#!/usr/bin/env python """ Generate an RPKI root certificate for rootd. In most cases you should not need to do this; see caveats in the manual about running rootd if you think you need this. This script does nothing that can't also be done with the OpenSSL command line tool, but on some platforms the installed copy of openssl doesn't understand the RFC 3779 extensions. """ import os import sys import time import argparse import rpki.x509 import rpki.config import rpki.sundial import rpki.resource_set os.environ["TZ"] = "UTC" time.tzset() parser = argparse.ArgumentParser(description = __doc__) parser.add_argument("-c", "--config", help = "configuration file") parser.add_argument("-a", "--asns", default = "0-4294967295", help = "ASN resources") parser.add_argument("-4", "--ipv4", default = "0.0.0.0/0", help = "IPv4 resources") parser.add_argument("-6", "--ipv6", default = "::/0", help = "IPv6 resources") parser.add_argument("--certificate", default = "root.cer", help = "certificate file") parser.add_argument("--key", default = "root.key", help = "key file") parser.add_argument("--tal", default = "root.tal", help = "TAL file") args = parser.parse_args() cfg = rpki.config.parser(args.config, "rootd") resources = rpki.resource_set.resource_bag( asn = rpki.resource_set.resource_set_as(args.asns), v4 = rpki.resource_set.resource_set_ipv4(args.ipv4), v6 = rpki.resource_set.resource_set_ipv6(args.ipv6)) keypair = rpki.x509.RSA.generate(quiet = True) sia = cfg.get("rpki-base-uri") sia = (sia, sia + "root.mft", None) uri = cfg.get("rpki-root-cert-uri") cert = rpki.x509.X509.self_certify( keypair = keypair, subject_key = keypair.get_public(), serial = 1, sia = sia, notAfter = rpki.sundial.now() + rpki.sundial.timedelta(days = 365), resources = resources) with open(args.certificate, "wb") as f: f.write(cert.get_DER()) with open(args.key, "wb") as f: f.write(keypair.get_DER()) with open(args.tal, "w") as f: f.write(uri + "\n\n" + keypair.get_public().get_Base64())