################################################################ # # $Id: myrpki.conf 2722 2009-08-31 22:24:48Z sra $ # # Config file for myrpki.py and RPKI daemons. # # NB: This config file is read both by Python code and also by the # OpenSSL command line tool (running under mypki), so syntax must # remain compatable with both parsers, and there's a big chunk of # OpenSSL voodoo towards the end of this file. # ################################################################ [myrpki] # Handle naming hosted resource-holding entity () represented # by this myrpki instance. Syntax is an identifier (ASCII letters, # digits, hyphen, underscore -- no whitespace, non-ASCII characters, # or other punctuation). You need to set this. handle = Me # Names of various files and directories. Don't change these without # a good reason. roa_csv = roas.csv prefix_csv = prefixes.csv asn_csv = asns.csv xml_filename = myrpki.xml bpki_resources_directory = bpki/resources bpki_servers_directory = bpki/servers # Whether you want to run your own copy of rpkid (and irdbd). You # want this on unless somebody else is hosting rpkid service for you. run_rpkid = true # DNS hostname and server port numbers for rpkid and irdbd, if you're # running them. rpkid's server host has to be a publicly reachable # name to be useful; irdbd's server host should always be localhost # unless you really know what you are doing. Port numbers can be any # legal TCP port number that you're not using for something else. rpkid_server_host = rpkid.example.org rpkid_server_port = 4404 irdbd_server_host = localhost irdbd_server_port = 4403 # Whether you want to run your own copy of pubd. In general, it's # best to use your parent's pubd if you can, to reduce the overall # number of publication sites that relying parties need to check, so # don't enable this unless you have a good reason. run_pubd = false # DNS hostname and server port number for pubd, if you're running it. # Hostname has to be a publicly reachable name to be useful, port can # be any legal TCP port number that you're not using for something # else. pubd_server_host = pubd.example.org pubd_server_port = 4402 # Contact information to include in offers of repository service. # This only matters when we're running pubd. This should be a human # readable string, perhaps containing an email address or URL. pubd_contact_info = repo-man@rpki.example.org # Whether you want to run your very own copy of rootd. Don't enable # this unless you really know what you're doing. run_rootd = false # Server port number for rootd, if you're running it. This can be any # legal TCP port number that you're not using for something else. rootd_server_port = 4401 # Root of local directory tree where pubd (and rootd, sigh) should # write out published data. You need to configure this, and the # configuration should match up with the directory where you point # rsyncd. Neither pubd nor rsyncd much cares -where- you tell them to # put this stuff, the important thing is that the rsync:// URIs in # generated certificates match up with the published objects so that # relying parties can find and verify rpkid's published outputs. publication_base_directory = publication/ # rsyncd module name corresponding to publication_base_directory. # This has to match the module you configured into rsyncd.conf. # Leave this alone unless you have some need to change it. publication_rsync_module = rpki # Hostname and optional port number for rsync:// URIs. In most cases # this should just be the same value as pubd_server_host. publication_rsync_server = ${myrpki::pubd_server_host} # SQL configuration. You can ignore this if you're not running any of # the daemons yourself. # If you're comfortable with having all of the databases use the same # MySQL username and password, set those values here. It's ok to # leave the default username alone, but you should use a locally # generated password either here or in the individual settings below. shared_sql_username = rpki shared_sql_password = fnord # If you want different usernames and passwords for the separate SQL # databases, enter those settings here; the shared_sql_* settings are # only referenced here, so you can remove them entirely if you're # setting everything in this block. rpkid_sql_database = rpkid rpkid_sql_username = ${myrpki::shared_sql_username} rpkid_sql_password = ${myrpki::shared_sql_password} irdbd_sql_database = irdbd irdbd_sql_username = ${myrpki::shared_sql_username} irdbd_sql_password = ${myrpki::shared_sql_password} pubd_sql_database = pubd pubd_sql_username = ${myrpki::shared_sql_username} pubd_sql_password = ${myrpki::shared_sql_password} # Name of OpenSSL binary. You might need to change this if you have # no system copy installed, or if the system copy doesn't support CMS. # The copy of openssl built by this package should suffice. openssl = openssl # End of [myrpki] section ################################################################# # # In theory it should not be necessary to modify anything below this # point, at least not if you're within the boundaries