path: root/rpkid/examples/rpki.conf

################################################################
#
# $Id$
#
# Config file for myrpki.py and RPKI daemons.
#
# NB: This config file is read both by Python code and also by the
# OpenSSL command line tool (running under mypki), so syntax must
# remain compatable with both parsers, and there's a big chunk of
# OpenSSL voodoo towards the end of this file.
#
################################################################

[myrpki]

# Handle naming hosted resource-holding entity (<self/>) represented
# by this myrpki instance.  Syntax is an identifier (ASCII letters,
# digits, hyphen, underscore -- no whitespace, non-ASCII characters,
# or other punctuation).  You need to set this.

handle				= Me

# Directory for BPKI files generated by rpkic and used by rpkid and pubd.
# Default is where we expect autoconf to decide that our data files
# belong, you might want or need to change this.   In the long term
# this should be handled by a setup wizard.

bpki_servers_directory		= /usr/local/share/rpki

# Whether you want to run your own copy of rpkid (and irdbd).  You
# want this on unless somebody else is hosting rpkid service for you.

run_rpkid                      = true

# DNS hostname and server port numbers for rpkid and irdbd, if you're
# running them.  rpkid's server host has to be a publicly reachable
# name to be useful; irdbd's server host should always be localhost
# unless you really know what you are doing.  Port numbers can be any
# legal TCP port number that you're not using for something else.

rpkid_server_host     		= rpkid.example.org
rpkid_server_port     		= 4404
irdbd_server_host		= localhost
irdbd_server_port		= 4403

# Whether you want to run your own copy of pubd.  In general, it's
# best to use your parent's pubd if you can, to reduce the overall
# number of publication sites that relying parties need to check, so
# don't enable this unless you have a good reason.

run_pubd			= false

# DNS hostname and server port number for pubd, if you're running it.
# Hostname has to be a publicly reachable name to be useful, port can
# be any legal TCP port number that you're not using for something
# else.

pubd_server_host             	= pubd.example.org
pubd_server_port             	= 4402

# Contact information to include in offers of repository service.
# This only matters when we're running pubd.  This should be a human
# readable string, perhaps containing an email address or URL.

pubd_contact_info		= repo-man@rpki.example.org

# Whether you want to run your very own copy of rootd.  Don't enable
# this unless you really know what you're doing.

run_rootd			= false

# Server port number for rootd, if you're running it.  This can be any
# legal TCP port number that you're not using for something else.

rootd_server_port		= 4401

# Root of local directory tree where pubd (and rootd, sigh) should
# write out published data.  You need to configure this, and the
# configuration should match up with the directory where you point
# rsyncd.  Neither pubd nor rsyncd much cares -where- you tell them to
# put this stuff, the important thing is that the rsync:// URIs in
# generated certificates match up with the published objects so that
# relying parties can find and verify rpkid's published outputs.

publication_base_directory     	= publication
publication_root_cert_directory	= ${myrpki::publication_base_directory}.root

# rsyncd module name corresponding to publication_base_directory.
# This has to match the module you configured into rsyncd.conf.
# Leave this alone unless you have some need to change it.

publication_rsync_module	= rpki

# rsyncd module name corresponding to publication_root_cert_directory.
# This has to match the module you configured into rsyncd.conf.
# Leave this alone unless you have some need to change it.

publication_root_module		= root

# Hostname and optional port number for rsync:// URIs.  In most cases
# this should just be the same value as pubd_server_host.

publication_rsync_server	= ${myrpki::pubd_server_host}

# Startup control.  These all default to the values of the
# corresponding run_* options, to keep things simple.  The only case
# where you would want to change these is when you are running the
# back-end code on a different machine from one or more of the
# daemons, in which case you need finer control over which daemons to
# start on which machines.  In such cases, "run_*" controls whether
# the back-end code is doing things to manage the daemon in question,
# while "start_*" controls whether rpki-start-servers attempts to
# start the daemon in question.

start_rpkid			= ${myrpki::run_rpkid}
start_irdbd			= ${myrpki::run_rpkid}
start_pubd			= ${myrpki::run_pubd}
start_rootd			= ${myrpki::run_rootd}

# SQL configuration.  You can ignore this if you're not running any of
# the daemons yourself.

# If you're comfortable with having all of the databases use the same
# MySQL username and password, set those values here.  It's ok to
# leave the default username alone, but you should use a locally
# generated password either here or in the individual settings below.

