PaaS onboarding with Krill

The RIPE NCC RPKI Publication Service for delegated CAs is currently in an open beta phase. We have on-boarded the first participants that responded to our call for participants after our RIPE 84 presentation.

While the service is available and monitored as a production service, we may need to make changes to this service at short notice. If you want to participate in our open beta, please get in touch with us at rpki _at_ ripe _dot_ net.

The delegated CA may be configured in two different ways regarding the data it publishes: it can maintain its own repositories (RRDP and rsync), or it can publish the objects it generates to the parent, i.e. the RIPE NCC CA. This document describes the second case - publishing data to the repository of the RIPE NCC CA. The published data ends up in the repository with the URL http://rrdp.paas.ripe.net/notification.xml

This document assumes that the user is configuring the Krill CA management software.


Creating a delegated CA

To create a delegated CA, go to the RPKI Dashboard, select “Delegated” and click the “I accept. Create my Certificate Authority” button.

The next steps perform the identity exchange between the delegated CA and the RIPE NCC CA.

The child request XML can be downloaded from the Krill UI in the “Parents” tab. Press the download button and upload the resulting “child-request.xml” file to the RPKI Dashboard.

Screenshot: Krill UI

Screenshot: RPKI Dashboard

Download the server identity XML file from the RPKI Dashboard by clicking the “Download this server's identity xml file (used to configure your local Certificate Authority)” link, upload that XML file in the Krill UI and press ‘Confirm’.

Press the ‘Provision new repository’ button in the RPKI Dashboard to go to the publisher request upload form. In the Krill UI, go to the “Repository” tab, download the publisher_request.xml file and upload it to the RPKI Dashboard upload form.


Download another identity XML file (this time the repository identity) by clicking the download link in the table of publication points (marked in red in the screenshot below).

Upload it to the Krill UI.

At this stage, the publication point in the RIPE NCC repository should be set up. To see the results immediately, click on ‘Refresh repository’ on the Repository tab in the Krill UI. The ROA and Parent tabs should then show the current set of ROAs and some information about the Parent CA.
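The two request/response pairs exchanged above (child request and parent response, publisher request and repository response) are RFC 8183 identity-exchange documents. Before pressing ‘Confirm’ it is worth checking that the downloaded response actually belongs to the request you uploaded: that the handles match, that the message carries the expected BPKI trust anchor, and that the service, rsync and RRDP URIs use the schemes the protocol requires. The following added example, which is not RIPE NCC or Krill code, does those checks; the sample XML documents, handles and example.net URIs in it are constructed for the example, and the base64 BPKI TA value is a five-byte DER placeholder rather than a real certificate.

```python
"""Consistency checks for RFC 8183 identity-exchange XML (added example,
not RIPE NCC or Krill code).  Sample documents below are constructed."""
import base64
import xml.etree.ElementTree as ET

NS = "http://www.hactrn.net/uris/rpki/rpki-setup/"   # fixed by RFC 8183
VERSION = "1"

# message type -> (required attributes, name of the BPKI trust-anchor element)
SCHEMA = {
    "child_request": (["child_handle"], "child_bpki_ta"),
    "parent_response": (["service_uri", "child_handle", "parent_handle"], "parent_bpki_ta"),
    "publisher_request": (["publisher_handle"], "publisher_bpki_ta"),
    "repository_response": (["service_uri", "publisher_handle", "sia_base",
                             "rrdp_notification_uri"], "repository_bpki_ta"),
}
PAIRS = {"child_request": "parent_response", "publisher_request": "repository_response"}


def parse_message(xml_text: str) -> dict:
    """Parse one RFC 8183 message; raise ValueError if it is malformed."""
    root = ET.fromstring(xml_text)
    if not root.tag.startswith("{" + NS + "}"):
        raise ValueError(f"unexpected namespace in root element {root.tag}")
    kind = root.tag[len(NS) + 2:]
    if kind not in SCHEMA:
        raise ValueError(f"unknown message type {kind}")
    if root.get("version") != VERSION:
        raise ValueError(f"{kind}: version must be {VERSION}")
    attrs, ta_elem = SCHEMA[kind]
    missing = [a for a in attrs if not root.get(a)]
    if missing:
        raise ValueError(f"{kind}: missing attribute(s) {missing}")
    ta = root.find("{%s}%s" % (NS, ta_elem))
    if ta is None or not (ta.text or "").strip():
        raise ValueError(f"{kind}: missing {ta_elem}")
    # The TA is a base64-encoded DER certificate; a DER SEQUENCE begins with 0x30.
    der = base64.b64decode("".join(ta.text.split()), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError(f"{kind}: {ta_elem} is not DER")
    return {"kind": kind, "attrs": {a: root.get(a) for a in attrs}, "bpki_ta": der}


def check_exchange(request_xml: str, response_xml: str) -> list:
    """Return a list of problems for a request/response pair (empty = consistent)."""
    req, resp = parse_message(request_xml), parse_message(response_xml)
    if PAIRS.get(req["kind"]) != resp["kind"]:
        return [f"{resp['kind']} is not the response to a {req['kind']}"]
    handle = "child_handle" if req["kind"] == "child_request" else "publisher_handle"
    problems = []
    if req["attrs"][handle] != resp["attrs"][handle]:
        problems.append(f"{handle} mismatch: request={req['attrs'][handle]!r} "
                        f"response={resp['attrs'][handle]!r}")
    if not resp["attrs"]["service_uri"].startswith("https://"):
        problems.append("service_uri must use https")
    if resp["kind"] == "repository_response":
        if not resp["attrs"]["sia_base"].startswith("rsync://"):
            problems.append("sia_base must be an rsync:// URI")
        if not resp["attrs"]["rrdp_notification_uri"].startswith("https://"):
            problems.append("rrdp_notification_uri must use https")
    return problems


# Constructed sample data.  PLACEHOLDER_TA is base64 of a 5-byte DER SEQUENCE,
# standing in for the real BPKI certificate that Krill and the dashboard emit.
PLACEHOLDER_TA = "MAMCAQE="
CHILD_REQUEST = f'''<child_request xmlns="{NS}" version="1" child_handle="example-ca">
  <child_bpki_ta>{PLACEHOLDER_TA}</child_bpki_ta>
</child_request>'''
PARENT_RESPONSE = f'''<parent_response xmlns="{NS}" version="1"
    service_uri="https://paas.example.net/up-down/example-ca"
    child_handle="example-ca" parent_handle="example-parent">
  <parent_bpki_ta>{PLACEHOLDER_TA}</parent_bpki_ta>
</parent_response>'''
PUBLISHER_REQUEST = f'''<publisher_request xmlns="{NS}" version="1" publisher_handle="example-ca">
  <publisher_bpki_ta>{PLACEHOLDER_TA}</publisher_bpki_ta>
</publisher_request>'''
REPOSITORY_RESPONSE = f'''<repository_response xmlns="{NS}" version="1"
    service_uri="https://paas.example.net/publish/example-ca"
    publisher_handle="example-ca"
    sia_base="rsync://rsync.example.net/repo/example-ca/"
    rrdp_notification_uri="https://rrdp.example.net/notification.xml">
  <repository_bpki_ta>{PLACEHOLDER_TA}</repository_bpki_ta>
</repository_response>'''

if __name__ == "__main__":
    for name, req, resp in (("parent", CHILD_REQUEST, PARENT_RESPONSE),
                            ("repository", PUBLISHER_REQUEST, REPOSITORY_RESPONSE)):
        print(name, check_exchange(req, resp) or "OK")
```

To use it on real files, read child-request.xml and the downloaded parent identity XML (or publisher_request.xml and the repository identity XML) into strings and pass them to check_exchange; an empty list means the handles, namespace, version and URI schemes are consistent and the BPKI trust anchor decodes as DER. The check deliberately stops at DER framing: verifying the certificate itself is Krill's job once the file is uploaded.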

Removing a delegated CA

If you need to delete the CA and start from scratch, it is recommended to proceed as follows:

  1. Revoke the delegated CA: to revoke (or revoke and re-create) a delegated CA, click the ‘Revoke delegated CA’ link in the RPKI Dashboard.
  2. Delete the content of the Krill data directory (the one mentioned on https://krill.docs.nlnetlabs.nl/en/stable/install-and-run.html#generate-configuration-file).

To migrate an existing Krill installation to the publication service provided by the RIPE NCC, it is recommended to follow the steps in the Krill documentation.

Please contact us if you need more information.
