The "`[myrpki]`" section contains all the parameters that you
really need to configure. The name "`myrpki`" is historical and
may change in the future.
Every resource-holding or server-operating entity needs a
"handle", which is just an identifier by which the entity
calls itself. Handles do not need to be globally unique, but
should be chosen with an eye towards debugging operational
problems: it's best if you use a handle that your parents and
children will recognize as being you.
The "`handle`" option in the "`[myrpki]`" section specifies the
default handle for this installation. Previous versions of
the CA tools required a separate configuration file, each with
its own handle setting, for each hosted entity. The current
code allows the current handle to be selected at runtime in
both the GUI and command line user interface tools, so the
handle setting here is just the default when you don't set one
explicitly. In the long run, this option may go away entirely,
but for now you need to set this.
Syntax is an identifier (ASCII letters, digits, hyphen,
underscore -- no whitespace, non-ASCII characters, or other
punctuation).
Directory for BPKI files generated by rpkic and used by rpkid
and pubd. You will not normally need to change this.
Whether you want to run your own copy of rpkid (and irdbd).
Leave this alone unless you're doing something unusual like
running a pubd-only installation.
DNS hostname for rpkid. In most cases, this must resolve to a
publicly-reachable address to be useful, as your RPKI children
will need to contact your rpkid at this address.
Server port number for rpkid. This can be any legal TCP port
number that you're not using for something else.
DNS hostname for irdbd, or "`localhost`". This should be
"`localhost`" unless you really know what you are doing.
Server port number for irdbd. This can be any legal TCP port
number that you're not using for something else.
Whether you want to run your own copy of pubd. In general,
it's best to use your parent's pubd if your parent allows you
to do so, because this will reduce the overall number of
publication sites from which relying parties will need to
retrieve data. However, not all parents offer publication
service, or you may need to run pubd yourself for reliability
reasons, or because you're certifying private address space or
private Autonomous System Numbers.
The out of band setup protocol will attempt to negotiate
publication service for you with whatever publication service
your parent is using, if it can and if you let it.
DNS hostname for pubd, if you're running it. This must
resolve to a publicly reachable address to be useful.
Server port number for pubd. This can be any legal TCP port
number that you're not using for something else.
Contact information to include in offers of repository
service. This only matters when you're running pubd. This
should be a human readable string, perhaps containing an email
address or URL.
Whether you want to run your very own copy of rootd. Don't
enable this unless you really know what you're doing.
DNS hostname for rootd, if you're running it. This should be
"`localhost`" unless you really know what you are doing.
Server port number for rootd, if you're running it. This can
be any legal TCP port number that you're not using for
something else.
Root of local directory tree where pubd should write out published
data. You need to configure this, and the configuration should
match up with the directory where you point rsyncd. Neither pubd
nor rsyncd much cares //where// you tell it to put this stuff, the
important thing is that the rsync URIs in generated
certificates match up with the published objects so that relying
parties can find and verify rpkid's published outputs.
Root of local directory tree where pubd should write out RRDP
files. You need to configure this, and the configuration
should match up with the directory where you point the web
server (usually Apache) that serves the RRDP files. Neither
pubd nor Apache much cares //where// you tell it to put this
stuff, the important thing is that all the URIs match up so
that relying parties can find and verify rpkid's published
outputs.
rsyncd module name corresponding to publication_base_directory.
This has to match the module you configured into `rsyncd.conf`.
Leave this alone unless you have some need to change it.
Hostname and optional port number for rsync URIs. In most cases
this should just be the same value as pubd_server_host.
Base URI for RRDP notification, snapshot, and delta files.
In most cases this should be an HTTPS URL for the directory
on the publication server where the notify.xml lives.
URI for RRDP notification file. You shouldn't need to change this.
rpkid startup control. This should usually have the same value as
run_rpkid: the only case where you would want to change this is
when you are running the back-end code on a different machine from
one or more of the daemons, in which case you need finer control
over which daemons to start on which machines. In such cases,
run_rpkid controls whether the back-end code is doing things to
manage rpkid, while start_rpkid controls whether
rpki-start-servers attempts to start rpkid on this machine.
irdbd startup control. This should usually have the same value as
run_rpkid: the only case where you would want to change this is
when you are running the back-end code on a different machine from
one or more of the daemons, in which case you need finer control
over which daemons to start on which machines. In such cases,
run_rpkid controls whether the back-end code is doing things to
manage rpkid, while start_irdbd controls whether
rpki-start-servers attempts to start irdbd on this machine.
pubd startup control. This should usually have the same value as
run_pubd: the only case where you would want to change this is
when you are running the back-end code on a different machine from
one or more of the daemons, in which case you need finer control
over which daemons to start on which machines. In such cases,
run_pubd controls whether the back-end code is doing things to
manage pubd, while start_pubd controls whether
rpki-start-servers attempts to start pubd on this machine.
rootd startup control. This should usually have the same value as
run_rootd: the only case where you would want to change this is
when you are running the back-end code on a different machine from
one or more of the daemons, in which case you need finer control
over which daemons to start on which machines. In such cases,
run_rootd controls whether the back-end code is doing things to
manage rootd, while start_rootd controls whether
rpki-start-servers attempts to start rootd on this machine.
Database engine to use. Default is MySQL, because that's what
we've been using for years. Now that all runtime database
access is via Django ORM, changing to another engine supported
by Django is just a configuration issue.
Current supported values are "mysql" (the default), "sqlite3",
and "postgresql". In theory it should be straightforward to
add support for any SQL engine Django supports.
If you're comfortable with having all of the databases use the
same SQL username, set that value here. The default setting
of this variable should be fine.
If you're comfortable with having all of the databases use the
same SQL password, set that value here. You should use a
locally generated password either here or in the individual
settings below. The installation process generates a random
value for this option, which satisfies this requirement, so
ordinarily you should have no need to change this option.
SQL engine to use for rcynic's database. The default setting
of this variable should be fine.
SQL database name for rcynic's database. The default setting of
this variable should be fine.
If you want to use a separate SQL username for rcynic's database,
set it here.
If you want to use a separate SQL password for rcynic's database,
set it here.
SQL engine to use for rpkid's database. The default setting
of this variable should be fine.
SQL database name for rpkid's database. The default setting of
this variable should be fine.
If you want to use a separate SQL username for rpkid's database,
set it here.
If you want to use a separate SQL password for rpkid's database,
set it here.
SQL engine to use for irdbd's database. The default setting
of this variable should be fine.
SQL database name for irdbd's database. The default setting of
this variable should be fine.
If you want to use a separate SQL username for irdbd's database,
set it here.
If you want to use a separate SQL password for irdbd's database,
set it here.
SQL engine to use for pubd's database. The default setting
of this variable should be fine.
SQL database name for pubd's database. The default setting of
this variable should be fine.
If you want to use a separate SQL username for pubd's database,
set it here.
If you want to use a separate SQL password for pubd's database,
set it here.
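The per-daemon SQL options above fall back to the shared engine, username and password, and the page's one hard requirement is that whichever password ends up in effect is locally generated rather than a placeholder. The script below is an added example, not the toolkit's own code, that resolves the effective settings for each daemon into the Django `DATABASES` shape the page says the runtime uses and flags weak passwords. The option names (`shared_sql_engine`, `rpkid_sql_password`, and so on) and the "per-daemon value if set, otherwise shared value" fallback are assumptions modelled on the description above; the `django.db.backends.*` engine paths are Django's own. The configuration fragment is constructed for the example.

```python
"""Resolve per-daemon SQL settings from rpki.conf and flag weak passwords (added example)."""
import configparser

# Engines the page lists, mapped to Django's backend module paths.
DJANGO_ENGINES = {
    "mysql": "django.db.backends.mysql",
    "sqlite3": "django.db.backends.sqlite3",
    "postgresql": "django.db.backends.postgresql",
}
DAEMONS = ("rcynic", "rpkid", "irdbd", "pubd")
# Values that indicate nobody generated a real password.
PLACEHOLDERS = {"", "password", "changeme", "secret", "fnord"}

# Constructed sample: shared MySQL credentials, rcynic on sqlite3, and pubd
# with its own (bad) password.  Option names are assumptions, see lead-in.
SAMPLE_RPKI_CONF = """\
[myrpki]
shared_sql_engine = mysql
shared_sql_username = rpki
shared_sql_password = 4a9f1c7e2b8d6e0f3c5a7b9d1e2f4a6c
rcynic_sql_engine = sqlite3
rcynic_sql_database = rcynic
rpkid_sql_database = rpki
irdbd_sql_database = irdb
pubd_sql_database = pubd
pubd_sql_username = pubd
pubd_sql_password = changeme
"""


def resolve_sql_settings(text):
    """Return {daemon: Django-style DATABASES entry} with shared-value fallback."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    my = cp["myrpki"]
    settings = {}
    for daemon in DAEMONS:
        def pick(what):
            # Per-daemon option wins if present and non-empty, else shared.
            return my.get("%s_sql_%s" % (daemon, what)) or my.get("shared_sql_%s" % what, "")
        engine = pick("engine")
        if engine not in DJANGO_ENGINES:
            raise ValueError("unsupported SQL engine %r for %s" % (engine, daemon))
        settings[daemon] = {
            "ENGINE": DJANGO_ENGINES[engine],
            "NAME": my.get("%s_sql_database" % daemon, daemon),
            "USER": pick("username"),
            "PASSWORD": pick("password"),
        }
    return settings


def weak_password_findings(settings):
    """Flag daemons whose effective SQL password is absent, a placeholder, or short."""
    findings = []
    for daemon, entry in settings.items():
        if entry["ENGINE"].endswith("sqlite3"):
            continue  # sqlite3 relies on file permissions, there is no SQL password
        password = entry["PASSWORD"]
        if password.lower() in PLACEHOLDERS or len(password) < 16:
            findings.append("%s: SQL password is missing, a placeholder, or too short" % daemon)
    return findings


if __name__ == "__main__":
    resolved = resolve_sql_settings(SAMPLE_RPKI_CONF)
    for daemon, entry in resolved.items():
        print(daemon, entry["ENGINE"], entry["NAME"], entry["USER"])
    for finding in weak_password_findings(resolved):
        print("WARNING:", finding)
```

With the sample, rpkid and irdbd inherit the shared 32-character password and pass, rcynic is skipped because sqlite3 has no password, and pubd is flagged for `changeme`. Switching an engine is indeed just configuration: the `rcynic_sql_engine = sqlite3` line changes only the `ENGINE` string handed to Django.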
rcynicng, unlike its predecessor, uses the same `rpki.conf`
file as all the other programs in the RPKI toolkit. Start
rcynicng with "`-c filename`" to choose a different
configuration file. All options are in the "`[rcynic]`"
section.
This section isn't really fleshed out yet, and just contains the
settings needed for the new SQL code to work. This will change
as the stuff that's currently only configurable on rcynicng's
command line becomes integrated with the configuration file.
SQL engine for rcynic.
SQL database name for rcynic.
SQL user name for rcynic.
SQL password for rcynic.
rpkid's default config file is the system `rpki.conf` file.
Start rpkid with "`-c filename`" to choose a different config
file. All options are in the "`[rpkid]`" section. BPKI
Certificates and keys may be in either DER or PEM format.
SQL engine for rpkid.
SQL database name for rpkid.
SQL user name for rpkid.
SQL password for rpkid.
Host on which rpkid should listen for HTTP service requests.
Port on which rpkid should listen for HTTP service requests.
HTTP service URL rpkid should use to contact irdbd. If irdbd is
running on the same machine as rpkid, this can and probably should
be a loopback URL, since nobody but rpkid needs to talk to irdbd.
Where rpkid should look for the BPKI trust anchor. All BPKI
certificate verification within rpkid traces back to this
trust anchor. Don't change this unless you really know what
you are doing.
Where rpkid should look for its own BPKI EE certificate. Don't
change this unless you really know what you are doing.
Where rpkid should look for the private key corresponding to its
own BPKI EE certificate. Don't change this unless you really know
what you are doing.
Where rpkid should look for irdbd's BPKI EE certificate.
Don't change this unless you really know what you are doing.
Where rpkid should look for the back-end control client's BPKI EE
certificate. Don't change this unless you really know what you
are doing.
irdbd's default configuration file is the system `rpki.conf`
file. Start irdbd with "`-c filename`" to choose a different
configuration file. All options are in the "`[irdbd]`" section.
Since irdbd is part of the back-end system, it has direct access to
the back-end's SQL database, and thus is able to pull its own BPKI
configuration directly from the database, and thus needs a bit less
configuration than the other daemons.
SQL engine for irdbd.
SQL database name for irdbd.
SQL user name for irdbd.
SQL password for irdbd.
Host on which irdbd should listen for HTTP service requests.
Port on which irdbd should listen for HTTP service requests.
String to log on startup, useful when debugging a collection
of irdbd instances at once.
pubd's default configuration file is the system `rpki.conf`
file. Start pubd with "`-c filename`" to choose a different
configuration file. All options are in the "`[pubd]`" section.
BPKI certificates and keys may be either DER or PEM format.
SQL engine for pubd.
SQL database name for pubd.
SQL user name for pubd.
SQL password for pubd.
Root of directory tree where pubd should write out published data.
You need to configure this, and the configuration should match up
with the directory where you point rsyncd. Neither pubd nor rsyncd
much cares //where// you tell them to put this stuff, the important
thing is that the rsync URIs in generated certificates match up
with the published objects so that relying parties can find and
verify rpkid's published outputs.
Root of local directory tree where pubd should write out RRDP
files. You need to configure this, and the configuration
should match up with the directory where you point the web
server (usually Apache) that serves the RRDP files. Neither
pubd nor Apache much cares //where// you tell it to put this
stuff, the important thing is that all the URIs match up so
that relying parties can find and verify rpkid's published
outputs.
Host on which pubd should listen for HTTP service requests.
Port on which pubd should listen for HTTP service requests.
Where pubd should look for the BPKI trust anchor. All BPKI
certificate verification within pubd traces back to this
trust anchor. Don't change this unless you really know what
you are doing.
Where pubd should look for its own BPKI EE certificate. Don't
change this unless you really know what you are doing.
Where pubd should look for the private key corresponding to its
own BPKI EE certificate. Don't change this unless you really know
what you are doing.
Where pubd should look for the CRL covering its own BPKI EE
certificate. Don't change this unless you really know what
you are doing.
Where pubd should look for the back-end control client's BPKI EE
certificate. Don't change this unless you really know what you
are doing.
RRDP base URI for naming snapshots and deltas.
You don't need to run rootd unless you're IANA, are certifying
private address space, or are an RIR which refuses to accept IANA as
the root of the public address hierarchy.
Ok, if that wasn't enough to scare you off: rootd is a mess,
needs to be rewritten, or, better, merged into rpkid, and
requires far too many configuration parameters.
rootd was originally intended to be a very simple program which
simplified rpkid enormously by moving one specific task (acting
as the root CA of an RPKI certificate hierarchy) out of rpkid.
As the specifications and code (mostly the latter) have evolved,
however, this task has become more complicated, and rootd would
have to become much more complicated to keep up.
Don't run rootd unless you're sure that you need to do so.
Still think you need to run rootd? OK, but remember, you have
been warned....
rootd's default configuration file is the system `rpki.conf`
file. Start rootd with "`-c filename`" to choose a different
configuration file. All options are in the "`[rootd]`" section.
Certificates and keys may be in either DER or PEM format.
Where rootd should look for the BPKI trust anchor. All BPKI
certificate verification within rootd traces back to this
trust anchor. Don't change this unless you really know what
you are doing.
BPKI CRL. Don't change this unless you really know what you are
doing.
rootd's own BPKI EE certificate. Don't change this unless you
really know what you are doing.
Private key corresponding to rootd's own BPKI EE certificate.
Don't change this unless you really know what you are doing.
BPKI certificate for rootd's one and only up-down child (RPKI
engine to which rootd issues an RPKI certificate). Don't
change this unless you really know what you are doing.
BPKI certificate for pubd. Don't set this unless you really
know what you are doing.
Server host on which rootd should listen.
Server port on which rootd should listen.
Directory where rootd should store its RPKI data files. This
is only used to construct other variables, rootd itself
doesn't read it.
rsync URI corresponding to directory containing rootd's
outputs. This is only used to construct other variables,
rootd itself doesn't read it.
rsync URI for rootd's root (self-signed) RPKI certificate.
Filename of rootd's root RPKI certificate.
Private key corresponding to rootd's root RPKI certificate.
URI of the CRL for rootd's root RPKI certificate.
Filename of the CRL for rootd's root RPKI certificate.
URI of the manifest for rootd's root RPKI certificate.
Filename of the manifest for rootd's root RPKI certificate.
Where rootd should stash a copy of the PKCS #10 request it gets
from its one (and only) child.
Lifetime of the one and only RPKI certificate rootd issues.
Up-down protocol class name for RPKI certificate rootd issues to its
one (and only) child.
URI of the one (and only) RPKI certificate rootd issues.
Filename of the one (and only) RPKI certificate rootd issues.
URI at which rootd should contact pubd for service.
RRDP URI for inclusion in generated objects.
Glue to allow Django to pull user configuration from this file
rather than requiring the user to edit settings.py.
Site-specific secret key for Django.
Name of virtual host that runs the Django GUI, if this is not
the same as the system hostname. Django's security code wants
to know the name of the virtual host on which Django is
running, and will fail when it thinks it's running on a
disallowed host.
If you get an error like "Invalid HTTP_HOST header (you may
need to set ALLOWED_HOSTS)", you will need to set this option.
A directory large enough to hold the RouteViews.org routing table dump
fetched by the rpkigui-import-routes script.
rpki-confgen --autoconf records the current autoconf settings
here, so that other options can refer to them. The section name
"autoconf" is magic, don't change it.
Usually /usr/bin or /usr/local/bin.
Usually /usr/share or /usr/local/share.
Usually /usr/sbin or /usr/local/sbin.
Usually /etc or /usr/local/etc.