1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
|
[[TracNav(doc/RPKI/TOC)]]
= Creating an RPKI Root Certificate =
[wiki:doc/RPKI/CA/Configuration/rootd rootd] does not create RPKI root
certificates automatically. If you're running your own root, you have
to do this yourself. The usual method of doing this is to use the
OpenSSL command line tool. The exact details will depend on which
resources you need to put in the root certificate, the URIs for your
publication server, and so forth, but the general form looks something
like this:
{{{
#!ini
[req]
default_bits = 2048
default_md = sha256
distinguished_name = req_dn
prompt = no
encrypt_key = no
[req_dn]
CN = Testbed RPKI root certificate
[x509v3_extensions]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
keyUsage = critical,keyCertSign,cRLSign
subjectInfoAccess = @sia
certificatePolicies = critical,1.3.6.1.5.5.7.14.2
sbgp-autonomousSysNum = critical,@rfc3779_asns
sbgp-ipAddrBlock = critical,@rfc3997_addrs
[sia]
1.3.6.1.5.5.7.48.5;URI = rsync://example.org/rpki/root/
1.3.6.1.5.5.7.48.10;URI = rsync://example.org/rpki/root/root.mft
[rfc3779_asns]
AS.0 = 64496-64511
AS.1 = 65536-65551
[rfc3997_addrs]
IPv4.0 = 192.0.2.0/24
IPv4.1 = 198.51.100.0/24
IPv4.2 = 203.0.113.0/24
IPv6.0 = 2001:0DB8::/32
}}}
Assuming you save this configuration in a file `root.conf`, you can
use it to generate a root certificate as follows:
{{{
#!sh
#!/bin/sh -
# Generate the root key if it doesn't already exist.
test -f root.key ||
openssl genrsa -out root.key 2048
# Generate the root certificate.
openssl req \
-new \
-x509 \
-config root.conf \
-key root.key \
-out root.cer \
-outform DER \
-days 1825 \
-set_serial 1 \
-extensions x509v3_extensions
}}}
You may want to shorten the five year expiration time (1825 days),
which is a bit long. It is a root certificate, so a long expiration
is not unusual.
When regenerating a certificate using the same key, just skip the
`openssl genrsa` step above.
You must copy the generated root.cer to the publication directory as
defined in rpki.conf:
{{{
rpki-root-cert = ${myrpki::publication_base_directory}/root.cer
}}}
You must place the generated root.key in a safe location where it is
readable by rootd but not accessible to the outside world, then you
need to tell rootd where to find it by setting the appropriate
variable in rpki.conf. The directory where the daemons keep their
BPKI keys and certificates should be suitable for this:
{{{
rpki-root-key = ${myrpki::bpki_servers_directory}/root.key
}}}
To create a TAL format trust anchor locator use the `make-tal.sh`
script from `$top/rp/rcynic`:
{{{
#!sh
$top/rp/rcynic/make-tal.sh rsync://example.org/rpki/root/root.cer root.cer
}}}
Note that, like any certificate, the root.cer you just generated will
expire eventually. Either you need to remember to regenerate it
before that happens, or you need to set up a cron job to do that for
you automatically. Running the above shell script (really, just the
`openssl req` command) should suffice to regenerate `root.cer`;
remember to copy the updated `root.cer` to the publication directory.
Regenerating the certificate does not require regenerating the TAL
unless you change the key or URL.
== Converting an existing RSA key from PKCS !#8 format ==
If you previously generated a certificate using `openssl req` with the
`-newkey` option and are having difficulty getting `rootd` to accept
the resulting private key, the problem may be that OpenSSL saved the
private key file in PKCS !#8 format. OpenSSL's behavior changed here,
the `-newkey` option saved the key in PKCS !#1 format, but newer
versions use PKCS !#8. While PKCS !#8 is indeed likely an
improvement, the change confuses some programs, including versions
of `rootd` from before we discovered this problem.
If you think this might be your problem, you can convert the existing
private key to PKCS !#1 format with a script like this:
{{{
#!sh
if ! openssl rsa -in root.key -out root.key.new
then
echo Conversion failed
rm root.key.new
elif cmp -s root.key root.key.new
echo No change
rm root.key.new
else
echo Converted
mv root.key.new root.key
fi
}}}
|
