****** Creating an RPKI Root Certificate ******

rootd does not create RPKI root certificates automatically. If you're running
your own root, you have to do this yourself. The usual method of doing this is
to use the OpenSSL command line tool. The exact details will depend on which
resources you need to put in the root certificate, the URIs for your
publication server, and so forth, but the general form looks something like
this:

  [req]
  default_bits            = 2048
  default_md              = sha256
  distinguished_name      = req_dn
  prompt                  = no
  encrypt_key             = no

  [req_dn]
  CN                      = Testbed RPKI root certificate

  [x509v3_extensions]
  basicConstraints        = critical,CA:true
  subjectKeyIdentifier    = hash
  keyUsage                = critical,keyCertSign,cRLSign
  subjectInfoAccess       = @sia
  certificatePolicies     = critical,1.3.6.1.5.5.7.14.2
  sbgp-autonomousSysNum   = critical,@rfc3779_asns
  sbgp-ipAddrBlock        = critical,@rfc3997_addrs

  [sia]
  1.3.6.1.5.5.7.48.5;URI  = rsync://example.org/rpki/root/
  1.3.6.1.5.5.7.48.10;URI = rsync://example.org/rpki/root/root.mft

  [rfc3779_asns]
  AS.0 = 64496-64511
  AS.1 = 65536-65551

  [rfc3997_addrs]
  IPv4.0 = 192.0.2.0/24
  IPv4.1 = 198.51.100.0/24
  IPv4.2 = 203.0.113.0/24
  IPv6.0 = 2001:0DB8::/32

Assuming you save this configuration in a file named root.conf, you can use it to
generate a root certificate (and its private key) as follows:

  openssl req                     \
          -new                    \
          -x509                   \
          -newkey rsa:2048        \
          -config root.conf       \
          -keyout root.key        \
          -days 1825              \
          -outform DER            \
          -out root.cer           \
          -set_serial 1           \
          -extensions x509v3_extensions

You may want to shorten the five-year expiration time (1825 days), which is a
bit long, although a long expiration is not unusual for a root certificate.
Note that because root.conf sets encrypt_key = no, the private key written to
root.key by -keyout is stored unencrypted, so restrict access to that file.

You must copy the generated root.cer to the publication directory as defined in
rpki.conf:

  rpki-root-cert          = ${myrpki::publication_base_directory}/root.cer

To create a trust anchor locator in TAL format, use the make-tal.sh script from
$top/rcynic:

  $top/rcynic/make-tal.sh  rsync://example.org/rpki/root/root.cer  root.cer