path: root/rpkid/doc/rootd
****** rootd ******

rootd is a stripped-down implementation of (only) the server side of the
up-down protocol.

It's a separate program because the root certificate of an RPKI certificate
tree requires special handling and may also require a special handling policy.
rootd is a simple implementation intended for test use; it is not suitable for
use in a production system. All configuration comes via the config file.

The default config file is rootd.conf, start rootd with "-c filename" to choose
a different config file. All options are in the section "[rootd]".
Certificates, keys, and trust anchors may be in either DER or PEM format.

Config file options:


* bpki-ta: Name of file containing BPKI trust anchor. All BPKI certificate
  validation in rootd traces back to this trust anchor.


* rootd-bpki-cert: Name of file containing rootd's own BPKI certificate.


* rootd-bpki-key: Name of file containing RSA key corresponding to
  rootd-bpki-cert.


* rootd-bpki-crl: Name of file containing BPKI CRL that would cover
  rootd-bpki-cert had it been revoked.


* child-bpki-cert: Name of file containing BPKI certificate for rootd's one and
  only child (the RPKI engine to which rootd issues an RPKI certificate).


* server-host: Hostname or IP address on which to listen for HTTPS connections.
  Default is localhost.


* server-port: TCP port on which to listen for HTTPS connections.


* rpki-root-key: Name of file containing RSA key to use in signing resource
  certificates.


* rpki-root-cert: Name of file containing self-signed root resource certificate
  corresponding to rpki-root-key.


* rpki-root-dir: Name of directory where rootd should write RPKI subject
  certificate, manifest, and CRL.


* rpki-subject-cert: Name of file that rootd should use to save the one and
  only certificate it issues. Default is "Subroot.cer".


* rpki-root-crl: Name of file to which rootd should save its RPKI CRL. Default
  is "Root.crl".


* rpki-root-manifest: Name of file to which rootd should save its RPKI
  manifest. Default is "Root.mnf".


* rpki-subject-pkcs10: Name of file that rootd should use when saving a copy of
  the received PKCS #10 request for a resource certificate. This is only used
  for debugging. Default is not to save the PKCS #10 request.
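The following is an added example, not code from rootd or the rpki.net project: a small pre-flight checker for a rootd.conf that applies the defaults listed above, reports missing options and a bad server-port, and sniffs whether a key or certificate file is PEM or DER. It assumes the config file uses INI syntax as read by Python's configparser; the sample configuration and its file names are constructed placeholders.

```python
import configparser

# Options documented above with no default: each must be present.
REQUIRED = ("bpki-ta", "rootd-bpki-cert", "rootd-bpki-key", "rootd-bpki-crl",
            "child-bpki-cert", "server-port", "rpki-root-key", "rpki-root-cert",
            "rpki-root-dir")
# Defaults documented above, applied when the option is absent.
DEFAULTS = {"server-host": "localhost", "rpki-subject-cert": "Subroot.cer",
            "rpki-root-crl": "Root.crl", "rpki-root-manifest": "Root.mnf"}

def check_rootd_conf(text):
    """Parse a rootd.conf body; return (effective options, list of findings)."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    if not cp.has_section("rootd"):
        return {}, ["no [rootd] section: rootd reads only that section"]
    opts = dict(cp.items("rootd"))
    findings = [f"missing required option: {k}" for k in REQUIRED if k not in opts]
    for k, v in DEFAULTS.items():
        opts.setdefault(k, v)
    port = opts.get("server-port", "")
    if port and not (port.isdigit() and 0 < int(port) < 65536):
        findings.append(f"server-port is not a valid TCP port: {port!r}")
    if "rpki-subject-pkcs10" in opts:
        findings.append("rpki-subject-pkcs10 is set: saving PKCS #10 copies is a debugging aid")
    return opts, findings

def sniff_format(data):
    """Classify certificate/key bytes as PEM, DER (leading SEQUENCE tag) or unknown."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"

# Constructed sample for a test lab; file names are placeholders, not project files.
SAMPLE_CONF = """\
[rootd]
bpki-ta          = bpki-ta.cer
rootd-bpki-cert  = rootd-bpki.cer
rootd-bpki-key   = rootd-bpki.key
rootd-bpki-crl   = rootd-bpki.crl
child-bpki-cert  = child-bpki.cer
server-port      = 4401
rpki-root-key    = root.key
rpki-root-cert   = root.cer
rpki-root-dir    = publication
rpki-subject-pkcs10 = subject.pkcs10
"""
```

Running check_rootd_conf(SAMPLE_CONF) fills in the four defaults and reports only the debugging-aid finding, since every required option is present and the port is valid.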