path: root/doc/doc.RPKI.CA.Configuration.rootd
****** rootd.conf ******

***** Caveat *****

rootd is, to be blunt about it, a mess. rootd was originally intended to be a
very simple program which simplified rpkid enormously by moving one specific
task (acting as the root CA of an RPKI certificate hierarchy) out of rpkid. As
the specifications and code (mostly the latter) have evolved, however, this
task has become more complicated, and rootd would have to become much more
complicated to keep up. In particular, rootd does not speak the publication
protocol, and requires far too many configuration parameters to work correctly.
rootd is still useful as a test tool, where its shortcomings are largely hidden
by automated generation of its configuration. Don't run rootd unless you're
sure that you need to do so.

OK, with that out of the way....

***** Configuration *****

rootd's default configuration file is the system rpki.conf file. Start rootd
with "-c filename" to choose a different configuration file. All options are in
the section "[rootd]". Certificates and keys may be in either DER or PEM
format.

Options:

bpki-ta::

     Name of file containing BPKI trust anchor. All BPKI certificate
     validation in rootd traces back to this trust anchor.

rootd-bpki-cert::

     Name of file containing rootd's own BPKI certificate.

rootd-bpki-key::

     Name of file containing RSA key corresponding to rootd-bpki-cert.

rootd-bpki-crl::

     Name of file containing BPKI CRL that would cover rootd-bpki-cert had
     it been revoked.

child-bpki-cert::

     Name of file containing BPKI certificate for rootd's one and only
     child (RPKI engine to which rootd issues an RPKI certificate).

server-host::

     Hostname or IP address on which to listen for HTTP connections.
     Default is localhost; don't change this unless you really know what
     you are doing.

server-port::

     TCP port on which to listen for HTTP connections.

rpki-root-key::

     Name of file containing RSA key to use in signing resource
     certificates.

rpki-root-cert::

     Name of file containing self-signed RPKI certificate corresponding to
     rpki-root-key.

rpki-root-dir::

     Name of directory where rootd should write RPKI subject certificate,
     manifest, and CRL. This needs to match pubd's configuration.

rpki-subject-cert::

     Name of file that rootd should use to save the one and only
     certificate it issues. Default is "Child.cer".

rpki-root-crl::

     Name of file to which rootd should save its RPKI CRL. Default is
     "Root.crl".

rpki-root-manifest::

     Name of file to which rootd should save its RPKI manifest. Default is
     "Root.mft".

rpki-subject-pkcs10::

     Name of file that rootd should use when saving a copy of the received
     PKCS #10 request for a resource certificate. Default is
     "Child.pkcs10".
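Because rootd needs so many options to be present and consistent before it will run, a preflight check over the [rootd] section is worth having. The following is an added example and not part of rpki.net; it parses the options documented above with the standard library, reports missing required options, applies the documented defaults, and flags a server-host other than localhost. The sample configuration, its paths and its port number are constructed for the example.

```python
"""Preflight check for the [rootd] section of an rpki.conf file.

Added example, not part of rpki.net: it parses the options documented
above, reports missing required options, applies the documented
defaults, and flags a server-host other than localhost, which the
documentation warns against.
"""
import configparser
import os
import sys

# Options documented without a default: rootd cannot run without them.
REQUIRED = (
    "bpki-ta", "rootd-bpki-cert", "rootd-bpki-key", "rootd-bpki-crl",
    "child-bpki-cert", "server-port", "rpki-root-key", "rpki-root-cert",
    "rpki-root-dir",
)

# Options with documented defaults, applied when the option is absent.
DEFAULTS = {
    "server-host": "localhost",
    "rpki-subject-cert": "Child.cer",
    "rpki-root-crl": "Root.crl",
    "rpki-root-manifest": "Root.mft",
    "rpki-subject-pkcs10": "Child.pkcs10",
}

# Options naming files rootd must be able to read when it starts.
INPUT_FILES = (
    "bpki-ta", "rootd-bpki-cert", "rootd-bpki-key", "rootd-bpki-crl",
    "child-bpki-cert", "rpki-root-key", "rpki-root-cert",
)

# Constructed sample configuration (hypothetical paths and port number).
SAMPLE_CONF = """\
[rootd]
bpki-ta         = bpki/rootd/ca.cer
rootd-bpki-cert = bpki/rootd/rootd.cer
rootd-bpki-key  = bpki/rootd/rootd.key
rootd-bpki-crl  = bpki/rootd/ca.crl
child-bpki-cert = bpki/rootd/child.cer
server-host     = 0.0.0.0
server-port     = 4405
rpki-root-key   = root.key
rpki-root-cert  = publication/root.cer
rpki-root-dir   = publication/
"""


def load_rootd_section(text):
    """Parse rpki.conf text; return the [rootd] options as a dict, or None."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section("rootd"):
        return None
    return dict(parser.items("rootd"))


def check_rootd_config(text, check_files=False):
    """Return (effective_options, problems) for the [rootd] section of text."""
    opts = load_rootd_section(text)
    if opts is None:
        return {}, ["no [rootd] section in configuration"]
    problems = ["missing required option: %s" % n for n in REQUIRED if n not in opts]
    effective = dict(DEFAULTS)
    effective.update(opts)
    host = effective["server-host"]
    if host != "localhost":
        problems.append("server-host is %r, not localhost" % host)
    port = effective.get("server-port")
    if port is not None and not (port.isdigit() and 0 < int(port) < 65536):
        problems.append("server-port %r is not a valid TCP port" % port)
    if check_files:                     # only meaningful on the rootd host itself
        for name in INPUT_FILES:
            if name in effective and not os.path.isfile(effective[name]):
                problems.append("%s: cannot read %s" % (name, effective[name]))
        root_dir = effective.get("rpki-root-dir")
        if root_dir is not None and not os.path.isdir(root_dir):
            problems.append("rpki-root-dir: not a directory: %s" % root_dir)
    return effective, problems


if __name__ == "__main__":
    # Check a real file named on the command line, else the constructed sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    _, found = check_rootd_config(source, check_files=len(sys.argv) > 1)
    for problem in found:
        print("rootd preflight:", problem)
    sys.exit(1 if found else 0)
```

Run it as `python3 rootd_preflight.py /etc/rpki.conf` to check a real file, including that every certificate and key file is readable; without an argument it checks the constructed sample, which deliberately binds to 0.0.0.0 so that the server-host warning fires.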

***** Creating a root certificate *****

rootd does not create the RPKI root certificate; you have to do that yourself.
The usual way is to use the OpenSSL command line tool. The exact details depend
on which resources you want in the root certificate, the URIs for your
publication server, and so forth, but the general form looks something like
this:

  [req]
  default_bits            = 2048
  default_md              = sha256
  distinguished_name      = req_dn
  prompt                  = no
  encrypt_key             = no

  [req_dn]
  CN                      = Testbed RPKI root certificate

  # Extensions for the self-signed root certificate (RFC 6487 profile).
  [x509v3_extensions]
  basicConstraints        = critical,CA:true
  subjectKeyIdentifier    = hash
  keyUsage                = critical,keyCertSign,cRLSign
  subjectInfoAccess       = @sia
  certificatePolicies     = critical,1.3.6.1.5.5.7.14.2
  sbgp-autonomousSysNum   = critical,@rfc3779_asns
  sbgp-ipAddrBlock        = critical,@rfc3779_addrs

  # SIA: id-ad-caRepository (48.5) and id-ad-rpkiManifest (48.10).
  [sia]
  1.3.6.1.5.5.7.48.5;URI  = rsync://example.org/rpki/
  1.3.6.1.5.5.7.48.10;URI = rsync://example.org/rpki/root.mft

  # RFC 3779 AS number resources.
  [rfc3779_asns]
  AS.0 = 64496-64511
  AS.1 = 65536-65551

  # RFC 3779 IP address resources.
  [rfc3779_addrs]
  IPv4.0 = 192.0.2.0/24
  IPv4.1 = 198.51.100.0/24
  IPv4.2 = 203.0.113.0/24
  IPv6.0 = 2001:0DB8::/32

Assuming you save this configuration in a file "root.conf", you can use it to
generate a root certificate as follows:

  $ openssl genrsa -out root.key 2048
  $ openssl req -new -config root.conf -out root.req -key root.key
  $ openssl x509 -req -sha256             \
          -signkey root.key -in root.req  \
          -outform DER -out root.cer      \
          -extfile root.conf -extensions x509v3_extensions \
          -days 1825

You may want to shorten the five-year expiry time (1825 days), which is a bit
long, although a long lifetime is not unusual for a root certificate.

The generated root.cer must be copied to the publication directory as defined
in rpki.conf:

  rpki-root-cert = ${myrpki::publication_base_directory}/root.cer

To create a trust anchor locator (TAL) for the root certificate, use

  $ $top/rcynic/make-tal.sh <rsync URI of root.cer> <local copy of root.cer>
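A TAL is the rsync URI of the root certificate, a blank line, and the base64 of the certificate's subjectPublicKeyInfo (RFC 7730, RFC 8630), so the interesting part of producing one is pulling the SPKI out of the DER certificate. The following is an added example and not the project's make-tal.sh: it builds a TAL from a DER certificate with a minimal DER walker, and checks an existing TAL against a certificate, which is the check a relying party operator wants before trusting a TAL handed to them. The function names and the sample certificate (a synthetic, unsigned v3 skeleton with a placeholder RSA key) are constructed for this example.

```python
"""Build and check an RPKI trust anchor locator (TAL) for a root certificate.

Added example, not rpki.net's make-tal.sh: a TAL (RFC 7730 / RFC 8630)
is the rsync URI of the root certificate, a blank line, and the base64
of the certificate's subjectPublicKeyInfo. The DER walker is minimal
(definite lengths only) and the sample certificate is a synthetic,
unsigned skeleton constructed for this example.
"""
import base64


def der(tag, content):
    """Encode one DER TLV, using the long length form when needed."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nbytes)]) + nbytes
    return bytes([tag]) + length + content


def der_read_tlv(data, pos):
    """Return (tag, value_start, value_end) for the TLV starting at data[pos]."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                          # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def der_children(data, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each TLV in data[start:end]."""
    pos = start
    while pos < end:
        tag, vstart, vend = der_read_tlv(data, pos)
        yield tag, pos, vstart, vend
        pos = vend


def extract_spki(cert_der):
    """Return the DER subjectPublicKeyInfo from an X.509 certificate."""
    _, cert_vstart, cert_vend = der_read_tlv(cert_der, 0)
    tbs = next(der_children(cert_der, cert_vstart, cert_vend))
    fields = list(der_children(cert_der, tbs[2], tbs[3]))
    if fields and fields[0][0] == 0xA0:         # explicit [0] version (v3)
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    tag, tlv_start, _, vend = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[tlv_start:vend]


def build_tal(rsync_uri, cert_der):
    """Return TAL text: URI, blank line, base64 SPKI wrapped at 64 columns."""
    b64 = base64.b64encode(extract_spki(cert_der)).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return rsync_uri + "\n\n" + body + "\n"


def check_tal(tal_text, cert_der):
    """True if the TAL is well formed and its key matches the certificate's SPKI."""
    uris, sep, body = tal_text.partition("\n\n")
    if not sep or not uris.strip():
        return False
    try:
        key = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:                           # binascii.Error is a ValueError
        return False
    return key == extract_spki(cert_der)


def constructed_certificate():
    """Synthetic v3 certificate skeleton with a placeholder RSA key; returns (cert, spki)."""
    rsa_oid = der(0x06, bytes.fromhex("2A864886F70D010101"))       # rsaEncryption
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))
    modulus = der(0x02, b"\x00" + b"\xC3" * 256)                    # placeholder 2048-bit modulus
    rsa_key = der(0x30, modulus + der(0x02, b"\x01\x00\x01"))       # e = 65537
    spki = der(0x30, der(0x30, rsa_oid + der(0x05, b"")) + der(0x03, b"\x00" + rsa_key))
    name = der(0x30, b"")                                           # empty Name is enough here
    validity = der(0x30, der(0x17, b"200101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa
              + name + validity + name + spki)
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" * 257)), spki


SAMPLE_CERT, SAMPLE_SPKI = constructed_certificate()

if __name__ == "__main__":
    print(build_tal("rsync://example.org/rpki/root.cer", SAMPLE_CERT))
```

For a real root.cer in DER form, `build_tal("rsync://example.org/rpki/root.cer", open("root.cer", "rb").read())` gives the TAL text; check_tal only compares the key, so it will also accept a TAL whose URI points elsewhere, and the URI should be checked separately against where root.cer is actually published.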