Diffstat (limited to 'myrpki/examples/myrpki.conf')
-rw-r--r-- | myrpki/examples/myrpki.conf | 397 |
1 files changed, 311 insertions, 86 deletions
diff --git a/myrpki/examples/myrpki.conf b/myrpki/examples/myrpki.conf index 79037874..a61175a1 100644 --- a/myrpki/examples/myrpki.conf +++ b/myrpki/examples/myrpki.conf 
@@ -1,12 +1,43 @@ # $Id: myrpki.conf 2722 2009-08-31 22:24:48Z sra $ # -# Config file for myrpi.py; note that this is also read by the OpenSSL -# command line tool running under mypki.py, so syntax must remain -# compatable with both OpenSSL and Python config file parsers, and -# large portions of this are OpenSSL voodoo. +# Config file for myrpki.py, myirbe.py, and RPKI daemons when used +# with myrpki.py etc. Notes: +# +# - There's some duplication of settings between some of the sections, +# because each of the several daemons and control programs was +# written as a free-standing program. Lumping all of the config for +# all of them into a single config file is just a convenience for +# simple configurations; in complex cases you might not have any two +# of them running on the same machine. +# +# - This config file is also read by the OpenSSL command line tool +# running under mypki.py, so syntax must remain compatable with both +# OpenSSL and Python config file parsers, and there's a big chunk of +# OpenSSL voodoo towards the end of this file. + +################################################################ [myrpki] + +# Handle naming hosted resource-holding entity (<self/>) represented +# by this myrpki instance. You need to set this. + handle = Me + +# BPKI trust anchor for the repository in which this <self/> will be +# publishing its outputs. You need to set this. + +repository_bpki_certificate = repository-ta.cer + +# Name by which repository will know this <self/>. This may be a +# structured handle, eg, "Grandma/Mom/Me" or might be a simple handle, +# depending on how the repository is set up. You need to set this. + +repository_handle = Me + +# Names of various input and output files. Don't change these without +# a good reason. + roa_csv = roas.csv children_csv = children.csv parents_csv = parents.csv 
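Review bot: The rewritten header comment carries two typos over from the removed text: `# running under mypki.py, so syntax must remain compatable with both` should read `# running under myrpki.py, so syntax must remain compatible with both`, and this paragraph is the one place that tells editors why the file has to stay parseable by both OpenSSL and Python. The comment above the new `repository_bpki_certificate = repository-ta.cer` says only "You need to set this"; since the value names a trust anchor, I would add `# Obtain this certificate from the repository operator over a trusted channel and verify it before use.` One blank context line of this hunk appears to have been lost in the rendering, so the line count here cannot be checked against the header.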
@@ -14,135 +45,186 @@ prefix_csv = prefixes.csv asn_csv = asns.csv xml_filename = myrpki.xml bpki_directory = bpki.myrpki -repository_bpki_certificate = bpki.pubd/ca.cer -repository_handle = Me -[constants] -digest = sha256 -key_length = 2048 -cert_days = 365 -crl_days = 365 +################################################################# [myirbe] -irdbd_conf = irdbd.conf -bpki_directory = bpki.myirbe -want_pubd = true -want_rootd = true -pubd_base = https://localhost:4402 -rpkid_base = https://localhost:4404 -[req] -default_bits = ${constants::key_length} -default_md = ${constants::digest} -distinguished_name = req_dn -prompt = no -encrypt_key = no +# Base of service URL for pubd. myirbe.py uses this value to +# configure <repository/> objects in rpkid. If you are running your +# own copy of pubd (see "want_pubd"), myirbe.py also uses this to +# contact your copy of pubd in order to configure it. +# +# You need to configure this. -[req_dn] -CN = Dummy name for certificate request +pubd_base = https://pubd.example.org:4402/ -[ca_x509_ext_ee] -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always +# Base of service URL for rpkid. myirbe.py uses this to contact your +# rpkid so it can configure it. +# +# You need to configure this. -[ca_x509_ext_xcert0] -basicConstraints = critical,CA:true,pathlen:0 -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always +rpkid_base = https://rpkid.example.org:4404 -[ca_x509_ext_xcert1] -basicConstraints = critical,CA:true,pathlen:1 -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always +# Whether you want myirbe.py to attempt to configure your own copy of +# pubd. In general, it's best to use your parent's pubd if you can, +# to reduce the overall number of publication sites that relying +# parties need to check, so don't enable this unless you have a good +# reason. See the [pubd] section if you do enable this. 
+# +# Enabling this when you are -not- running your own copy of pubd will +# cause myirbe.py to fail when it attempts to perform runtime +# configuration of your nonexistant pubd. -[ca_x509_ext_ca] -basicConstraints = critical,CA:true -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always +want_pubd = false -[ca] -default_ca = ca -dir = ${ENV::BPKI_DIRECTORY} -new_certs_dir = $dir -database = $dir/index -certificate = $dir/ca.cer -private_key = $dir/ca.key -default_days = ${constants::cert_days} -default_crl_days = ${constants::crl_days} -default_md = ${constants::digest} -policy = ca_dn_policy -unique_subject = no -serial = $dir/serial -crlnumber = $dir/crl_number +# Whether you want myirbe.py to generate BPKI certs for running your +# very own copy of rootd. Don't enable this unless you really know +# what you're doing. See [rootd] section below for further comments. -[ca_dn_policy] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional -givenName = optional -surname = optional +want_rootd = false + +# Where to put BPKI stuff for the IRBE operator (entity that operates +# rpkid etc). Don't change this without a reason. + +bpki_directory = bpki.myirbe + +################################################################# [rpkid] +# MySQL database name, user name, and password for rpkid to use to +# store its data. You need to configure these. + sql-database = rpki sql-username = rpki sql-password = fnord + +# Host and port on which rpkid should listen for HTTPS service +# requests. These should match rpkid_base in the [myirbe] section. +# You need to configure these. + +server-host = rpkid.example.org +server-port = 4404 + +# HTTPS service URL rpkid should use to contact irdbd. 
If irdbd is +# running on the same machine as rpkid, this can and probably should +# be a loopback URL, since nobody but rpkid needs to talk to irdbd. + +irdb-url = https://localhost:4403/ + +# Where rpkid should look for BPKI certs and keys used in the +# left-right protocol. The following values match where myirbe.py +# will have placed things. Don't change these without a reason. + bpki-ta = bpki.myirbe/ca.cer rpkid-key = bpki.myirbe/rpkid.key rpkid-cert = bpki.myirbe/rpkid.cer irdb-cert = bpki.myirbe/irdbd.cer irbe-cert = bpki.myirbe/irbe.cer -irdb-url = https://localhost:4403/ -server-host = localhost -server-port = 4404 + +################################################################# [irdbd] +# MySQL database name, user name, and password for irdbd to use to +# store its data. You need to configure these. + sql-database = irdb sql-username = irdb sql-password = fnord + +# HTTP service URL irdbd should listen on. This should match the +# irdb-url parameter in the [rpkid] section; see comments there. + +https-url = https://localhost:4403/ + +# Where irdbd should look for BPKI certs and keys used in the +# left-right protocol. The following values match where myirbe.py +# will have placed things. Don't change these without a reason. + bpki-ta = bpki.myirbe/ca.cer rpkid-cert = bpki.myirbe/rpkid.cer irdbd-cert = bpki.myirbe/irdbd.cer irdbd-key = bpki.myirbe/irdbd.key -https-url = https://localhost:4403/ + +################################################################# [pubd] -startup-message = This is pubd +# MySQL database name, user name, and password for pubd to use to +# store (some of) its data. You need to configure these. sql-database = pubd sql-username = pubd sql-password = fnord + +# Root of directory tree where pubd should write out published data. +# You need to configure this, and the configuration should match up +# with the directory where you point rsyncd. 
Neither pubd nor rsyncd +# much cares -where- you tell them to put this stuff, the important +# thing is that the rsync:// URIs in generated certificates match up +# with the published objects so that relying parties can find and +# verify rpkid's published outputs. + +publication-base = publication/ + +# Host and port on which pubd should listen for HTTPS service +# requests. These should match pubd_base in the [myirbe] section. +# You need to configure these. + +server-host = pubd.example.org +server-port = 4402 + +# Where pubd should look for BPKI certs and keys used in the +# left-right protocol. The following values match where myirbe.py +# will have placed things. Don't change these without a reason. + bpki-ta = bpki.myirbe/ca.cer pubd-cert = bpki.myirbe/pubd.cer pubd-key = bpki.myirbe/pubd.key irbe-cert = bpki.myirbe/irbe.cer -server-host = localhost -server-port = 4402 -publication-base = publication/ + +################################################################# [irbe_cli] +# HTTPS service URL for rpkid + +rpkid-url = https://rpkid.example.org:4404/left-right/ + +# BPKI certificates and keys for talking to rpkid + rpkid-bpki-ta = bpki.myirbe/ca.cer rpkid-irbe-key = bpki.myirbe/irbe.key rpkid-irbe-cert = bpki.myirbe/irbe.cer rpkid-cert = bpki.myirbe/rpkid.cer -rpkid-url = https://localhost:4404/left-right/ + +# HTTPS service URL for pubd + +pubd-url = https://localhost:4402/control/ + +# BPKI certificates and keys for talking to pubd pubd-bpki-ta = bpki.myirbe/ca.cer pubd-irbe-key = bpki.myirbe/irbe.key pubd-irbe-cert = bpki.myirbe/irbe.cer pubd-cert = bpki.myirbe/pubd.cer -pubd-url = https://localhost:4402/control/ + +################################################################# + +# You don't need to run rootd unless you're IANA, are certifying +# private address space, or are an RIR which refuses to accept IANA as +# the root of the public address hierarchy. 
+# +# Ok, if that wasn't enough to scare you off: rootd is a kludge, and +# needs to be rewritten, or, better, merged into rpkid. It does a +# number of things wrong, and requires far too many configuration +# parameters. You have been warned.... [rootd] -startup-message = This is rootd +# BPKI certificates and keys for rootd bpki-ta = bpki.myirbe/ca.cer rootd-bpki-crl = bpki.myirbe/ca.crl 
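Review bot: In [irbe_cli] the new `pubd-url = https://localhost:4402/control/` still points at loopback while the same commit moves `rpkid-url` to rpkid.example.org and sets pubd's `server-host = pubd.example.org`; unless pubd is assumed to run on the irbe_cli host, it should follow the same pattern, `pubd-url = https://pubd.example.org:4402/control/`, or a comment should say why it differs. The [rpkid], [irdbd] and [pubd] sections all ship `sql-password = fnord` in clear text with only "You need to configure these" above them; I would make the comment explicit, e.g. `# "fnord" is a placeholder; replace it, and keep this file readable only by the daemon's user.`, because this example is the file people will copy. The [irdbd] comment `# HTTP service URL irdbd should listen on.` sits above an HTTPS key (`https-url`), so `HTTPS` is the accurate word there. `pubd_base` ends in a slash while `rpkid_base` does not; whether that matters depends on how myirbe.py joins the service path, which is not visible in this file.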
@@ -150,33 +232,176 @@ rootd-bpki-cert = bpki.myirbe/rootd.cer rootd-bpki-key = bpki.myirbe/rootd.key child-bpki-cert = bpki.myirbe/child.cer +# Server port on which rootd should listen. + server-port = 4401 +# Where rootd should write its output. Yes, rootd should be using +# pubd instead of publishing directly, but it doesn't. + rpki-root-dir = publication/ -rpki-base-uri = rsync://localhost:4400/Me/ -rpki-root-cert-uri = rsync://localhost:4400/Me/root.cer + +# rsync URI for directory containing rootd's outputs + +rpki-base-uri = rsync://rpki.example.org/Me/ + +# rsync URI for rootd's root (self-signed) RPKI certificate + +rpki-root-cert-uri = rsync://rpki.example.org/Me/root.cer + +# Private key corresponding to rootd's root RPKI certificate rpki-root-key = bpki.myirbe/ca.key + +# Filename (as opposed to rsync URI) of rootd's root RPKI certificate + rpki-root-cert = publication/root.cer +# Where rootd should stash a copy of the PKCS #10 request it gets from +# its one (and only) child + rpki-subject-pkcs10 = rootd.subject.pkcs10 + +# Lifetime of the one and only certificate rootd issues + rpki-subject-lifetime = 30d +# Filename (relative to rootd-base-uri and rpki-root-dir) of the CRL +# for rootd's root RPKI certificate + rpki-root-crl = root.crl + +# Filename (relative to rootd-base-uri and rpki-root-dir) of the +# manifest for rootd's root RPKI certificate + rpki-root-manifest = root.mnf +# Up-down protocol class name for RPKI certificate rootd issues to its +# one (and only) child + rpki-class-name = Me + +# Filename (relative to rootd-base-uri and rpki-root-dir) of the one +# (and only) RPKI certificate rootd issues + rpki-subject-cert = Me.cer -[rpki_x509_extensions] +# The last four paramters in this section are really parameters for +# myirbe.py to use when constructing rootd's root RPKI certificate, +# via an indirection hack in the OpenSSL voodoo portion of this file. 
+# Don't ask why some of these are duplicated from other paramters in +# this section, you don't want to know (really, you don't). + +# ASNs to include in rootd's root RPKI certificate, in openssl.conf format + +root_cert_asns = AS:0-4294967295 + +# IP addresses to include in rootd's root RPKI certificate, in +# openssl.conf format + +root_cert_addrs = IPv4:0.0.0.0/0,IPv6:0::/0 + +# Whatever you put in rpki-base-uri, earlier in this section + +root_cert_sia = rsync://rpki.example.org/Me/ + +# root_cert_sia + rpki-root-manifest + +root_cert_manifest = rsync://rpki.example.org/Me/root.mnf + +################################################################# + +# Constants for OpenSSL voodoo portion of this file, to make them +# easier to find. + +[constants] + +# Digest algorithm. Don't change this. + +digest = sha256 + +# RSA key length. Don't change this. + +key_length = 2048 + +# Lifetime of BPKI certificates (and rootd RPKI root certificate). +# Don't change this unless you know what you're doing. + +cert_days = 365 + +# Lifetime of BPKI CRLs. Don't change this unless you know what +# you're doing. + +crl_days = 365 + +################################################################# + +# The rest of this file is OpenSSL configuration voodoo. Don't touch +# anything below here even if you -do- know what you're doing. Even +# by OpenSSL standards, some of this is weird, and interacts in +# non-obvious ways with code in myrpki.py and myirbe.py. If you touch +# this stuff and something breaks, don't say you weren't warned. 
+ +[req] +default_bits = ${constants::key_length} +default_md = ${constants::digest} +distinguished_name = req_dn +prompt = no +encrypt_key = no + +[req_dn] +CN = Dummy name for certificate request + +[ca_x509_ext_ee] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always + +[ca_x509_ext_xcert0] +basicConstraints = critical,CA:true,pathlen:0 +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always + +[ca_x509_ext_xcert1] +basicConstraints = critical,CA:true,pathlen:1 +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always + +[ca_x509_ext_ca] +basicConstraints = critical,CA:true +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always + +[ca] +default_ca = ca +dir = ${ENV::BPKI_DIRECTORY} +new_certs_dir = $dir +database = $dir/index +certificate = $dir/ca.cer +private_key = $dir/ca.key +default_days = ${constants::cert_days} +default_crl_days = ${constants::crl_days} +default_md = ${constants::digest} +policy = ca_dn_policy +unique_subject = no +serial = $dir/serial +crlnumber = $dir/crl_number + +[ca_dn_policy] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional +givenName = optional +surname = optional + +[rootd_x509_extensions] basicConstraints = critical,CA:true subjectKeyIdentifier = hash keyUsage = critical,keyCertSign,cRLSign -subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:rsync://localhost:4400/Me/,1.3.6.1.5.5.7.48.10;URI:rsync://localhost:4400/Me/root.mnf -sbgp-autonomousSysNum = critical,AS:0-4294967295 -sbgp-ipAddrBlock = critical,IPv4:0.0.0.0/0,IPv6:0::/0 -certificatePolicies = critical, @rpki_certificate_policy - -[rpki_certificate_policy] - -policyIdentifier = 1.3.6.1.5.5.7.14.2 +subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:${rootd::root_cert_sia},1.3.6.1.5.5.7.48.10;URI:${rootd::root_cert_manifest} +sbgp-autonomousSysNum = critical,${rootd::root_cert_asns} 
+sbgp-ipAddrBlock = critical,${rootd::root_cert_addrs} +certificatePolicies = critical,1.3.6.1.5.5.7.14.2 |
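Review bot: Three of the new [rootd] comments refer to a key that does not exist in this file: `# Filename (relative to rootd-base-uri and rpki-root-dir) of the CRL`, and the matching lines above `rpki-root-manifest` and `rpki-subject-cert`, should say `rpki-base-uri`, the key actually defined a few lines earlier. The new comment `# Private key corresponding to rootd's root RPKI certificate` sits above the unchanged `rpki-root-key = bpki.myirbe/ca.key`, which appears to be the same file as the BPKI CA key that `bpki-ta = bpki.myirbe/ca.cer` pairs with and that the [ca] section signs with when BPKI_DIRECTORY is bpki.myirbe; if the RPKI root and the BPKI trust anchor really share one private key, the comment should state that this is deliberate, since a compromise of either role then exposes both. `paramters` appears twice in the comment introducing `root_cert_asns` and should be `parameters`.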