of the # simplified configuration that the myrpki tool is intended to # support. If you do have to modify anything below this point, please # report it. # ################################################################# [rpkid] # MySQL database name, user name, and password for rpkid to use to # store its data. sql-database = ${myrpki::rpkid_sql_database} sql-username = ${myrpki::rpkid_sql_username} sql-password = ${myrpki::rpkid_sql_password} # Host and port on which rpkid should listen for HTTP service # requests. server-host = ${myrpki::rpkid_server_host} server-port = ${myrpki::rpkid_server_port} # HTTP service URL rpkid should use to contact irdbd. If irdbd is # running on the same machine as rpkid, this can and probably should # be a loopback URL, since nobody but rpkid needs to talk to irdbd. irdb-url = http://${myrpki::irdbd_server_host}:${myrpki::irdbd_server_port}/ # Where rpkid should look for BPKI certs and keys used in the # left-right protocol. The following values match where myirbe.py # will have placed things. Don't change these without a reason. bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer rpkid-key = ${myrpki::bpki_servers_directory}/rpkid.key rpkid-cert = ${myrpki::bpki_servers_directory}/rpkid.cer irdb-cert = ${myrpki::bpki_servers_directory}/irdbd.cer irbe-cert = ${myrpki::bpki_servers_directory}/irbe.cer ################################################################# [irdbd] # MySQL database name, user name, and password for irdbd to use to # store its data. sql-database = ${myrpki::irdbd_sql_database} sql-username = ${myrpki::irdbd_sql_username} sql-password = ${myrpki::irdbd_sql_password} # HTTP service URL irdbd should listen on. This should match the # irdb-url parameter in the [rpkid] section; see comments there. http-url = http://${myrpki::irdbd_server_host}:${myrpki::irdbd_server_port}/ # Where irdbd should look for BPKI certs and keys used in the # left-right protocol. The following values match where myirbe.py # will have placed things. Don't change these without a reason. bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer rpkid-cert = ${myrpki::bpki_servers_directory}/rpkid.cer irdbd-cert = ${myrpki::bpki_servers_directory}/irdbd.cer irdbd-key = ${myrpki::bpki_servers_directory}/irdbd.key ################################################################# [pubd] # MySQL database name, user name, and password for pubd to use to # store (some of) its data. sql-database = ${myrpki::pubd_sql_database} sql-username = ${myrpki::pubd_sql_username} sql-password = ${myrpki::pubd_sql_password} # Root of directory tree where pubd should write out published data. # You need to configure this, and the configuration should match up # with the directory where you point rsyncd. Neither pubd nor rsyncd # much cares -where- you tell them to put this stuff, the important # thing is that the rsync:// URIs in generated certificates match up # with the published objects so that relying parties can find and # verify rpkid's published outputs. publication-base = ${myrpki::publication_base_directory} # Host and port on which pubd should listen for HTTP service # requests. server-host = ${myrpki::pubd_server_host} server-port = ${myrpki::pubd_server_port} # Where pubd should look for BPKI certs and keys used in the # left-right protocol. The following values match where myirbe.py # will have placed things. Don't change these without a reason. bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer pubd-cert = ${myrpki::bpki_servers_directory}/pubd.cer pubd-key = ${myrpki::bpki_servers_directory}/pubd.key irbe-cert = ${myrpki::bpki_servers_directory}/irbe.cer ################################################################# [irbe_cli] # HTTP service URL for rpkid rpkid-url = http://${myrpki::rpkid_server_host}:${myrpki::rpkid_server_port}/left-right/ # BPKI certificates and keys for talking to rpkid rpkid-bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer rpkid-irbe-key = ${myrpki::bpki_servers_directory}/irbe.key rpkid-irbe-cert = ${myrpki::bpki_servers_directory}/irbe.cer rpkid-cert = ${myrpki::bpki_servers_directory}/rpkid.cer # HTTP service URL for pubd pubd-url = http://${myrpki::pubd_server_host}:${myrpki::pubd_server_port}/control/ # BPKI certificates and keys for talking to pubd pubd-bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer pubd-irbe-key = ${myrpki::bpki_servers_directory}/irbe.key pubd-irbe-cert = ${myrpki::bpki_servers_directory}/irbe.cer pubd-cert = ${myrpki::bpki_servers_directory}/pubd.cer ################################################################# [rootd] # You don't need to run rootd unless you're IANA, are certifying # private address space, or are an RIR which refuses to accept IANA as # the root of the public address hierarchy. # # Ok, if that wasn't enough to scare you off: rootd is a kludge, and # needs to be rewritten, or, better, merged into rpkid. It does a # number of things wrong, and requires far too many configuration # parameters. You have been warned.... # BPKI certificates and keys for rootd bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer rootd-bpki-crl = ${myrpki::bpki_servers_directory}/ca.crl rootd-bpki-cert = ${myrpki::bpki_servers_directory}/rootd.cer rootd-bpki-key = ${myrpki::bpki_servers_directory}/rootd.key child-bpki-cert = ${myrpki::bpki_servers_directory}/child.cer # Server port on which rootd should listen. server-port = ${myrpki::rootd_server_port} # Where rootd should write its output. Yes, rootd should be using # pubd instead of publishing directly, but it doesn't. rpki-root-dir = ${myrpki::publication_base_directory} # rsync URI for directory containing rootd's outputs rpki-base-uri = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/ # rsync URI for rootd's root (self-signed) RPKI certificate rpki-root-cert-uri = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/root.cer # Private key corresponding to rootd's root RPKI certificate rpki-root-key = ${myrpki::bpki_servers_directory}/ca.key # Filename (as opposed to rsync URI) of rootd's root RPKI certificate rpki-root-cert = ${myrpki::publication_base_directory}/root.cer # Where rootd should stash a copy of the PKCS #10 request it gets from # its one (and only) child rpki-subject-pkcs10 = rootd.subject.pkcs10 # Lifetime of the one and only certificate rootd issues rpki-subject-lifetime = 30d # Filename (relative to rootd-base-uri and rpki-root-dir) of the CRL # for rootd's root RPKI certificate rpki-root-crl = root.crl # Filename (relative to rootd-base-uri and rpki-root-dir) of the # manifest for rootd's root RPKI certificate rpki-root-manifest = root.mnf # Up-down protocol class name for RPKI certificate rootd issues to its # one (and only) child rpki-class-name = ${myrpki::handle} # Filename (relative to rootd-base-uri and rpki-root-dir) of the one # (and only) RPKI certificate rootd issues rpki-subject-cert = ${myrpki::handle}.cer # The last four paramters in this section are really parameters for # myirbe.py to use when constructing rootd's root RPKI certificate, # via an indirection hack in the OpenSSL voodoo portion of this file. # Don't ask why some of these are duplicated from other paramters in # this section, you don't want to know (really, you don't). # ASNs to include in rootd's root RPKI certificate, in openssl.conf format root_cert_asns = AS:0-4294967295 # IP addresses to include in rootd's root RPKI certificate, in # openssl.conf format root_cert_addrs = IPv4:0.0.0.0/0,IPv6:0::/0 # Whatever you put in rpki-base-uri, earlier in this section root_cert_sia = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/ # root_cert_sia + rpki-root-manifest root_cert_manifest = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/root.mnf ################################################################# # Constants for OpenSSL voodoo portion of this file, to make them # easier to find. [constants] # Digest algorithm. Don't change this. digest = sha256 # RSA key length. Don't change this. key_length = 2048 # Lifetime of BPKI certificates (and rootd RPKI root certificate). # Don't change this unless you know what you're doing. cert_days = 365 # Lifetime of BPKI CRLs. Don't change this unless you know what # you're doing. crl_days = 365 ################################################################# # The rest of this file is OpenSSL configuration voodoo. Don't touch # anything below here even if you -do- know what you're doing. Even # by OpenSSL standards, some of this is weird, and interacts in # non-obvious ways with code in myrpki.py and myirbe.py. If you touch # this stuff and something breaks, don't say you weren't warned. [req] default_bits = ${constants::key_length} default_md = ${constants::digest} distinguished_name = req_dn prompt = no encrypt_key = no [req_dn] CN = Dummy name for certificate request [ca_x509_ext_ee] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always [ca_x509_ext_xcert0] basicConstraints = critical,CA:true,pathlen:0 subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always [ca_x509_ext_xcert1] basicConstraints = critical,CA:true,pathlen:1 subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always [ca_x509_ext_ca] basicConstraints = critical,CA:true subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always [ca] default_ca = ca dir = ${ENV::BPKI_DIRECTORY} new_certs_dir = $dir database = $dir/index certificate = $dir/ca.cer private_key = $dir/ca.key default_days = ${constants::cert_days} default_crl_days = ${constants::crl_days} default_md = ${constants::digest} policy = ca_dn_policy unique_subject = no serial = $dir/serial crlnumber = $dir/crl_number [ca_dn_policy] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional givenName = optional surname = optional [rootd_x509_extensions] basicConstraints = critical,CA:true subjectKeyIdentifier = hash keyUsage = critical,keyCertSign,cRLSign subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:${rootd::root_cert_sia},1.3.6.1.5.5.7.48.10;URI:${rootd::root_cert_manifest} sbgp-autonomousSysNum = critical,${rootd::root_cert_asns} sbgp-ipAddrBlock = critical,${rootd::root_cert_addrs} certificatePolicies = critical,1.3.6.1.5.5.7.14.2