How to setup and use X.509 authentication in the RIPE Database

Introduction

You can use X.509 authentication with all the methods of sending updates to the RIPE Database. Whichever method you use, you will need a certificate and a private key. If you already have a certificate issued by another Certificate Authority you can use that. If not and you are an LIR, you can create one through the LIR Portal. Otherwise you will have to generate a self-signed certificate for yourself. The RIPE NCC implementation of X.509 for signing updates to the RIPE Database is not concerned with the trust path of a certificate. The certificate is only used to store the public key in a key-cert object so that it can be matched against signatures made with your private key. No account is taken of certificate revocation lists. This is why a self-signed certificate works well for the purpose of signing database updates.

If you wish to send your updates from a mail client that supports S/MIME, you can import your certificate into the mail client and use it to sign the update messages. If your preferred mail client does not support S/MIME, you can sign messages from the command line using OpenSSL and cut and paste the signed message into the mail client's compose window. The RIPE NCC has carried out tests on some mail clients for S/MIME compliance. The results of these tests can be found in the document Email Client Testing for S/MIME Compliance.

Set up your mail client

First you need to generate a certificate. Some guidelines for this are given in Appendix A1.1 Generating a New Certificate of the Email Client Testing for S/MIME Compliance document referenced above.

Once the certificate has been generated, select an option to export or backup the certificate and private key from your browser. Some guidelines for this are given in Appendix A1.2 Backup of Your Certificate to a File of the Email Client Testing for S/MIME Compliance document referenced above.

Import the backed up certificate and private key into your email client.

If your mail client requires you to set the trust level, this needs to be set to allow signing of emails with this certificate. For example, in Mozilla you need to select the following sequence:

Select:
'Edit'
'Preferences'
'Priv. & Security'
'Certificates'
'Manage Cert'.
'Authorities'

- select the RIPE NCC root cert.
- click 'Edit'.
- set 'This certificate can identify mail users'

Set up the database

You are now ready to sign messages from your mail client. The next step is to set up the RIPE NCC Database end. For this you need to create a new X509 key-cert object and set the authorisation in the mntner object to use X509.

Creating the key-cert object

You need to create a key-cert object according to the following template:

key-cert:      [mandatory]  [single]     [primary/look-up key]
method:        [generated]  [single]     [ ]
owner:         [generated]  [multiple]   [ ]
fingerpr:      [generated]  [single]     [inverse key]
certif:        [mandatory]  [multiple]   [ ]
remarks:       [optional]   [multiple]   [ ]
notify:        [optional]   [multiple]   [inverse key]
admin-c:       [optional]   [multiple]   [inverse key]
tech-c:        [optional]   [multiple]   [inverse key]
mnt-by:        [mandatory]  [multiple]   [inverse key]
changed:       [mandatory]  [multiple]   [ ]
source:        [mandatory]  [single]     [ ]

You will need to use OpenSSL to convert the certificate into an ASCII text format. The backup file exported from your browser containing your certificate and private key is in binary format and its file extension should be .p12. Use OpenSSL to convert this binary file into an ASCII (PEM) file, which will have the file extension .pem. The command to do this is:

openssl pkcs12 -clcerts < backup.p12 > ascii.pem

Now open the ascii.pem file in a text editor. Remove everything from the file except for the certificate. This is contained within the lines:

-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----

You must also keep these BEGIN and END lines. This will now form the certificate data for your key-cert object. Add the attribute name "certif:" to the start of each of these lines.

For example:

certif: -----BEGIN CERTIFICATE-----
certif: MIID8zCCA1ygAwIBAgICAIIwDQYJKoZIhvcNAQEEBQAwcTELMAkGA1UEBhMCRVUx
certif: EDAOBgNVBAgTB0hvbGxhbmQxEDAOBgNVBAoTB25jY0RFTU8xHTAbBgNVBAMTFFNv
certif: ZnR3YXJlIFBLSSBUZXN0aW5nMR8wHQYJKoZIhvcNAQkBFhBzb2Z0aWVzQHJpcGUu
certif: bmV0MB4XDTAzMDkwODEwMjYxMloXDTA0MDkwNzEwMjYxMlowfTELMAkGA1UEBhMC
certif: TkwxETAPBgNVBAoTCFJJUEUgTkNDMRAwDgYDVQQLEwdNZW1iZXJzMRgwFgYDVQQD
certif: Ew91ay5idC50ZXN0LXVzZXIxLzAtBgkqhkiG9w0BCQEWIHRlc3QtdXNlckBsaW51
certif: eC50ZXN0bGFiLnJpcGUubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
certif: AQEArv3srxyl1QA3uS4dxdZbSsGrfBrMRjMb81Gnx0nqa6i+RziIf13lszB/EYy0
certif: PgLpQFdGLdhUQ52YsiGOUmMtnaWNHnEJrBUc8/fdnA6GVdfF8AEw1PTfJ6t2Cdc9
certif: 2SwaF+5kCaUDwmlOgbM333IQmU03l3I1ILs32RpQyZ+df/ovHNrVzeLc2P59isac
certif: bfjM2S0SXPQzHjuVLH40eOgVuXA/5LAYs51eXqwtKszSxFhqekf+BAEcRDrXmIT4
certif: e3zfiZOsXKe0UfaEABgHUMrYjsUCJ8NTMg6XiVSNwQQmXCdUbRvK7zOCe2iCX15y
certif: 9hNXxhY/q/IW54W5it7jGXq/7wIDAQABo4IBCDCCAQQwCQYDVR0TBAIwADARBglg
certif: hkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgXgMBoGCWCGSAGG+EIBDQQNFgtSSVBF
certif: IE5DQyBDQTAdBgNVHQ4EFgQUzdajNaRorkDTAW5O6Hpa3z9pP3AwgZsGA1UdIwSB
certif: kzCBkIAUHpLUfvaBVfxXVCcT0kh9NJeH7ouhdaRzMHExCzAJBgNVBAYTAkVVMRAw
certif: DgYDVQQIEwdIb2xsYW5kMRAwDgYDVQQKEwduY2NERU1PMR0wGwYDVQQDExRTb2Z0
certif: d2FyZSBQS0kgVGVzdGluZzEfMB0GCSqGSIb3DQEJARYQc29mdGllc0ByaXBlLm5l
certif: dIIBADANBgkqhkiG9w0BAQQFAAOBgQByg8L8RaiIz5k7n5jVwM/0oHSf48KRMBdn
certif: YdN2+eoEjVQbz48NtjbBTsOiUYj5AQWRHJrKtDQ+odbog0x7UsvhXjjBo/abJ6vI
certif: AupjnxP3KpSe73zmBUiMU8mvXLibPP1xuI2FPM70Y7fgeUehbmT7wdgqs7TEtYww
certif: PeUqjPPTZg==
certif: -----END CERTIFICATE-----

The "method:", "owner:" and "fingerpr:" attributes will be generated automatically by the database update program, so these can be ignored at this stage. The only attribute required before the "certif:" data is the "key-cert:". The name value of this attribute is auto-generated, so add this line at the start of the file:

key-cert: AUTO-1

This name is only used as a tag in maintainer "auth:" attributes, therefore it was decided not to allow any choice in the name. The generated name will be of the type X509-nnn where nnn is the next available integer number. These numbers will not be re-used. Once a key-cert object is deleted, it is not possible to re-create one with the same name.

The remainder of the key-cert object after the "certif:" attributes looks something like this:

remarks: Sample Key Certificate
notify: you@your_domain.net
mnt-by: YOUR-MNT
changed: you@your_domain.net 20040101
source: RIPE

This gives a final key-cert object looking like this:

key-cert: AUTO-1
certif: -----BEGIN CERTIFICATE-----
certif: MIID8zCCA1ygAwIBAgICAIIwDQYJKoZIhvcNAQEEBQAwcTELMAkGA1UEBhMCRVUx
certif: EDAOBgNVBAgTB0hvbGxhbmQxEDAOBgNVBAoTB25jY0RFTU8xHTAbBgNVBAMTFFNv
certif: ZnR3YXJlIFBLSSBUZXN0aW5nMR8wHQYJKoZIhvcNAQkBFhBzb2Z0aWVzQHJpcGUu
certif: bmV0MB4XDTAzMDkwODEwMjYxMloXDTA0MDkwNzEwMjYxMlowfTELMAkGA1UEBhMC
certif: TkwxETAPBgNVBAoTCFJJUEUgTkNDMRAwDgYDVQQLEwdNZW1iZXJzMRgwFgYDVQQD
certif: Ew91ay5idC50ZXN0LXVzZXIxLzAtBgkqhkiG9w0BCQEWIHRlc3QtdXNlckBsaW51
certif: eC50ZXN0bGFiLnJpcGUubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
certif: AQEArv3srxyl1QA3uS4dxdZbSsGrfBrMRjMb81Gnx0nqa6i+RziIf13lszB/EYy0
certif: PgLpQFdGLdhUQ52YsiGOUmMtnaWNHnEJrBUc8/fdnA6GVdfF8AEw1PTfJ6t2Cdc9
certif: 2SwaF+5kCaUDwmlOgbM333IQmU03l3I1ILs32RpQyZ+df/ovHNrVzeLc2P59isac
certif: bfjM2S0SXPQzHjuVLH40eOgVuXA/5LAYs51eXqwtKszSxFhqekf+BAEcRDrXmIT4
certif: e3zfiZOsXKe0UfaEABgHUMrYjsUCJ8NTMg6XiVSNwQQmXCdUbRvK7zOCe2iCX15y
certif: 9hNXxhY/q/IW54W5it7jGXq/7wIDAQABo4IBCDCCAQQwCQYDVR0TBAIwADARBglg
certif: hkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgXgMBoGCWCGSAGG+EIBDQQNFgtSSVBF
certif: IE5DQyBDQTAdBgNVHQ4EFgQUzdajNaRorkDTAW5O6Hpa3z9pP3AwgZsGA1UdIwSB
certif: kzCBkIAUHpLUfvaBVfxXVCcT0kh9NJeH7ouhdaRzMHExCzAJBgNVBAYTAkVVMRAw
certif: DgYDVQQIEwdIb2xsYW5kMRAwDgYDVQQKEwduY2NERU1PMR0wGwYDVQQDExRTb2Z0
certif: d2FyZSBQS0kgVGVzdGluZzEfMB0GCSqGSIb3DQEJARYQc29mdGllc0ByaXBlLm5l
certif: dIIBADANBgkqhkiG9w0BAQQFAAOBgQByg8L8RaiIz5k7n5jVwM/0oHSf48KRMBdn
certif: YdN2+eoEjVQbz48NtjbBTsOiUYj5AQWRHJrKtDQ+odbog0x7UsvhXjjBo/abJ6vI
certif: AupjnxP3KpSe73zmBUiMU8mvXLibPP1xuI2FPM70Y7fgeUehbmT7wdgqs7TEtYww
certif: PeUqjPPTZg==
certif: -----END CERTIFICATE-----
remarks: Sample Key Certificate
notify: you@your_domain.net
mnt-by: YOUR-MNT
changed: you@your_domain.net 20040101
source: RIPE
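As an added example (not code from the RIPE NCC page), the following Python script automates the editing steps above: it reads the ascii.pem produced by the openssl pkcs12 command, keeps only the CERTIFICATE block, prefixes every line with "certif:" and wraps the result in the key-cert template with "key-cert: AUTO-1". The PEM input shown is a constructed sample whose certificate body is a base64 placeholder, and YOUR-MNT and you@your_domain.net are the placeholder values used on this page.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def extract_certificate(pem_text):
    """Return the CERTIFICATE block (BEGIN..END lines inclusive) of a PEM file.

    `openssl pkcs12 -clcerts` output also carries bag attributes and the encrypted
    private key; everything outside the block is dropped, as the manual editing
    step above describes. Raises ValueError unless exactly one block is present.
    """
    lines = [l.strip() for l in pem_text.splitlines()]
    starts = [i for i, l in enumerate(lines) if l == BEGIN]
    ends = [i for i, l in enumerate(lines) if l == END]
    if len(starts) != 1 or len(ends) != 1 or ends[0] < starts[0]:
        raise ValueError("expected exactly one CERTIFICATE block")
    block = lines[starts[0]:ends[0] + 1]
    # The body must still be valid base64, or the update will be rejected.
    base64.b64decode("".join(block[1:-1]), validate=True)
    return block


def build_key_cert(pem_text, mnt_by, email, changed_date, remarks=None):
    """Assemble the key-cert object text to submit (name is always AUTO-1)."""
    obj = ["key-cert: AUTO-1"]
    obj += ["certif: " + l for l in extract_certificate(pem_text)]
    if remarks:
        obj.append("remarks: " + remarks)
    obj += ["notify: " + email, "mnt-by: " + mnt_by,
            "changed: %s %s" % (email, changed_date), "source: RIPE"]
    return "\n".join(obj) + "\n"


# Constructed sample mimicking the pkcs12 output layout; the certificate body is
# base64 of a placeholder string, not a real certificate.
SAMPLE_PEM = "\n".join([
    "Bag Attributes",
    "    localKeyID: 01 02",
    "subject=/C=NL/O=Example",
    BEGIN, base64.b64encode(b"placeholder certificate body").decode(), END,
    "-----BEGIN ENCRYPTED PRIVATE KEY-----",
    base64.b64encode(b"placeholder key").decode(),
    "-----END ENCRYPTED PRIVATE KEY-----",
]) + "\n"

if __name__ == "__main__":
    print(build_key_cert(SAMPLE_PEM, "YOUR-MNT", "you@your_domain.net",
                         "20040101", "Sample Key Certificate"))
```

Run it on the real ascii.pem by replacing SAMPLE_PEM with the file's contents; the printed object is what you submit to the database update program.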

This can now be submitted to the database update program by sending it in an email to auto-dbm _at_ ripe _dot_ net, or using syncupdates or webupdates methods.

The final object created in the database will look something like this:

key-cert: X509-23
method: X509
owner: /C=NL/O=RIPE NCC/OU=Members/CN=uk.bt.administrator/Email=you@your_domain.net
fingerpr: AC:B5:B1:36:95:F3:46:93:B1:2D:58:EB:E1:46:DA:3F
certif: -----BEGIN CERTIFICATE-----
certif: MIID8zCCA1ygAwIBAgICAIIwDQYJKoZIhvcNAQEEBQAwcTELMAkGA1UEBhMCRVUx
certif: EDAOBgNVBAgTB0hvbGxhbmQxEDAOBgNVBAoTB25jY0RFTU8xHTAbBgNVBAMTFFNv
certif: ZnR3YXJlIFBLSSBUZXN0aW5nMR8wHQYJKoZIhvcNAQkBFhBzb2Z0aWVzQHJpcGUu
certif: bmV0MB4XDTAzMDkwODEwMjYxMloXDTA0MDkwNzEwMjYxMlowfTELMAkGA1UEBhMC
certif: TkwxETAPBgNVBAoTCFJJUEUgTkNDMRAwDgYDVQQLEwdNZW1iZXJzMRgwFgYDVQQD
certif: Ew91ay5idC50ZXN0LXVzZXIxLzAtBgkqhkiG9w0BCQEWIHRlc3QtdXNlckBsaW51
certif: eC50ZXN0bGFiLnJpcGUubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
certif: AQEArv3srxyl1QA3uS4dxdZbSsGrfBrMRjMb81Gnx0nqa6i+RziIf13lszB/EYy0
certif: PgLpQFdGLdhUQ52YsiGOUmMtnaWNHnEJrBUc8/fdnA6GVdfF8AEw1PTfJ6t2Cdc9
certif: 2SwaF+5kCaUDwmlOgbM333IQmU03l3I1ILs32RpQyZ+df/ovHNrVzeLc2P59isac
certif: bfjM2S0SXPQzHjuVLH40eOgVuXA/5LAYs51eXqwtKszSxFhqekf+BAEcRDrXmIT4
certif: e3zfiZOsXKe0UfaEABgHUMrYjsUCJ8NTMg6XiVSNwQQmXCdUbRvK7zOCe2iCX15y
certif: 9hNXxhY/q/IW54W5it7jGXq/7wIDAQABo4IBCDCCAQQwCQYDVR0TBAIwADARBglg
certif: hkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgXgMBoGCWCGSAGG+EIBDQQNFgtSSVBF
certif: IE5DQyBDQTAdBgNVHQ4EFgQUzdajNaRorkDTAW5O6Hpa3z9pP3AwgZsGA1UdIwSB
certif: kzCBkIAUHpLUfvaBVfxXVCcT0kh9NJeH7ouhdaRzMHExCzAJBgNVBAYTAkVVMRAw
certif: DgYDVQQIEwdIb2xsYW5kMRAwDgYDVQQKEwduY2NERU1PMR0wGwYDVQQDExRTb2Z0
certif: d2FyZSBQS0kgVGVzdGluZzEfMB0GCSqGSIb3DQEJARYQc29mdGllc0ByaXBlLm5l
certif: dIIBADANBgkqhkiG9w0BAQQFAAOBgQByg8L8RaiIz5k7n5jVwM/0oHSf48KRMBdn
certif: YdN2+eoEjVQbz48NtjbBTsOiUYj5AQWRHJrKtDQ+odbog0x7UsvhXjjBo/abJ6vI
certif: AupjnxP3KpSe73zmBUiMU8mvXLibPP1xuI2FPM70Y7fgeUehbmT7wdgqs7TEtYww
certif: PeUqjPPTZg==
certif: -----END CERTIFICATE-----
remarks: Sample Key Certificate
notify: you@your_domain.net
mnt-by: YOUR-MNT
changed: you@your_domain.net 20040101
source: RIPE

Updating the maintainer

The final step in order to use X.509 is to set the authorisation of your mntner object to accept X.509. It is advisable in the first instance to keep the existing authorisation method of your maintainer and add X.509 as an additional method. After you have tested its use successfully, you can then delete any less secure authorisation methods such as passwords.

If your existing mntner object looks something like this:

mntner: YOUR-MNT
descr: company maintainer object
admin-c: TP1-RIPE
upd-to: you@your_domain.net
referral-by: RIPE-DBM-MNT
mnt-by: YOUR-MNT
auth: MD5-PW $1$soR3Y2Qy$nXJrt696svaDXvJ6s6N3Z/
changed: you@your_domain.net 20020101
source: RIPE

Add an additional authorisation line for X509-23 and submit the object to the database update program in the usual way, supplying the required existing authorisation. In this example it will be the MD5-PW password:

mntner: YOUR-MNT
descr: company maintainer object
admin-c: TP1-RIPE
upd-to: you@your_domain.net
referral-by: RIPE-DBM-MNT
mnt-by: YOUR-MNT
auth: MD5-PW $1$soR3Y2Qy$nXJrt696svaDXvJ6s6N3Z/
auth: X509-23
changed: you@your_domain.net 20020101
source: RIPE

password: plain text password

Using the X.509 authorisation

Everything is now in place to use X.509 authorisation. Compose a message in your mail client containing the update and sign it with your certificate and private key. Check the documentation for your specific mail client to see how to do this; guidelines for some common mail clients are contained in our document Email Client Testing for S/MIME Compliance. Then send the email to auto-dbm _at_ ripe _dot_ net. Once you have submitted a successful update you can, if you wish, remove the weaker authentication method by removing this line in the example:

auth: MD5-PW $1$soR3Y2Qy$nXJrt696svaDXvJ6s6N3Z/

from your mntner object. Updates can now only be authorised by the stronger authentication method of X.509.