The Resource Certificate
The resource certificate validity is linked to RIPE NCC registration. This is because only for as long as you are a RIPE NCC member and have a contractual relationship with the RIPE NCC can it be authoritatively stated who the holder of a certain Internet number resource is. This means the certificate has a validity of 18 months, but it is automatically renewed every 12 months.
If you obtain new resources from the RIPE NCC, they will be automatically added to your certificate. If you return resources to the RIPE NCC, a new, updated certificate is automatically issued. Any statement you have made referring to resources you no longer hold will be automatically invalidated.
The Hosted System in the LIR Portal
The advantage of the hosted system is that there is nothing you have to manage except making sure that your ROAs match your intended BGP routing. We provide a simple web-based user interface in which you can manage your ROAs. All of the cryptographic operations, such as key rollovers and publication, are handled by the system. The disadvantage is that the private key of your resource certificate resides on a server hosted by the RIPE NCC and is not retrievable from the secured system. In addition, for management of ROAs, you are dependent on the RIPE NCC web interface, and there is no possibility for scripting or an API.
Running Your Own Certificate Authority
The RIPE NCC, as well as third party software vendors, offers software packages to run your own Certificate Authority software that securely interfaces with the RIPE NCC parent system. This way, you are in complete control of your resource certificate and the corresponding private key. In addition, you will be able to choose where to publish your certificate and ROAs. You can publish everything yourself, or you can choose another party to publish the cryptographic material for you. Please refer to the RPKI Test Environment documentation for instructions on how to set this up.
Tools and Services:
RIPE NCC Hosted Resource Certification (RPKI) Service (requires member login)
RIPE NCC Local Certification Service – Proof of Concept
RPKI.net Open Source Implementation of RPKI Tools