Skip to main content

RIPE NCC RPKI Test Environment

The RIPE NCC RPKI Test Environment is a service provided on a best effort basis, but we try to maximise the availability. In addition, this server is where new beta features are deployed first, so you may encounter some functionality that is not available or that works differently than on the production system. Please contact us at [email protected] if you have any questions or problems.

The Hosted Platform

If you would like to experiment with how Route Origin Authorisations (ROAs) affect your BGP announcements, we provide a hosted test environment. It is a mirror of the production service, running on a separate system. Any ROA you create in the test environment will not affect the production dataset.

The ROAs that you create here are published in a different repository, under a separate Trust Anchor:

rsync://localcert.ripe.net/ta/ripe-ncc-pilot.cer
https://localcert.ripe.net/ta/ripe-ncc-pilot.cer

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjaAKXZUuvhHLJC08qD7
mf4b1nJ8+u22pGP2xWLWfP4ICmiv7Fazpq0FS/WUoUIe3dVU/QOcF4WKlG2ANmy
33Vlraf3JGiPWqJUrZL7LxYjiMG7/N7gRsBDFoBcNDncODKPOnBf/AXbDVIa+vc
+amWaav7cengvsR/wsPxYGoJY/26EJQG2EbDSDJr4/vH3Goe7qm6qL1505xE02+
U21nVHU6123Q1eeBDzhzBz0MuxKijDse4HqQ2+Pe1IK9adntTeAnBjF3aDmuUcV
ysP5wAVuLQXHR7qXR05NUUPmC6kEyBl/rWhKXMnGgBXSq0so00B7leQKK+s/ICS
Ctm7zAjQIDAQAB

Copy the text above in a file called "RIPE-NCC-Pilot.tal" and save it into the relevant directory of the Validator(s) that you use.

Running Your Own Certificate Authority

We offer members the ability to run their own RPKI Certificate Authority (CA), using the RIPE NCC RPKI Test Environment as a parent. Please note that at this time, this test version of the parent system does not support the publication of objects generated by a child CA (aka "Publication as a Service" or "publish-in-parent"). This means that you will have to host and publish all objects yourself.

To set up a delegated CA, you can choose between the following Certificate Authority tools and follow the instructions provided by their vendors:

  1. Dragon Research Labs Certificate Authority RPKI Certificate Authority software by Dragon Research Labs, written in the Python programming language.
    Link to Github
  2. Krill RPKI Certificate Authority software by NLnet Labs, written in the Rust programming language.
    Krill documentation
    NLnet Labs blog on running Krill under RIPE NCC

For more information, visit https://rpki.readthedocs.io/en/latest/tools.html

You will need to activate the non-hosted CA via the RIPE NCC Non-Hosted Test Environment.


Re-initialising the system
The RIPE NCC RPKI Test Environment does not offer a way to re-initialise the identity exchange. If something went wrong or you want to restart the process for any reason, please REVOKE your current non-hosted CA by following these steps:

  1. Open the "identity page" on the Non-Hosted Test Environment.
  2. Click "REVOKE" to revoke your current Certificate Authority. Note: this step can not be undone!