RIPE NCC Certification Service Terms and Conditions
The Terms and Conditions have been updated and will come into effect on 13.11.2025. The updates to the Terms and Conditions include the addition of three new RPKI object types (ASPA, BGPsec and RSC) which will be implemented at a later stage.
Introduction
This document will stipulate the Terms and Conditions for the RIPE NCC Certification Service. The RIPE NCC Certification Service is based on Internet Engineering Task Force (IETF) standards, in particular RFC 3647, "Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework", RFC 3779, "X.509 Extensions for IP Addresses and AS Identifiers", and the "Certificate Policy (CP) for the Resource Public Key Infrastructure (RPKI)".
Article 1 - Definitions
In the Terms and Conditions, the following terms shall be understood to have the meanings assigned to them below:
RIPE NCC - Réseaux IP Européens Network Coordination Centre, a membership association under Dutch law, with a registered office in Amsterdam, the Netherlands.
Member – A natural person or a legal entity that has entered into the RIPE NCC Standard Service Agreement with the RIPE NCC.
End User - A natural person or a legal entity that is assigned Independent Internet Number Resources from the RIPE NCC through an agreement with a Member.
Independent Internet Number Resources - Internet Number Resources (Autonomous System (AS) Number, Provider Independent (PI), IPv4 and IPv6), Internet Exchange Point (IXP) and anycasting assignments directly allocated by the RIPE NCC.
Certificate – Digitally signed data object generated by the RIPE NCC Certification Service.
Certificate Holder – RIPE NCC Member or End User who uses the RIPE NCC Certification Service.
RIPE NCC Certification Service – The RIPE NCC service through which the Certificates are issued or revoked and RPKI-signed objects are created, modified, or deleted.
Internet number resources – Globally unique IP addresses (IPv4 and IPv6) and Autonomous System Numbers (ASNs) registered with an Internet Number Registry, such as the RIPE NCC, that allocates Internet number resources and holds and publishes details of Internet number resource information.
ASPA - Autonomous System Provider Authorization object, an RPKI-signed object that authorises one or more ASNs as BGP providers for the (customer) ASN held by the Certificate Holder.
BGPSec Router Certificate - A type of Certificate that binds a router key to an ASN held by the Certificate Holder to enable BGPsec signing.
RSC - RPKI Signed Checklists object, an attestation containing one or more checksums (a 'checklist') signed with a specific set of Internet Number Resources that, when validated, only provides a means to confirm a Certificate Holder produced the RSC. RSCs are not published in the Repository.
RPKI-signed objects – Digitally signed data objects created using the RIPE NCC Certification Service, such as Route Origin Authorisation (ROA) objects.
ROA object – Route Origin Authorisation object, an RPKI-signed object that binds a set of IP address blocks to an ASN.
Route Origin Validation (ROV) - A cryptographic validation mechanism based on RFC 6811, by which BGP announcements can be authenticated as originating from the autonomous system number (ASN) specified in the ROA object, and may reject BGP announcements that are not originating from the ASN as specified in the ROA object or have a prefix length that is not consistent with the prefix length as specified in the ROA object.
LIR Portal – The secure web interface through which Members access various RIPE NCC services.
Repository – A publicly accessible location where the RIPE NCC publishes all Certificates, Certificate Revocation Lists (CRLs) and RPKI-signed objects of the Certificate Holder who chose the Hosted CA setup and available to download by third parties under the RIPE NCC Certification Repository Terms and Conditions.
CA – Certification Authority. CA is an entity that issues, publishes and revokes the Certificates.
Hosted CA – Type of CA setup technically hosted in the secure infrastructure of the RIPE NCC. The RIPE NCC as Hosted CA is responsible for all cryptographic operations of the RIPE NCC Certification Service, as well as for hosting the Certificate Holder's public and private key pair.
Delegated CA – Type of CA setup technically hosted by the RIPE NCC Member or End User, who chooses the Delegated CA setup instead of the Hosted CA. The Certificate Holder, as a Delegated CA, manages their CA on their own infrastructure instead of that of the RIPE NCC, including the hosting of the public and private key pair.
Publish in Parent Service – RIPE NCC service based on RFC 8181 through which the Delegated CA can choose to publish their Certificates, CRLs and RPKI-signed objects in the RIPE NCC Publish in Parent Repository instead of their own infrastructure.
Publish in Parent Repository – A publicly accessible location where the RIPE NCC publishes all Certificates, CRLs and RPKI-signed objects of the Certificate Holders who chose the Publish in Parent Service as part of the Delegated CA setup.
