The "`[myrpki]`" section contains all the parameters that you
really need to configure. The name "`myrpki`" is historical and
may change in the future.
Every resource-holding or server-operating entity needs a
"handle", which is just an identifier by which the entity
calls itself. Handles do not need to be globally unique, but
should be chosen with an eye towards debugging operational
problems: it's best if you use a handle that your parents and
children will recognize as being you.
The "`handle`" option in the "`[myrpki]`" section specifies the
default handle for this installation. Previous versions of
the CA tools required a separate configuration file, each with
its own handle setting, for each hosted entity. The current
code allows the current handle to be selected at runtime in
both the GUI and command line user interface tools, so the
handle setting here is just the default when you don't set one
explicitly. In the long run, this option may go away entirely,
but for now you need to set this.
Syntax is an identifier (ASCII letters, digits, hyphen,
underscore -- no whitespace, non-ASCII characters, or other
punctuation).
Directory for BPKI files generated by rpkic and used by rpkid
and pubd. You will not normally need to change this.
Whether you want to run your own copy of rpkid (and irdbd).
Leave this alone unless you're doing something unusual like
running a pubd-only installation.
DNS hostname for rpkid. In most cases, this must resolve to a
publicly-reachable address to be useful, as your RPKI children
will need to contact your rpkid at this address.
Server port number for rpkid. This can be any legal TCP port
number that you're not using for something else.
DNS hostname for irdbd, or "`localhost`". This should be
"`localhost`" unless you really know what you are doing.
Server port number for irdbd. This can be any legal TCP port
number that you're not using for something else.
Whether you want to run your own copy of pubd. In general,
it's best to use your parent's pubd if your parent allows you
to do so, because this will reduce the overall number of
publication sites from which relying parties will need to
retrieve data. However, not all parents offer publication
service, or you may need to run pubd yourself for reliability
reasons, or because you're certifying private address space or
private Autonomous System Numbers.
The out of band setup protocol will attempt to negotiate
publication service for you with whatever publication service
your parent is using, if it can and if you let it.
DNS hostname for pubd, if you're running it. This must
resolve to a publicly reachable address to be useful.
Server port number for pubd. This can be any legal TCP port
number that you're not using for something else.
Contact information to include in offers of repository
service. This only matters when you're running pubd. This
should be a human readable string, perhaps containing an email
address or URL.
Root of local directory tree where pubd should write out published
data. You need to configure this, and the configuration should
match up with the directory where you point rsyncd. Neither pubd
nor rsyncd much cares //where// you tell it to put this stuff; the
important thing is that the rsync URIs in generated
certificates match up with the published objects so that relying
parties can find and verify rpkid's published outputs.
Root of local directory tree where pubd should write out RRDP
files. You need to configure this, and the configuration
should match up with the directory where you point the web
server (usually Apache) that serves the RRDP files. Neither
pubd nor Apache much cares //where// you tell it to put this
stuff; the important thing is that all the URIs match up so
that relying parties can find and verify rpkid's published
outputs.
rsyncd module name corresponding to publication_base_directory.
This has to match the module you configured into `rsyncd.conf`.
Leave this alone unless you have some need to change it.
Hostname and optional port number for rsync URIs. In most cases
this should just be the same value as pubd_server_host.
Base URI for RRDP notification, snapshot, and delta files.
In most cases this should be an HTTPS URL for the directory
on the publication server where the notify.xml lives.
URI for RRDP notification file. You shouldn't need to change this.
rpkid startup control. This should usually have the same value as
run_rpkid: the only case where you would want to change this is
when you are running the back-end code on a different machine from
one or more of the daemons, in which case you need finer control
over which daemons to start on which machines. In such cases,
run_rpkid controls whether the back-end code is doing things to
manage rpkid, while start_rpkid controls whether
rpki-start-servers attempts to start rpkid on this machine.
irdbd startup control. This should usually have the same value as
run_rpkid: the only case where you would want to change this is
when you are running the back-end code on a different machine from
one or more of the daemons, in which case you need finer control
over which daemons to start on which machines. In such cases,
run_rpkid controls whether the back-end code is doing things to
manage rpkid, while start_irdbd controls whether
rpki-start-servers attempts to start irdbd on this machine.
pubd startup control. This should usually have the same value as
run_pubd: the only case where you would want to change this is
when you are running the back-end code on a different machine from
one or more of the daemons, in which case you need finer control
over which daemons to start on which machines. In such cases,
run_pubd controls whether the back-end code is doing things to
manage pubd, while start_pubd controls whether
rpki-start-servers attempts to start pubd on this machine.
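The matching rules above (publication directory versus rsyncd module, rsync host versus pubd host, handle syntax) and the run_/start_ startup controls are easy to get out of step on a split-host deployment, and a relying party rather than you is the one who notices. The following is an added example, not code from the RPKI toolkit: it reads a `[myrpki]` fragment and an `rsyncd.conf` with Python's configparser and reports disagreements. The option names publication_rsync_module and publication_rsync_server are assumed to be the keys behind the rsync module and rsync hostname entries described above, and all sample values are constructed.

```python
import configparser
import re

# Constructed [myrpki] fragment: the rsync host, the module path and
# start_rpkid are deliberately out of step so the checker has findings.
RPKI_CONF = """
[myrpki]
handle = Example-Org
run_rpkid = yes
start_rpkid = no
run_pubd = yes
pubd_server_host = rpki.example.net
publication_base_directory = /usr/share/rpki/publication
publication_rsync_module = rpki
publication_rsync_server = rsync.example.net
"""
# Constructed rsyncd.conf whose [rpki] module serves a different path
# (global rsyncd options before the first module are not handled here).
RSYNCD_CONF = """
[rpki]
path = /var/rpki/publication
"""
# Handle syntax given above: ASCII letters, digits, hyphen, underscore.
HANDLE_RE = re.compile(r"^[A-Za-z0-9_-]+$")
# Each start_* option normally mirrors the run_* option paired with it.
START_RUN_PAIRS = (("start_rpkid", "run_rpkid"), ("start_irdbd", "run_rpkid"),
                   ("start_pubd", "run_pubd"))

def load(text):
    # interpolation=None keeps rpki.conf's ${section::option} references literal.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def check_config(rpki_text, rsyncd_text):
    """Return a list of findings; an empty list means the settings agree."""
    my = load(rpki_text)["myrpki"]
    rsyncd = load(rsyncd_text)
    findings = []
    if not HANDLE_RE.match(my.get("handle", "")):
        findings.append("handle must contain only ASCII letters, digits, '-' or '_'")
    module = my.get("publication_rsync_module")
    if module not in rsyncd:
        findings.append(f"rsyncd.conf defines no module [{module}]")
    elif rsyncd[module].get("path") != my.get("publication_base_directory"):
        findings.append("publication_base_directory differs from the rsyncd module path")
    # Drop an optional :port before comparing the rsync host with pubd's host.
    if my.get("publication_rsync_server", "").split(":")[0] != my.get("pubd_server_host"):
        findings.append("publication_rsync_server host differs from pubd_server_host")
    for start, run in START_RUN_PAIRS:
        if my.get(start, my.get(run)) != my.get(run):
            findings.append(f"{start} differs from {run}: only for split-host deployments")
    return findings
```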
Database engine to use. Default is MySQL, because that's what
we've been using for years. Now that all runtime database
access is via Django ORM, changing to another engine supported
by Django is just a configuration issue.
Current supported values are "mysql" (the default), "sqlite3",
and "postgresql". In theory it should be straightforward to
add support for any SQL engine Django supports.
If you're comfortable with having all of the databases use the
same SQL username, set that value here. The default setting
of this variable should be fine.
If you're comfortable with having all of the databases use the
same SQL password, set that value here. You should use a
locally generated password either here or in the individual
settings below. The installation process generates a random
value for this option, which satisfies this requirement, so
ordinarily you should have no need to change this option.
SQL engine to use for rcynic's database. The default setting
of this variable should be fine.
SQL database name for rcynic's database. The default setting of
this variable should be fine.
If you want to use a separate SQL username for rcynic's database,
set it here.
If you want to use a separate SQL password for rcynic's database,
set it here.
SQL engine to use for rpkid's database. The default setting
of this variable should be fine.
SQL database name for rpkid's database. The default setting of
this variable should be fine.
If you want to use a separate SQL username for rpkid's database,
set it here.
If you want to use a separate SQL password for rpkid's database,
set it here.
SQL engine to use for irdbd's database. The default setting
of this variable should be fine.
SQL database name for irdbd's database. The default setting of this
variable should be fine.
If you want to use a separate SQL username for irdbd's database,
set it here.
If you want to use a separate SQL password for irdbd's database,
set it here.
SQL engine to use for pubd's database. The default setting
of this variable should be fine.
SQL database name for pubd's database. The default setting of
this variable should be fine.
If you want to use a separate SQL username for pubd's database,
set it here.
If you want to use a separate SQL password for pubd's database,
set it here.
Default logging mechanism, can be "file", "syslog", "stderr", or "stdout".
Where to write log files when logging to files.
Default logging level.
Interval between log file rotations, in hours.
Set to zero to disable automatic rotations.
How many old logs to keep before deleting.
rcynicng, unlike its predecessor, uses the same `rpki.conf`
file as all the other programs in the RPKI toolkit. Start
rcynicng with "`-c filename`" to choose a different
configuration file. All options are in the "`[rcynic]`"
section.
SQL engine for rcynic.
SQL database name for rcynic.
SQL user name for rcynic.
SQL password for rcynic.
Logging mechanism, can be "file", "syslog", "stderr", or "stdout".
Where to write log file when logging to a file.
Default logging level.
Interval between log file rotations, in hours.
Set to zero to disable automatic rotations.
How many old logs to keep before deleting.
rpkid's default config file is the system `rpki.conf` file.
Start rpkid with "`-c filename`" to choose a different config
file. All options are in the "`[rpkid]`" section. BPKI
Certificates and keys may be in either DER or PEM format.
SQL engine for rpkid.
SQL database name for rpkid.
SQL user name for rpkid.
SQL password for rpkid.
Host on which rpkid should listen for HTTP service requests.
Port on which rpkid should listen for HTTP service requests.
HTTP service URL rpkid should use to contact irdbd. If irdbd is
running on the same machine as rpkid, this can and probably should
be a loopback URL, since nobody but rpkid needs to talk to irdbd.
Where rpkid should look for the BPKI trust anchor. All BPKI
certificate verification within rpkid traces back to this
trust anchor. Don't change this unless you really know what
you are doing.
Where rpkid should look for its own BPKI EE certificate. Don't
change this unless you really know what you are doing.
Where rpkid should look for the private key corresponding to its
own BPKI EE certificate. Don't change this unless you really know
what you are doing.
Where rpkid should look for irdbd's BPKI EE certificate.
Don't change this unless you really know what you are doing.
Where rpkid should look for the back-end control client's BPKI EE
certificate. Don't change this unless you really know what you
are doing.
Logging mechanism, can be "file", "syslog", "stderr", or "stdout".
Where to write log file when logging to a file.
Default logging level.
Interval between log file rotations, in hours.
Set to zero to disable automatic rotations.
How many old logs to keep before deleting.
irdbd's default configuration file is the system `rpki.conf`
file. Start irdbd with "`-c filename`" to choose a different
configuration file. All options are in the "`[irdbd]`" section.
Since irdbd is part of the back-end system, it has direct access to
the back-end's SQL database, and thus is able to pull its own BPKI
configuration directly from the database, and thus needs a bit less
configuration than the other daemons.
SQL engine for irdbd.
SQL database name for irdbd.
SQL user name for irdbd.
SQL password for irdbd.
Host on which irdbd should listen for HTTP service requests.
Port on which irdbd should listen for HTTP service requests.
String to log on startup, useful when debugging a collection
of irdbd instances at once.
Logging mechanism, can be "file", "syslog", "stderr", or "stdout".
Where to write log file when logging to a file.
Default logging level.
Interval between log file rotations, in hours.
Set to zero to disable automatic rotations.
How many old logs to keep before deleting.
pubd's default configuration file is the system `rpki.conf`
file. Start pubd with "`-c filename`" to choose a different
configuration file. All options are in the "`[pubd]`" section.
BPKI certificates and keys may be either DER or PEM format.
SQL engine for pubd.
SQL database name for pubd.
SQL user name for pubd.
SQL password for pubd.
Root of directory tree where pubd should write out published data.
You need to configure this, and the configuration should match up
with the directory where you point rsyncd. Neither pubd nor rsyncd
much cares //where// you tell them to put this stuff; the important
thing is that the rsync URIs in generated certificates match up
with the published objects so that relying parties can find and
verify rpkid's published outputs.
Root of local directory tree where pubd should write out RRDP
files. You need to configure this, and the configuration
should match up with the directory where you point the web
server (usually Apache) that serves the RRDP files. Neither
pubd nor Apache much cares //where// you tell it to put this
stuff; the important thing is that all the URIs match up so
that relying parties can find and verify rpkid's published
outputs.
Host on which pubd should listen for HTTP service requests.
Port on which pubd should listen for HTTP service requests.
Where pubd should look for the BPKI trust anchor. All BPKI
certificate verification within pubd traces back to this
trust anchor. Don't change this unless you really know what
you are doing.
Where pubd should look for its own BPKI EE certificate. Don't
change this unless you really know what you are doing.
Where pubd should look for the private key corresponding to its
own BPKI EE certificate. Don't change this unless you really know
what you are doing.
Where pubd should look for the CRL covering its own BPKI EE
certificate. Don't change this unless you really know what
you are doing.
Where pubd should look for the back-end control client's BPKI EE
certificate. Don't change this unless you really know what you
are doing.
RRDP base URI for naming snapshots and deltas.
Logging mechanism, can be "file", "syslog", "stderr", or "stdout".
Where to write log file when logging to a file.
Default logging level.
Interval between log file rotations, in hours.
Set to zero to disable automatic rotations.
How many old logs to keep before deleting.
Logging mechanism, can be "file", "syslog", "stderr", or "stdout".
Where to write log file when logging to a file.
Default logging level.
Interval between log file rotations, in hours.
Set to zero to disable automatic rotations.
How many old logs to keep before deleting.
Glue to allow Django to pull user configuration from this file
rather than requiring the user to edit settings.py.
Site-specific secret key for Django.
Name of virtual host that runs the Django GUI, if this is not
the same as the system hostname. Django's security code wants
to know the name of the virtual host on which Django is
running, and will fail when it thinks it's running on a
disallowed host.
If you get an error like "Invalid HTTP_HOST header (you may
need to set ALLOWED_HOSTS)", you will need to set this option.
A directory large enough to hold the RouteViews.org routing table dump
fetched by the rpkigui-import-routes script.
Default logging level for the web portal.
Configuration for the rpkigui-import-routes auxiliary script.
Select the input format. Valid input types are 'text' for 'sh ip bgp' format, and 'mrt'
for MRT.
Path to the bgpdump command line utility, used for importing MRT format files.
Sleep for a random amount of seconds between 0 and this value before starting the download.
Path to use for the lockfile to prevent multiple executions.
How long in seconds to wait for the download to complete before aborting.
Specify where to fetch the route dump. May be a filename or URL.
Where to store local copy of route dump when 'filename' is a URL.
Logging mechanism, can be "file", "syslog", "stderr", or "stdout".
Where to write log file when logging to a file.
Default logging level.
Interval between log file rotations, in hours.
Set to zero to disable automatic rotations.
How many old logs to keep before deleting.
rpki-confgen --autoconf records the current autoconf settings
here, so that other options can refer to them. The section name
"autoconf" is magic, don't change it.
Usually /usr/bin or /usr/local/bin.
Usually /usr/share or /usr/local/share.
Usually /usr/sbin or /usr/local/sbin.
Usually /etc or /usr/local/etc.