The Certificate Structure

Resource certificate distribution follows the same hierarchy as the allocation and assignment of resources in the RIPE NCC service region. The RIPE NCC created a self-signed root certificate and now acts as a Certificate Authority. The root certificate contains all of the resources that were handed to the RIPE NCC by the Internet Assigned Numbers Authority (IANA). The way the RIPE NCC operates the Certificate Authority is described in detail in the RIPE NCC RPKI Certification Practice Statement.

The RIPE NCC issues child certificates to its members upon request. These certificates contain all the certifiable resources that the member holds. When new resources are allocated to the LIR, or resources are returned to the RIPE NCC, the certificate is automatically updated to reflect the new situation.


LIRs can use the certificate to make statements about their BGP routing by creating Route Origin Authorisations (ROAs). These ROAs state which Autonomous System is authorised to originate the prefixes that the LIR holds. The power of the system lies in the fact that only the legitimate holder of a prefix can create a valid ROA.
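
The containment rule behind that last point, as an added example that is not RIPE NCC code: a validator accepts a ROA only if its prefixes fall inside the resources of the signing certificate, and each certificate's resources fall inside its issuer's, up to the root. The model is simplified (signature checks omitted), and the Cert class, function names and documentation prefixes are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


@dataclass
class Cert:
    """Simplified resource certificate: a name, its IP resources, its issuer."""
    name: str
    resources: list
    issuer: Optional["Cert"] = None  # None marks the self-signed root


def covered(prefix, resources):
    """True if prefix lies inside one of the listed resource blocks."""
    return any(prefix.version == r.version and prefix.subnet_of(r) for r in resources)


def chain_ok(cert):
    """Walk up to the root; each certificate's resources must sit inside its issuer's."""
    while cert.issuer is not None:
        if not all(covered(r, cert.issuer.resources) for r in cert.resources):
            return False
        cert = cert.issuer
    return True


def roa_ok(prefixes, signer):
    """Accept a ROA only if the signer holds every prefix and its chain is sound."""
    return chain_ok(signer) and all(covered(p, signer.resources) for p in prefixes)


def nets(*cidrs):
    """Parse CIDR strings into network objects."""
    return [ip_network(c) for c in cidrs]


# Constructed sample hierarchy using documentation prefixes (assumed values).
root = Cert("root", nets("192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"))
lir_a = Cert("lir-a", nets("192.0.2.0/25", "2001:db8:a::/48"), root)
lir_b = Cert("lir-b", nets("198.51.100.0/24"), root)
# A certificate claiming more than its issuer holds breaks the chain.
rogue = Cert("rogue", nets("192.0.2.0/24"), lir_a)

if __name__ == "__main__":
    print(roa_ok(nets("192.0.2.0/26"), lir_a))     # prefix held by lir-a
    print(roa_ok(nets("198.51.100.0/24"), lir_a))  # prefix held by lir-b
    print(roa_ok(nets("192.0.2.0/24"), rogue))     # chain over-claims
```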

More Information:
RIPE NCC RPKI Certification Practice Statement