RIPE community - RIPE (Réseaux IP Européens) is a collaborative forum open to all parties interested in wide area IP networks in Europe and beyond. The objective of RIPE is to ensure the administrative and technical coordination necessary to enable the operation of a pan-European IP network.
Article 2 – General
2.1. The Terms and Conditions come into effect by means of an offer and an acceptance. By clicking the button “I accept. Create my Certificate Authority” in the LIR Portal, Members or End Users confirm that they have read, understood and agree to be bound by these Terms and Conditions.
2.2. The RIPE NCC reserves the right to amend these Terms and Conditions. The RIPE NCC will make an announcement at least thirty days prior to any such amendment coming into effect, unless a more immediate change is required for legal or operational reasons. By continuing to use the RIPE NCC Certification Service after any amendments are made to these Terms and Conditions, the Certificate Holder confirms that they have read, understood and agree to the amended Terms and Conditions.
2.3. These Terms and Conditions prevail over explanatory documents regarding the RIPE NCC Certification Service, including the Certification Practice Statement, which exists for convenience and informational purposes only and does not affect the interpretation of these Terms and Conditions.
Article 3 – Use of the RIPE NCC Certification Service
3.1. Upon the Certificate Holder agreeing to these Terms and Conditions, the RIPE NCC shall generate a Certificate for the Certificate Holder. The Certificate will reflect the registration of the Member's or the End User’s Internet number resources according to the RIPE NCC's registration records. Certificates may not be available for all types of Internet number resources. The RIPE NCC will not attach any other data to the Certificate (including personal data or data referring to the name, trade name or operations of the Certificate Holder).
3.2. The Certificate Holder shall use the RIPE NCC Certification Service for the following purposes only:
- To assert that the Internet number resources indicated in the Certificate are registered with the Certificate Holder.
- To configure specifications for creating or revoking ROA objects.
3.3. Use of the RIPE NCC Certification Service or of Certificates for any other purpose, including identification purposes, is not recognised.
3.4. The Certificate Holder shall be responsible for any use of the RIPE NCC Certification Service or of the Certificate.
3.5. The Certificate Holder is not obliged to create ROA, ASPA or RSC objects, or BGPSec Router Certificates. The Certificate Holder acknowledges and agrees that creating ROA objects that do not reflect their BGP routing intentions or failing to maintain ROA objects so that they reflect their BGP routing intentions may result in rejected BGP announcements.
3.6. The RIPE NCC may perform ROV on its own network. The Certificate Holder acknowledges and agrees that if a BGP announcement does not match the ROA object, the BGP announcement may be rejected, which can result in loss of access to the ripe.net domain and any sub-domains thereof.
3.7. The use of the RIPE NCC Certification Service or the Certificate does not support claims of alleged "ownership" of Internet number resources. Internet number resources registered by the RIPE NCC are subject to and exclusively governed by the policies adopted by the RIPE community.
3.8. The RIPE NCC Certification Service and the Certificate(s) will be available on a best effort basis and the RIPE NCC may suspend its operation or liability to the Certificate Holder for technical, legal, anti-abuse or any other reasons within the scope of managing the operations of the RIPE NCC Certification Service.
3.9. The RIPE NCC shall publish the generated Certificate and any RPKI-signed objects created using the Certificate of the Certificate Holders who chose the Hosted CA setup in the Repository under the RIPE NCC Certification Repository Terms and Conditions. The Certificate Holder agrees with the use of the Repository as defined in the RIPE NCC Certification Repository Terms and Conditions.
3.10. The RIPE NCC shall publish the generated Certificate and any RPKI-signed objects of the Certificate Holders who chose the Publish in Parent Service as part of the Delegated CA setup in the Publish in Parent Repository under the RIPE NCC Publish in Parent Service and Repository Terms and Conditions. The relevant Certificate Holder agrees with the use of the Publish in Parent Repository as defined in the RIPE NCC Publish in Parent Service Terms and Conditions.
Article 4 – Control of the RIPE NCC Certification Service
4.1. The RIPE NCC is entitled to restrict any unauthorised use or to correct unauthorised use of the RIPE NCC Certification Service. For this purpose, the RIPE NCC may perform security checks and audits.
4.2. The Certificate Holder must assist the RIPE NCC with security checks and audits as appropriate.
4.3. The RIPE NCC shall announce any planned maintenance of the RIPE NCC Certification Service as well as any confirmed incidents related to the operation of the RIPE NCC Certification Service on the RIPE NCC status page.
4.4. The Certificate Holder may report any identified incident via the 24/7 Technical Emergency Hotline.
4.5. The Certificate Holder may address security questions relating to the RIPE NCC Certification Service to security@ripe.net.
