RIPE NCC RPKI Test Environment
RIPE NCC RPKI Test Environment
The RIPE NCC RPKI Test Environment is a service provided on a best effort basis, but we try to maximise the availability. In addition, this server is where new beta features are deployed first, so you may encounter some functionality that is not available or that works differently than on the production system. Please contact us at sw-enhancements _at_ ripe _dot_ net if you have any questions or problems.
The Hosted Platform
If you would like to experiment with how Route Origin Authorisations (ROAs) affect your BGP announcements, we provide a hosted test environment in the LIR Portal. It is a mirror of the production service, running on a separate system. Any ROA you create in the test environment will not affect the production dataset.
The ROAs that you create here are published in a different repository, under a separate Trust Anchor:
Copy the text above in a file called "RIPE-NCC-Pilot.tal" and save it into the /conf/tal directory of the RIPE NCC RPKI Validator to use it.
Running Your Own Certificate Authority
We offer members the ability to run their own RPKI Certificate Authority (CA), using the RIPE NCC RPKI Test Environment as a parent. Please note that at this time, the RIPE NCC parent system does not support publication of objects generated by a child CA. This means that you will have to host and publish all objects yourself. If you would like to set up a delegated CA, please follow these steps:
1. Install the rpkid package
From rpki.net, download, build and run the rpkid source code - use platform-specific packages for FreeBSD or Ubuntu or use the VirtualBox appliance image to set up your own CA. The RIPE NCC does not offer support on this third party software package. Please refer to the documentation and support available on rpki.net.
2. Set up rpkid as a child to the RIPE NCC
The set-up procedure for using rpkid as a child to the RIPE NCC as a parent is almost identical to the procedure needed to set up rpkid as a self-hosted, self-publishing child to another rpkid instance. The main difference is in the way identity tokens are exchanged between the systems.
In order to make this work, simply follow all the steps described in the rpkid documentation, with these exceptions:
Uploading your identity.xml to the RIPE NCC
Once you have have generated the identity.xml for your rpkid (myrpki initialize), it will prompt you to send the file to your parent. At this point, follow these steps:
- Make sure that you have an LIR Portal account with the "certification" group enabled. If not, please follow these instructions.
- Go to the RIPE NCC Non-Hosted Test Environment and activate your non-hosted CA.
- Upload the identity.xml file generated by rpkid.
- You will be taken to the "identity page" where you can download the identity.xml file that is generated by the server.
- Use this file for the "configure_parent" command as described in the rpkid documentation.
- Use the xml file generated by myrpki as input to the "configure_publication_client" command.
- Use the xml file generated by "configure_publication_client" as input to the "configure_repository" command.
Re-initialising the system
The RIPE NCC RPKI Test Environment does not offer a way to re-initialise the identity exchange. If something went wrong or you want to restart the process for any reason, please REVOKE your current non-hosted CA by following these steps:
- Open the "identity page" on the Non-Hosted Test Environment.
- Click "REVOKE" to revoke your current Certificate Authority. Note: this step can not be undone!