Using the RPKI system

The Resource Certificate

The resource certificate is linked to the organisation object in the RIPE Database of an LIR or End User.

This is because it can only be authoritatively stated who the holder of a given Internet number resource is for as long as you are a RIPE NCC member with a contractual relationship with the RIPE NCC. The certificate has a validity of 18 months, but it is automatically renewed every 12 months.

If you obtain new resources from the RIPE NCC, they will be automatically added to your certificate. If you return resources to the RIPE NCC, a new, updated certificate is automatically issued. Any statement you have made referring to resources you no longer hold will be automatically invalidated.

In case an Internet number resource is moved or transferred (for example, if an End User becomes an LIR, or if there is a transfer), the organisation object listed in the RIPE Database will change, and therefore the certificate will change.

This means that the underlying ROAs will be removed and must be recreated.

The Hosted System: RIPE NCC Hosts Your RPKI Certificate Authority

The advantage of the hosted system is that there is nothing you have to manage except making sure that your ROAs match your intended BGP routing. We provide a simple web-based user interface in which you can manage your ROAs, as well as an API. All of the cryptographic operations, such as key rollovers and publication, are handled by the system. The disadvantage is that the private key of your resource certificate resides on a server hosted by the RIPE NCC and is not retrievable from the secured system.
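Two checks follow from the text above: a ROA is only meaningful while its prefix is still covered by the resources on your certificate (the "automatically invalidated" case when resources are returned), and the ROAs you hold should match what you actually announce in BGP. The following is an added example, not RIPE NCC code and not part of the hosted system's API. It implements the containment check against a constructed certificate resource set and a simplified RFC 6811 route origin validation over constructed ROAs; the prefixes and AS numbers are documentation values chosen for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """One Route Origin Authorisation: prefix, maxLength and origin ASN."""
    prefix: str
    max_length: int
    asn: int


def _covers(outer: str, inner) -> bool:
    """True if `inner` (an ip_network) lies inside the prefix string `outer`.
    subnet_of() raises on mixed address families, so check the version first."""
    o = ipaddress.ip_network(outer)
    return o.version == inner.version and inner.subnet_of(o)


def roa_covered_by_certificate(roa: Roa, cert_prefixes) -> bool:
    """A ROA is only valid while its prefix is inside the resources listed on
    the issuing certificate (RFC 6482). Resources returned to the RIPE NCC
    drop off the certificate, so the ROA stops being covered."""
    p = ipaddress.ip_network(roa.prefix)
    return any(_covers(c, p) for c in cert_prefixes)


def stale_roas(roas, cert_prefixes):
    """ROAs that refer to resources no longer on the certificate; these are the
    statements the page says will be automatically invalidated."""
    return [r for r in roas if not roa_covered_by_certificate(r, cert_prefixes)]


def validate_route(prefix: str, origin_asn: int, roas) -> str:
    """Route origin validation as in RFC 6811 (simplified):
    'not-found' if no ROA covers the announced prefix,
    'valid' if a covering ROA names this origin and allows this prefix length,
    'invalid' otherwise. An AS0 ROA (RFC 7607) never authorises an origin."""
    announced = ipaddress.ip_network(prefix)
    covering = [r for r in roas if _covers(r.prefix, announced)]
    if not covering:
        return "not-found"
    for r in covering:
        if r.asn != 0 and r.asn == origin_asn and announced.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


# Constructed sample data (documentation prefixes and private-use ASNs).
CERT_RESOURCES = ["192.0.2.0/24", "2001:db8::/32"]
ROAS = [
    Roa("192.0.2.0/24", 24, 64496),       # covered by the certificate
    Roa("2001:db8::/32", 48, 64496),      # covered; allows up to /48
    Roa("198.51.100.0/24", 24, 64496),    # NOT on the certificate any more
]

if __name__ == "__main__":
    for r in stale_roas(ROAS, CERT_RESOURCES):
        print("ROA no longer covered by certificate:", r)
    for route in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                  ("192.0.2.0/24", 64497), ("203.0.113.0/24", 64496)]:
        print(route, "->", validate_route(route[0], route[1], ROAS))
```

Running the script lists the ROA for 198.51.100.0/24 as stale, and shows the /25 announcement as invalid because it exceeds the ROA's maxLength even though the origin AS matches; that is the mismatch between ROAs and intended routing that the hosted interface leaves you responsible for.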

The Delegated System: Running Your Own Certificate Authority

There are several open source implementations that allow operators to run Certificate Authority (CA) software that securely interfaces with the RIPE NCC parent system. This way, you are in complete control of your resource certificate and the corresponding private key. In addition, you will be able to choose where to publish your certificate and ROAs. You can publish everything yourself, or you can choose another party to publish the cryptographic material for you.

When enabling RPKI on my.ripe.net, you can choose if you would like to use Hosted or Delegated RPKI. When choosing Delegated RPKI, you will be asked to supply an XML file generated by your Certificate Authority software. In turn, the RIPE NCC system will generate a response XML file that you should download and use within your RPKI CA software. Please refer to the documentation of the software provider for additional details.

Tools and Services: RIPE NCC Hosted Resource Certification (RPKI) Service (requires RIPE NCC Access login)
Tools and Resources for the Resource Certification (RPKI) service
Dragon Research Labs open source implementation of RPKI tools
RPKI Management API for the hosted system
Krill by NLnet Labs

More information:
RPKI Test Environment