4.6. The RIPE NCC shall publish information about the security policies and measures in relation to the RIPE NCC services in the RIPE NCC Trust Portal.
4.7. The RIPE NCC may perform security checks and/or audits of the RIPE NCC Certification Service. The RIPE NCC may share any available report of such checks and/or audits upon request by the Certificate Holder and subject to a non-disclosure agreement.
Article 5 – Revocation of Certificates
5.1. The Certificate Holder may terminate their use of the RIPE NCC Certification Service at any time.
5.2. The RIPE NCC shall revoke a Certificate without any notice if any of the following cases occur:
- The Certificate is inconsistent with the RIPE NCC registration records of the Certificate Holder’s Internet number resources. In this case, the RIPE NCC will replace the revoked Certificate with a Certificate that matches the registration of the Certificate Holder’s Internet number resources. The Certificate Holder will not receive notice of the replacement of the Certificate. Any RPKI-signed objects created by the revoked Certificate for Internet number resources that are not indicated in the new Certificate shall be invalid.
- For technical or security reasons, for example in case the Certificate is compromised. In this case, the RIPE NCC will replace the revoked Certificate with a new Certificate. The Certificate Holder will not receive notice of the replacement of the Certificate.
- The Certificate Holder violates these Terms and Conditions.
- The Certificate Holder terminates their use of the RIPE NCC Certification Service.
5.3. The RIPE NCC shall publish the revoked Certificates in a Certificate Revocation List (CRL).
5.4. The RIPE NCC shall publish all CRLs of the Hosted CA setup Certificate Holders in the Repository.
5.5. The RIPE NCC shall publish all CRLs of Delegated CA setup Certificate Holders who chose the Publish in Parent Service in the Publish in Parent Repository.
Article 6 – Liability
6.1. Use of the RIPE NCC Certification Service is at the Member's or the Certificate Holder’s own risk.
6.2. The Certificate Holder shall be liable for all aspects of their use of the RIPE NCC Certification Service and the Certificate.
6.3. The RIPE NCC is in no way liable for any damages, including, but not limited to, damages to the Certificate Holder’s business, loss of profit, damages to third parties, personal injury or damages to property, except in cases involving wilful misconduct or gross negligence on the part of the RIPE NCC.
6.4. The RIPE NCC shall, in any event, not be liable for non-performance or damages due to force majeure, including but not limited to industrial action, strikes, occupations and sit-ins, blockades, embargoes, governmental measures, denial of service attacks, war, revolutions or comparable situations, power failures, defects in electronic lines of communication, fire, explosions, damage caused by water, floods and earthquakes.
6.5. The RIPE NCC is not liable in the case that local legislation prohibits the use of the RIPE NCC Certification Service or of the Certificate or the use of any technical aspects of the RIPE NCC Certification Service or of the Certificate.
6.6. The Certificate Holder shall indemnify the RIPE NCC against any and all third party claims filed against the RIPE NCC in relation to the Certificate Holder’s use of the RIPE NCC Certification Service or the Certificate.
6.7. Any rights on the part of the Certificate Holder towards the RIPE NCC in connection with the generation or replacement of the Certificate and the use thereof shall finally and unconditionally lapse one year from the date on which the Certificate Holder became aware of (or could in all fairness have been aware of) the existence of such rights. This one-year term can only be barred or interrupted by actual legal action instituted by the Certificate Holder against the RIPE NCC.
Article 7 - Miscellaneous
7.1. The RIPE NCC's intellectual property (agreements, documents, software, databases, website, etc.) may only be used, reproduced and made available to third parties upon prior written authorisation from the RIPE NCC.
7.2. The RIPE NCC Certification Service and the RIPE NCC Publish in Parent Service are only available via the LIR Portal and access to the LIR Portal is therefore a prerequisite for access to these Services.
7.3. If any provision contained in the Terms and Conditions is held to be invalid by a court of law, this shall not in any way affect the validity of the remaining provisions.
7.4. The titles appearing next to the articles of these Terms and Conditions are for convenience only and shall not be taken into account for the interpretation of the articles.
7.5. The RIPE NCC may engage with third parties for the provision of RIPE NCC services. Information about such third parties (subcontractors) is available in the RIPE NCC Trust Portal.
7.6. The RIPE NCC shall publish information about the service levels of RIPE NCC services on the RIPE NCC status page.
7.7. The RIPE NCC shall publish information regarding the integrity, privacy and confidentiality of the data it processes in the RIPE NCC Trust Portal.
Article 8 - Governing Law
8.1. These Terms and Conditions shall be exclusively governed by the laws of the Netherlands. The competent court in Amsterdam shall have exclusive jurisdiction with regard to disputes arising from these Terms and Conditions.