shared_sql_username		= rpki
shared_sql_password		= fnord

# If you want different usernames and passwords for the separate SQL
# databases, enter those settings here; the shared_sql_* settings are
# only referenced here, so you can remove them entirely if you're
# setting everything in this block.

rpkid_sql_database		= rpkid
rpkid_sql_username		= ${myrpki::shared_sql_username}
rpkid_sql_password		= ${myrpki::shared_sql_password}

irdbd_sql_database		= irdbd
irdbd_sql_username		= ${myrpki::shared_sql_username}
irdbd_sql_password		= ${myrpki::shared_sql_password}

pubd_sql_database		= pubd
pubd_sql_username		= ${myrpki::shared_sql_username}
pubd_sql_password		= ${myrpki::shared_sql_password}

# End of [myrpki] section

#################################################################
#
# In theory it should not be necessary to modify anything below this
# point, at least not if you're within the boundaries of the
# simplified configuration that the myrpki tool is intended to
# support.  If you do have to modify anything below this point, please
# report it.
#
#################################################################

[rpkid]

# MySQL database name, user name, and password for rpkid to use to
# store its data.

sql-database			= ${myrpki::rpkid_sql_database}
sql-username			= ${myrpki::rpkid_sql_username}
sql-password    		= ${myrpki::rpkid_sql_password}

# Host and port on which rpkid should listen for HTTP service
# requests.

server-host     		= ${myrpki::rpkid_server_host}
server-port     		= ${myrpki::rpkid_server_port}

# HTTP service URL rpkid should use to contact irdbd.  If irdbd is
# running on the same machine as rpkid, this can and probably should
# be a loopback URL, since nobody but rpkid needs to talk to irdbd.

irdb-url        		= http://${myrpki::irdbd_server_host}:${myrpki::irdbd_server_port}/

# Where rpkid should look for BPKI certs and keys used in the
# left-right protocol.  The following values match where myirbe.py
# will have placed things.  Don't change these without a reason.

bpki-ta         		= ${myrpki::bpki_servers_directory}/ca.cer
rpkid-key       		= ${myrpki::bpki_servers_directory}/rpkid.key
rpkid-cert      		= ${myrpki::bpki_servers_directory}/rpkid.cer
irdb-cert       		= ${myrpki::bpki_servers_directory}/irdbd.cer
irbe-cert       		= ${myrpki::bpki_servers_directory}/irbe.cer

#################################################################

[irdbd]

# MySQL database name, user name, and password for irdbd to use to
# store its data.

sql-database			= ${myrpki::irdbd_sql_database}
sql-username			= ${myrpki::irdbd_sql_username}
sql-password    		= ${myrpki::irdbd_sql_password}

# HTTP service URL irdbd should listen on.  This should match the
# irdb-url parameter in the [rpkid] section; see comments there.

http-url			= http://${myrpki::irdbd_server_host}:${myrpki::irdbd_server_port}/

# Where irdbd should look for BPKI certs and keys used in the
# left-right protocol.  The following values match where myirbe.py
# will have placed things.  Don't change these without a reason.

bpki-ta         		= ${myrpki::bpki_servers_directory}/ca.cer
rpkid-cert      		= ${myrpki::bpki_servers_directory}/rpkid.cer
irdbd-cert      		= ${myrpki::bpki_servers_directory}/irdbd.cer
irdbd-key       		= ${myrpki::bpki_servers_directory}/irdbd.key

#################################################################

[pubd]

# MySQL database name, user name, and password for pubd to use to
# store (some of) its data.

sql-database			= ${myrpki::pubd_sql_database}
sql-username			= ${myrpki::pubd_sql_username}
sql-password    		= ${myrpki::pubd_sql_password}

# Root of directory tree where pubd should write out published data.
# You need to configure this, and the configuration should match up
# with the directory where you point rsyncd.  Neither pubd nor rsyncd
# much cares -where- you tell them to put this stuff, the important
# thing is that the rsync:// URIs in generated certificates match up
# with the published objects so that relying parties can find and
# verify rpkid's published outputs.

publication-base        	= ${myrpki::publication_base_directory}

# Host and port on which pubd should listen for HTTP service
# requests.

server-host             	= ${myrpki::pubd_server_host}
server-port             	= ${myrpki::pubd_server_port}

