat (limited to 'doc/doc.RPKI.CA.UI.rpkic')
| -rw-r--r-- | doc/doc.RPKI.CA.UI.rpkic | 96 |
1 files changed, 0 insertions, 96 deletions
diff --git a/doc/doc.RPKI.CA.UI.rpkic b/doc/doc.RPKI.CA.UI.rpkic deleted file mode 100644 index 22f322c5..00000000 --- a/doc/doc.RPKI.CA.UI.rpkic +++ /dev/null @@ -1,96 +0,0 @@ -****** The rpkic tool ****** - -rpkic is a command line interface to rpkid and pubd. It implements largely the -same functionality as the web interface. In most cases you will want to use the -web interface for normal operation, but rpkic is available if you need it. - -rpkic can be run either in an interactive mode or by passing a single command -on the command line when starting the program; the former mode is intended to -be somewhat human-friendly, the latter mode is useful in scripting, cron jobs, -and automated testing. - -Some rpkic commands write out data files, usually in the current directory. - -rpkic uses the same system-wide rpki.conf file as the other CA tools as its -default configuration file. - -rpkic includes a "help" command which provides inline help for its several -commands. - -***** Selecting an identity ***** - -The handle variable in rpki.conf specifies the handle of the default identity -for an rpkic command, but this is just the default. rpkid can host an arbitrary -number of identities, and rpkic has to be able to control all of them. - -When running rpkic interactively, use rpkic's "select_identity" command to set -the current identity handle. - -When running rpkic with a single command on the command line, use the "-i" (or -"--identity") option to set the current identity handle. - -***** rpkic in setup phase ***** - -See the introduction to the user interfaces for an overview of how setup phase -works. The general structure of the setup phase in rpkic is as described there, -but here we provide the specific commands involved. The following assumes that -you have already installed the software and started the servers. - -* The rpkic "initialize" command writes out an "identity.xml" file in addition - to all of its other tasks. - -* A parent who is using rpkic runs the "configure_child" command to configure - the child, giving this command the identity.xml file the child supplied as - input. configure_child will write out a response XML file, which the parent - sends back to the child. - -* A child who is running rpkic runs the "configure_parent" command to process - the parent's response, giving it the XML file sent back by the parent as - input to this command. configure_parent will write out a publication request - XML file, which the child sents to the repository operator. - -* A repository operator who is using rpkic runs the - "configure_publication_client" command to process a client's publication - request. configure_publication_client generates a confirmation XML message - which the repository operator sends back to the client. - -* A publication client who is using rpkic runs the "configure_repository" - command to process the repository's response. - -***** rpkic in data maintenance phase ***** - -rpkic uses whitespace-delimited text files (called ".csv files", for historical -reasons) to control issuance of addresses and autonomous sequence numbers to -children, and to control issuance of ROAs. See the "load_asns", -"load_prefixes", and "load_roa_requests" commands. - -***** Maintaining child validity data ***** - -All resources issued to child entities are tagged with a validity date. If not -updated, these resources will eventually expire. rpkic includes two commands -for updating these validity dates: - -* "renew_child" updates the validity date for a specific child. - -* "renew_all_children" updates the validity date for all children. - -***** BPKI maintenance ***** - -Certificates and CRLs in the BPKI have expiration dates and netUpdate dates, so -they need to be maintained. Failure to maintain these will eventually cause the -CA software to grind to a halt, as expired certificates will cause CMS -validation failures. - -rpkic's "update_bpki" command takes care of this. Usually one will want to run -this periodically (perhaps once per month), under cron. - -***** Forcing synchronization ***** - -Most rpkic commands synchronize the back end database with the daemons -automatically, so in general it should not be necessary to synchronize -manually. However, since these are separate databases, it is theoretically -possible for them to get out of synch, perhaps because something crashed at -exactly the wrong time. - -rpkic's "synchronize" command runs a synchronization cycle with rpkid (if -run_rpkic is set) and pubd (if run_pubd is set). |