1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
|
****** The rpkic tool ******
rpkic is a command line interface to rpkid and pubd. It implements largely the
same functionality as the web interface. In most cases you will want to use the
web interface for normal operation, but rpkic is available if you need it.
rpkic can be run either in an interactive mode or by passing a single command
on the command line when starting the program; the former mode is intended to
be somewhat human-friendly, the latter mode is useful in scripting, cron jobs,
and automated testing.
Some rpkic commands write out data files, usually in the current directory.
rpkic uses the same system-wide rpki.conf file as the other CA tools as its
default configuration file.
rpkic includes a "help" command which provides inline help for its several
commands.
***** Selecting an identity *****
The handle variable in rpki.conf specifies the handle of the default identity
for an rpkic command, but this is just the default. rpkid can host an arbitrary
number of identities, and rpkic has to be able to control all of them.
When running rpkic interactively, use rpkic's "select_identity" command to set
the current identity handle.
When running rpkic with a single command on the command line, use the "-i" (or
"--identity") option to set the current identity handle.
***** rpkic in setup phase *****
See the introduction to the user interfaces for an overview of how setup phase
works. The general structure of the setup phase in rpkic is as described there,
but here we provide the specific commands involved. The following assumes that
you have already installed the software and started the servers.
* The rpkic "initialize" command writes out an "identity.xml" file in addition
to all of its other tasks.
* A parent who is using rpkic runs the "configure_child" command to configure
the child, giving this command the identity.xml file the child supplied as
input. configure_child will write out a response XML file, which the parent
sends back to the child.
* A child who is running rpkic runs the "configure_parent" command to process
the parent's response, giving it the XML file sent back by the parent as
input to this command. configure_parent will write out a publication request
XML file, which the child sents to the repository operator.
* A repository operator who is using rpkic runs the
"configure_publication_client" command to process a client's publication
request. configure_publication_client generates a confirmation XML message
which the repository operator sends back to the client.
* A publication client who is using rpkic runs the "configure_repository"
command to process the repository's response.
***** rpkic in data maintenance phase *****
rpkic uses whitespace-delimited text files (called ".csv files", for historical
reasons) to control issuance of addresses and autonomous sequence numbers to
children, and to control issuance of ROAs. See the "load_asns",
"load_prefixes", and "load_roa_requests" commands.
***** Maintaining child validity data *****
All resources issued to child entities are tagged with a validity date. If not
updated, these resources will eventually expire. rpkic includes two commands
for updating these validity dates:
* "renew_child" updates the validity date for a specific child.
* "renew_all_children" updates the validity date for all children.
***** BPKI maintenance *****
Certificates and CRLs in the BPKI have expiration dates and netUpdate dates, so
they need to be maintained. Failure to maintain these will eventually cause the
CA software to grind to a halt, as expired certificates will cause CMS
validation failures.
rpkic's "update_bpki" command takes care of this. Usually one will want to run
this periodically (perhaps once per month), under cron.
***** Forcing synchronization *****
Most rpkic commands synchronize the back end database with the daemons
automatically, so in general it should not be necessary to synchronize
manually. However, since these are separate databases, it is theoretically
possible for them to get out of synch, perhaps because something crashed at
exactly the wrong time.
rpkic's "synchronize" command runs a synchronization cycle with rpkid (if
run_rpkic is set) and pubd (if run_pubd is set).
|