# Where pubd should look for BPKI certs and keys used in the
# left-right protocol.  The following values match where myirbe.py
# will have placed things.  Don't change these without a reason.

bpki-ta                 	= ${myrpki::bpki_servers_directory}/ca.cer
pubd-cert               	= ${myrpki::bpki_servers_directory}/pubd.cer
pubd-key                	= ${myrpki::bpki_servers_directory}/pubd.key
irbe-cert               	= ${myrpki::bpki_servers_directory}/irbe.cer

#################################################################

[irbe_cli]

# HTTP service URL for rpkid

rpkid-url                       = http://${myrpki::rpkid_server_host}:${myrpki::rpkid_server_port}/left-right/

# BPKI certificates and keys for talking to rpkid

rpkid-bpki-ta                   = ${myrpki::bpki_servers_directory}/ca.cer
rpkid-irbe-key                  = ${myrpki::bpki_servers_directory}/irbe.key
rpkid-irbe-cert                 = ${myrpki::bpki_servers_directory}/irbe.cer
rpkid-cert                      = ${myrpki::bpki_servers_directory}/rpkid.cer

# HTTP service URL for pubd

pubd-url                        = http://${myrpki::pubd_server_host}:${myrpki::pubd_server_port}/control/

# BPKI certificates and keys for talking to pubd

pubd-bpki-ta                    = ${myrpki::bpki_servers_directory}/ca.cer
pubd-irbe-key                   = ${myrpki::bpki_servers_directory}/irbe.key
pubd-irbe-cert                  = ${myrpki::bpki_servers_directory}/irbe.cer
pubd-cert                       = ${myrpki::bpki_servers_directory}/pubd.cer

#################################################################

[rootd]

# You don't need to run rootd unless you're IANA, are certifying
# private address space, or are an RIR which refuses to accept IANA as
# the root of the public address hierarchy.
#
# Ok, if that wasn't enough to scare you off: rootd is a kludge, and
# needs to be rewritten, or, better, merged into rpkid.  It does a
# number of things wrong, and requires far too many configuration
# parameters.  You have been warned....

# BPKI certificates and keys for rootd

bpki-ta                 	= ${myrpki::bpki_servers_directory}/ca.cer
rootd-bpki-crl          	= ${myrpki::bpki_servers_directory}/ca.crl
rootd-bpki-cert         	= ${myrpki::bpki_servers_directory}/rootd.cer
rootd-bpki-key          	= ${myrpki::bpki_servers_directory}/rootd.key
child-bpki-cert         	= ${myrpki::bpki_servers_directory}/child.cer

# Server port on which rootd should listen.

server-port             	= ${myrpki::rootd_server_port}

# Where rootd should write its output.  Yes, rootd should be using
# pubd instead of publishing directly, but it doesn't.

rpki-root-dir           	= ${myrpki::publication_base_directory}

# rsync URI for directory containing rootd's outputs

rpki-base-uri           	= rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/

# rsync URI for rootd's root (self-signed) RPKI certificate

rpki-root-cert-uri      	= rsync://${myrpki::publication_rsync_server}/${myrpki::publication_root_module}/root.cer

# Private key corresponding to rootd's root RPKI certificate

rpki-root-key           	= ${myrpki::bpki_servers_directory}/root.key

# Filename (as opposed to rsync URI) of rootd's root RPKI certificate

rpki-root-cert          	= ${myrpki::publication_root_cert_directory}/root.cer

# Where rootd should stash a copy of the PKCS #10 request it gets from
# its one (and only) child

rpki-subject-pkcs10     	= ${myrpki::bpki_servers_directory}/rootd.subject.pkcs10

# Lifetime of the one and only certificate rootd issues

rpki-subject-lifetime   	= 30d

# Filename (relative to rootd-base-uri and rpki-root-dir) of the CRL
# for rootd's root RPKI certificate

rpki-root-crl           	= root.crl

# Filename (relative to rootd-base-uri and rpki-root-dir) of the
# manifest for rootd's root RPKI certificate

rpki-root-manifest      	= root.mft

# Up-down protocol class name for RPKI certificate rootd issues to its
# one (and only) child

rpki-class-name         	= ${myrpki::handle}

# Filename (relative to rootd-base-uri and rpki-root-dir) of the one
# (and only) RPKI certificate rootd issues

rpki-subject-cert       	= ${myrpki::handle}.cer

# The last four paramters in this section are really parameters for
# myirbe.py to use when constructing rootd's root RPKI certificate,
# via an indirection hack in the OpenSSL voodoo portion of this file.
# Don't ask why some of these are duplicated from other paramters in
# this section, you don't want to know (really, you don't).

