The "`[myrpki]`" section contains all the parameters that you
really need to configure. The name "`myrpki`" is historical and
may change in the future.
Every resource-holding or server-operating entity needs a
"handle", which is just an identifier by which the entity
calls itself. Handles do not need to be globally unique, but
should be chosen with an eye towards debugging operational
problems: it's best if you use a handle that your parents and
children will recognize as being you.
The "`handle`" option in the "`[myrpki]`" section specifies the
default handle for this installation. Previous versions of
the CA tools required a separate configuration file, each with
its own handle setting, for each hosted entity. The current
code allows the current handle to be selected at runtime in
both the GUI and command line user interface tools, so the
handle setting here is just the default when you don't set one
explicitly. In the long run, this option may go away entirely,
but for now you need to set this.
Syntax is an identifier (ASCII letters, digits, hyphen,
underscore -- no whitespace, non-ASCII characters, or other
punctuation).
Directory for BPKI files generated by rpkic and used by rpkid
and pubd. You will not normally need to change this.
Whether you want to run your own copy of rpkid (and irdbd).
Leave this alone unless you're doing something unusual like
running a pubd-only installation.
DNS hostname for rpkid. In most cases, this must resolve to a
publicly-reachable address to be useful, as your RPKI children
will need to contact your rpkid at this address.
Server port number for rpkid. This can be any legal TCP port
number that you're not using for something else.
DNS hostname for irdbd, or "`localhost`". This should be
"`localhost`" unless you really know what you are doing.
Server port number for irdbd. This can be any legal TCP port
number that you're not using for something else.
Whether you want to run your own copy of pubd. In general,
it's best to use your parent's pubd if your parent allows you
to do so, because this will reduce the overall number of
publication sites from which relying parties will need to
retrieve data. However, not all parents offer publication
service, or you may need to run pubd yourself for reliability
reasons, or because you're certifying private address space or
private Autonomous System Numbers.
The out-of-band setup protocol will attempt to negotiate
publication service for you with whatever publication service
your parent is using, if it can and if you let it.
DNS hostname for pubd, if you're running it. This must
resolve to a publicly reachable address to be useful.
Server port number for pubd. This can be any legal TCP port
number that you're not using for something else.
Contact information to include in offers of repository
service. This only matters when you're running pubd. This
should be a human readable string, perhaps containing an email
address or URL.
Whether you want to run your very own copy of rootd. Don't
enable this unless you really know what you're doing.
DNS hostname for rootd, if you're running it. This should be
"`localhost`" unless you really know what you are doing.
Server port number for rootd, if you're running it. This can
be any legal TCP port number that you're not using for
something else.
Root of local directory tree where pubd should write out published
data. You need to configure this, and the configuration should
match up with the directory where you point rsyncd. Neither pubd
nor rsyncd much cares *where* you tell them to put this stuff; the
important thing is that the rsync URIs in generated
certificates match up with the published objects so that relying
parties can find and verify rpkid's published outputs.
Root of local directory tree where rootd (sigh) should write out
published data. This is just like publication_base_directory, but
rootd is too dumb to use pubd and needs its own directory in
which to write one certificate, one CRL, and one manifest.
Neither rootd nor rsyncd much cares *where* you tell them to put
this stuff; the important thing is that the rsync URIs in
generated certificates match up with the published objects so that
relying parties can find and verify rootd's published outputs.
rsyncd module name corresponding to publication_base_directory.
This has to match the module you configured into `rsyncd.conf`.
Leave this alone unless you have some need to change it.
rsyncd module name corresponding to publication_root_cert_directory.
This has to match the module you configured into `rsyncd.conf`.
Leave this alone unless you have some need to change it.
Hostname and optional port number for rsync URIs. In most cases
this should just be the same value as pubd_server_host.
rpkid startup control. This should usually have the same value as
run_rpkid: the only case where you would want to change this is
when you are running the back-end code on a different machine from
one or more of the daemons, in which case you need finer control
over which daemons to start on which machines. In such cases,
run_rpkid controls whether the back-end code is doing things to
manage rpkid, while start_rpkid controls whether
rpki-start-servers attempts to start rpkid on this machine.
irdbd startup control. This should usually have the same value as
run_rpkid: the only case where you would want to change this is
when you are running the back-end code on a different machine from
one or more of the daemons, in which case you need finer control
over which daemons to start on which machines. In such cases,
run_rpkid controls whether the back-end code is doing things to
manage rpkid, while start_irdbd controls whether
rpki-start-servers attempts to start irdbd on this machine.
pubd startup control. This should usually have the same value as
run_pubd: the only case where you would want to change this is
when you are running the back-end code on a different machine from
one or more of the daemons, in which case you need finer control
over which daemons to start on which machines. In such cases,
run_pubd controls whether the back-end code is doing things to
manage pubd, while start_pubd controls whether
rpki-start-servers attempts to start pubd on this machine.
rootd startup control. This should usually have the same value as
run_rootd: the only case where you would want to change this is
when you are running the back-end code on a different machine from
one or more of the daemons, in which case you need finer control
over which daemons to start on which machines. In such cases,
run_rootd controls whether the back-end code is doing things to
manage rootd, while start_rootd controls whether
rpki-start-servers attempts to start rootd on this machine.
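As an added illustration (not part of the rpki.net toolkit), the following Python checks an rpki.conf against the consistency rules described above for the `[myrpki]` section: handle syntax, `start_*` versus `run_*`, and the rsyncd module path versus `publication_base_directory`. The names `handle`, `run_*`, `start_*`, `pubd_server_host` and `publication_base_directory` are the ones given above; `publication_rsync_module` and `publication_rsync_server` are assumed names for the rsync module and rsync server options, and both config texts are constructed samples.

```python
import configparser
import re

# Constructed sample inputs; only the rsyncd module the check needs is shown.
RPKI_CONF = """
[myrpki]
handle = Example-Org
run_rpkid = yes
start_rpkid = yes
run_pubd = yes
start_pubd = no
pubd_server_host = rpki.example.net
publication_base_directory = /var/rpki/publication
publication_rsync_module = rpki
publication_rsync_server = rpki.example.net
"""
RSYNCD_CONF = """
[rpki]
path = /var/rpki/publication
"""

HANDLE_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # letters, digits, hyphen, underscore

def check_myrpki(rpki_conf_text, rsyncd_conf_text):
    """Return a list of findings; an empty list means the section is consistent."""
    cfg = configparser.RawConfigParser()
    cfg.read_string(rpki_conf_text)
    rsyncd = configparser.RawConfigParser()
    rsyncd.read_string(rsyncd_conf_text)
    my = cfg["myrpki"]
    findings = []
    if not HANDLE_RE.match(my.get("handle", "")):
        findings.append("handle must be ASCII letters, digits, hyphen or underscore")
    # start_<daemon> defaults to run_<daemon>; a mismatch is only meant for
    # deployments that split the back end and the daemons across machines.
    for daemon in ("rpkid", "pubd", "rootd"):
        run = my.getboolean("run_" + daemon, fallback=False)
        start = my.getboolean("start_" + daemon, fallback=run)
        if run != start:
            findings.append(f"start_{daemon}={start} differs from run_{daemon}={run}")
    # The rsyncd module must export the directory pubd writes to, otherwise the
    # rsync URIs in issued certificates point at objects relying parties cannot fetch.
    module = my.get("publication_rsync_module", "rpki")
    base = my.get("publication_base_directory", "")
    path = rsyncd.get(module, "path", fallback=None)
    if path != base:
        findings.append(f"rsyncd module [{module}] path {path!r} != publication_base_directory {base!r}")
    if my.get("publication_rsync_server", "").split(":")[0] != my.get("pubd_server_host"):
        findings.append("publication_rsync_server host differs from pubd_server_host")
    return findings
```

Run it against your real `rpki.conf` and `rsyncd.conf` texts; the sample above deliberately sets `start_pubd` to differ from `run_pubd` so one finding is reported.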
If you're comfortable with having all of the databases use the
same MySQL username, set that value here. The default setting
of this variable should be fine.
If you're comfortable with having all of the databases use the
same MySQL password, set that value here. You should use a
locally generated password either here or in the individual
settings below. The installation process generates a random
value for this option, which satisfies this requirement, so
ordinarily you should have no need to change this option.
SQL database name for rpkid's database. The default setting of
this variable should be fine.
If you want to use a separate SQL username for rpkid's database,
set it here.
If you want to use a separate SQL password for rpkid's database,
set it here.
SQL database for irdbd's database. The default setting of this
variable should be fine.
If you want to use a separate SQL username for irdbd's database,
set it here.
If you want to use a separate SQL password for irdbd's database,
set it here.
SQL database name for pubd's database. The default setting of
this variable should be fine.
If you want to use a separate SQL username for pubd's database,
set it here.
If you want to use a separate SQL password for pubd's database,
set it here.
rpkid's default config file is the system `rpki.conf` file.
Start rpkid with "`-c filename`" to choose a different config
file. All options are in the "`[rpkid]`" section. BPKI
certificates and keys may be in either DER or PEM format.
MySQL database name for rpkid.
MySQL user name for rpkid.
MySQL password for rpkid.
Host on which rpkid should listen for HTTP service requests.
Port on which rpkid should listen for HTTP service requests.
HTTP service URL rpkid should use to contact irdbd. If irdbd is
running on the same machine as rpkid, this can and probably should
be a loopback URL, since nobody but rpkid needs to talk to irdbd.
Where rpkid should look for the BPKI trust anchor. All BPKI
certificate verification within rpkid traces back to this
trust anchor. Don't change this unless you really know what
you are doing.
Where rpkid should look for its own BPKI EE certificate. Don't
change this unless you really know what you are doing.
Where rpkid should look for the private key corresponding to its
own BPKI EE certificate. Don't change this unless you really know
what you are doing.
Where rpkid should look for irdbd's BPKI EE certificate.
Don't change this unless you really know what you are doing.
Where rpkid should look for the back-end control client's BPKI EE
certificate. Don't change this unless you really know what you
are doing.
irdbd's default configuration file is the system `rpki.conf`
file. Start irdbd with "`-c filename`" to choose a different
configuration file. All options are in the "`[irdbd]`" section.
Since irdbd is part of the back-end system, it has direct access to
the back-end's SQL database, so it can pull its own BPKI
configuration directly from the database and needs a bit less
configuration than the other daemons.
MySQL database name for irdbd.
MySQL user name for irdbd.
MySQL password for irdbd.
Host on which irdbd should listen for HTTP service requests.
Port on which irdbd should listen for HTTP service requests.
String to log on startup, useful when debugging a collection
of irdbd instances at once.
pubd's default configuration file is the system `rpki.conf`
file. Start pubd with "`-c filename`" to choose a different
configuration file. All options are in the "`[pubd]`" section.
BPKI certificates and keys may be in either DER or PEM format.
MySQL database name for pubd.
MySQL user name for pubd.
MySQL password for pubd.
Root of directory tree where pubd should write out published data.
You need to configure this, and the configuration should match up
with the directory where you point rsyncd. Neither pubd nor rsyncd
much cares *where* you tell them to put this stuff; the important
thing is that the rsync URIs in generated certificates match up
with the published objects so that relying parties can find and
verify rpkid's published outputs.
Host on which pubd should listen for HTTP service requests.
Port on which pubd should listen for HTTP service requests.
Where pubd should look for the BPKI trust anchor. All BPKI
certificate verification within pubd traces back to this
trust anchor. Don't change this unless you really know what
you are doing.
Where pubd should look for its own BPKI EE certificate. Don't
change this unless you really know what you are doing.
Where pubd should look for the private key corresponding to its
own BPKI EE certificate. Don't change this unless you really know
what you are doing.
Where pubd should look for the back-end control client's BPKI EE
certificate. Don't change this unless you really know what you
are doing.
You don't need to run rootd unless you're IANA, are certifying
private address space, or are an RIR which refuses to accept IANA as
the root of the public address hierarchy.
OK, if that wasn't enough to scare you off: rootd is a mess, and
needs to be rewritten, or, better, merged into rpkid. It
doesn't use the publication protocol, and it requires far too
many configuration parameters.
rootd was originally intended to be a very simple program which
simplified rpkid enormously by moving one specific task (acting
as the root CA of an RPKI certificate hierarchy) out of rpkid.
As the specifications and code (mostly the latter) have evolved,
however, this task has become more complicated, and rootd would
have to become much more complicated to keep up.
Don't run rootd unless you're sure that you need to do so.
Still think you need to run rootd? OK, but remember, you have
been warned....
rootd's default configuration file is the system `rpki.conf`
file. Start rootd with "`-c filename`" to choose a different
configuration file. All options are in the "`[rootd]`" section.
Certificates and keys may be in either DER or PEM format.
Where rootd should look for the BPKI trust anchor. All BPKI
certificate verification within rootd traces back to this
trust anchor. Don't change this unless you really know what
you are doing.
BPKI CRL. Don't change this unless you really know what you are
doing.
rootd's own BPKI EE certificate. Don't change this unless you
really know what you are doing.
Private key corresponding to rootd's own BPKI EE certificate.
Don't change this unless you really know what you are doing.
BPKI certificate for rootd's one and only up-down child (RPKI
engine to which rootd issues an RPKI certificate). Don't
change this unless you really know what you are doing.
Server host on which rootd should listen.
Server port on which rootd should listen.
Where rootd should write its output. Yes, rootd should be using
pubd instead of publishing directly, but it doesn't. This
needs to match pubd's configuration.
rsync URI corresponding to directory containing rootd's outputs.
rsync URI for rootd's root (self-signed) RPKI certificate.
Private key corresponding to rootd's root RPKI certificate.
Filename (as opposed to rsync URI) of rootd's root RPKI
certificate.
Where rootd should stash a copy of the PKCS #10 request it gets
from its one (and only) child.
Lifetime of the one and only RPKI certificate rootd issues.
Filename (relative to rootd-base-uri and rpki-root-dir) of the CRL
for rootd's root RPKI certificate.
Filename (relative to rootd-base-uri and rpki-root-dir) of the
manifest for rootd's root RPKI certificate.
Up-down protocol class name for RPKI certificate rootd issues to its
one (and only) child.
Filename (relative to rootd-base-uri and rpki-root-dir) of the one
(and only) RPKI certificate rootd issues.
Glue to allow the Django application to pull user configuration
from this file rather than directly editing settings.py.
SQL database name the web portal should use.
SQL user name the web portal should use.
SQL password the web portal should use.
Site-specific secret key for Django.
Name of virtual host that runs the Django GUI, if this is not
the same as the system hostname. Django's security code wants
to know the name of the virtual host on which Django is
running, and will fail when it thinks it's running on a
disallowed host.
If you get an error like "Invalid HTTP_HOST header (you may
need to set ALLOWED_HOSTS)", you will need to set this option.
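An added example, not the toolkit's own settings.py glue, of how the web portal's settings can be pulled from this section of rpki.conf with Python's configparser, including the `ALLOWED_HOSTS` fallback to the system hostname and a refusal to start without a secret key. The option names `sql-database`, `sql-username`, `sql-password`, `secret-key` and `allowed-hosts`, and the config text itself, are assumptions.

```python
import configparser
import socket

# Constructed sample; a real installation reads the system rpki.conf instead.
RPKI_CONF = """
[web_portal]
sql-database = rpkigui
sql-username = rpkigui
sql-password = EXAMPLE-ONLY-NOT-A-REAL-PASSWORD
secret-key = EXAMPLE-ONLY-NOT-A-REAL-SECRET
allowed-hosts = rpki-gui.example.net
"""

def load_web_portal_settings(conf_text, hostname=None):
    """Build the Django settings rpki.conf supplies; raise if the secret key is missing."""
    cfg = configparser.RawConfigParser()
    cfg.read_string(conf_text)
    wp = cfg["web_portal"]
    secret = wp.get("secret-key", "").strip()
    if not secret:
        # Refuse to start rather than fall back to a guessable default key.
        raise ValueError("[web_portal] secret-key must be set")
    # Django rejects requests whose Host header is not in ALLOWED_HOSTS, which
    # is the "Invalid HTTP_HOST header" error; if the option is unset, assume
    # the GUI answers on the system hostname.
    hosts = wp.get("allowed-hosts", "").split()
    if not hosts:
        hosts = [hostname or socket.gethostname()]
    return {
        "SECRET_KEY": secret,
        "ALLOWED_HOSTS": hosts,
        "DATABASES": {"default": {
            "ENGINE": "django.db.backends.mysql",
            "NAME": wp["sql-database"],
            "USER": wp["sql-username"],
            "PASSWORD": wp["sql-password"],
        }},
    }
```

In a settings.py this dictionary would be unpacked into module globals (for example `globals().update(load_web_portal_settings(open(path).read()))`).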
rpki-confgen --autoconf records the current autoconf settings
here, so that other options can refer to them. The section name
"autoconf" is magic, don't change it.
Usually /usr/bin or /usr/local/bin.
Usually /usr/share or /usr/local/share.
Usually /usr/sbin or /usr/local/sbin.
Usually /etc or /usr/local/etc.