1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
|
****** Creating an RPKI Root Certificate ******
rootd does not create RPKI root certificates automatically. If you're running
your own root, you have to do this yourself. The usual method of doing this is
to use the OpenSSL command line tool. The exact details will depend on which
resources you need to put in the root certificate, the URIs for your
publication server, and so forth, but the general form looks something like
this:
[req]
default_bits = 2048
default_md = sha256
distinguished_name = req_dn
prompt = no
encrypt_key = no
[req_dn]
CN = Testbed RPKI root certificate
[x509v3_extensions]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
keyUsage = critical,keyCertSign,cRLSign
subjectInfoAccess = @sia
certificatePolicies = critical,1.3.6.1.5.5.7.14.2
sbgp-autonomousSysNum = critical,@rfc3779_asns
sbgp-ipAddrBlock = critical,@rfc3997_addrs
[sia]
1.3.6.1.5.5.7.48.5;URI = rsync://example.org/rpki/root/
1.3.6.1.5.5.7.48.10;URI = rsync://example.org/rpki/root/root.mft
[rfc3779_asns]
AS.0 = 64496-64511
AS.1 = 65536-65551
[rfc3997_addrs]
IPv4.0 = 192.0.2.0/24
IPv4.1 = 198.51.100.0/24
IPv4.2 = 203.0.113.0/24
IPv6.0 = 2001:0DB8::/32
Assuming you save this configuration in a file root.conf, you can use it to
generate a root certificate as follows:
openssl genrsa -out root.key 2048
openssl req \
-new \
-x509 \
-config root.conf \
-key root.key \
-out root.cer \
-outform DER \
-days 1825 \
-set_serial 1 \
-extensions x509v3_extensions
You may want to shorten the five year expiration time (1825 days), which is a
bit long. It is a root certificate, so a long expiration is not unusual.
When regenerating a certificate using the same key, just skip the openssl
genrsa step above.
You must copy the generated root.cer to the publication directory as defined in
rpki.conf:
rpki-root-cert = ${myrpki::publication_base_directory}/root.cer
You must place the generated root.key in a safe location where it is readable
by rootd but not accessible to the outside world, then you need to tell rootd
where to find it by setting the appropriate variable in rpki.conf. The
directory where the daemons keep their BPKI keys and certificates should be
suitable for this:
rpki-root-key = ${myrpki::bpki_servers_directory}/root.key
To create a TAL format trust anchor locator use the make-tal.sh script from
$top/rcynic:
$top/rcynic/make-tal.sh rsync://example.org/rpki/root/root.cer root.cer
***** Converting an existing RSA key from PKCS #8 format *****
If you previously generated a certificate using openssl req with the -newkey
option and are having difficulty getting rootd to accept the resulting private
key, the problem may be that OpenSSL saved the private key file in PKCS #8
format. OpenSSL's behavior changed here, the -newkey option saved the key in
PKCS #1 format, but newer versions use PKCS #8. While PKCS #8 is indeed likely
an improvement, the change confuses some programs, including versions of rootd
from before we discovered this problem.
If you think this might be your problem, you can convert the existing private
key to PKCS #1 format with a script like this:
if ! openssl rsa -in root.key -out root.key.new
then
echo Conversion failed
rm root.key.new
elif cmp -s root.key root.key.new
echo No change
rm root.key.new
else
echo Converted
mv root.key.new root.key
fi
|