# ASNs to include in rootd's root RPKI certificate, in openssl.conf format

root_cert_asns			= AS:0-4294967295

# IP addresses to include in rootd's root RPKI certificate, in
# openssl.conf format

root_cert_addrs			= IPv4:0.0.0.0/0,IPv6:0::/0

# Whatever you put in rpki-base-uri, earlier in this section

root_cert_sia			= rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/

# root_cert_sia + rpki-root-manifest

root_cert_manifest		= rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/root.mft

#################################################################

# Glue to allow the django application to pull user configuration
# from this file rather than directly editing settings.py

[web_portal]
sql-database			= ${myrpki::irdbd_sql_database}
sql-username			= ${myrpki::irdbd_sql_username}
sql-password    		= ${myrpki::irdbd_sql_password}

#################################################################

# Constants for OpenSSL voodoo portion of this file, to make them
# easier to find.

[constants]

# Digest algorithm.  Don't change this.

digest				= sha256

# RSA key length.   Don't change this.

key_length			= 2048

# Lifetime of BPKI certificates (and rootd RPKI root certificate).
# Don't change this unless you know what you're doing.

cert_days			= 365

# Lifetime of BPKI CRLs.  Don't change this unless you know what
# you're doing.

crl_days			= 365

#################################################################

# The rest of this file is OpenSSL configuration voodoo.  Don't touch
# anything below here even if you -do- know what you're doing.  Even
# by OpenSSL standards, some of this is weird, and interacts in
# non-obvious ways with code in myrpki.py and myirbe.py.  If you touch
# this stuff and something breaks, don't say you weren't warned.

[req]
default_bits			= ${constants::key_length}
default_md			= ${constants::digest}
distinguished_name		= req_dn
prompt				= no
encrypt_key			= no

[req_dn]
CN                      	= Dummy name for certificate request

[ca_x509_ext_ee]
subjectKeyIdentifier		= hash
authorityKeyIdentifier		= keyid:always

[ca_x509_ext_xcert0]
basicConstraints		= critical,CA:true,pathlen:0
subjectKeyIdentifier		= hash
authorityKeyIdentifier		= keyid:always

[ca_x509_ext_xcert1]
basicConstraints		= critical,CA:true,pathlen:1
subjectKeyIdentifier		= hash
authorityKeyIdentifier		= keyid:always

[ca_x509_ext_ca]
basicConstraints		= critical,CA:true
subjectKeyIdentifier		= hash
authorityKeyIdentifier		= keyid:always

[ca]
default_ca			= ca
dir				= ${ENV::BPKI_DIRECTORY}
new_certs_dir			= $dir
database			= $dir/index
certificate			= $dir/ca.cer
private_key			= $dir/ca.key
default_days			= ${constants::cert_days}
default_crl_days		= ${constants::crl_days}
default_md			= ${constants::digest}
policy				= ca_dn_policy
unique_subject			= no
serial				= $dir/serial
crlnumber			= $dir/crl_number

[ca_dn_policy]
countryName			= optional
stateOrProvinceName		= optional
localityName			= optional
organizationName		= optional
organizationalUnitName		= optional
commonName			= supplied
emailAddress			= optional
givenName			= optional
surname				= optional

[rootd_x509_extensions]
basicConstraints        	= critical,CA:true
subjectKeyIdentifier    	= hash
keyUsage                	= critical,keyCertSign,cRLSign
subjectInfoAccess       	= 1.3.6.1.5.5.7.48.5;URI:${rootd::root_cert_sia},1.3.6.1.5.5.7.48.10;URI:${rootd::root_cert_manifest}
sbgp-autonomousSysNum   	= critical,${rootd::root_cert_asns}
sbgp-ipAddrBlock        	= critical,${rootd::root_cert_addrs}
certificatePolicies     	= critical,1.3.6.1.5.5.7.14.2

#[rpkic]
#autosync			= false