Mailing List Archive

ARIN hosted RPKI key rotation
Hello folks,

I use ARIN hosted RPKI to publish ROAs

The ROAs have an expire date

How do I rotate the cert to push out the expiration date? Does ARIN do
this for me?

Thanks!
Re: ARIN hosted RPKI key rotation
I believe it's manual, ten years and you need to update the ROA.

On Fri, Nov 20, 2020, 6:55 AM Ca By <cb.list6@gmail.com> wrote:

> Hello folks,
>
> I use ARIN hosted RPKI to publish ROAs
>
> The ROAs have an expire date
>
> How do I rotate the cert to push out the expiration date? Does ARIN do
> this for me?
>
> Thanks!
>
Re: ARIN hosted RPKI key rotation
On Fri, Nov 20, 2020 at 10:59 AM TJ Trout <tj@pcguys.us> wrote:
>
> I believe it's manual, ten years and you need to update the ROA.
>

I don't think 10yrs is correct... I do think you'd be responsible for
re-publishing your content periodically though.
Looking at, quite a handy tool, Job's console.rpki-client.org for a
set of things that concern me, this one in particular:
(one particular ROA)
<http://console.rpki-client.org/rpki.arin.net/repository/arin-rpki-ta/5e4a23ea-e80a-403e-b08c-2171da2157d3/f60c9f32-a87c-4339-a2f3-6299a3b02e29/5e9328a9-e1d2-45d8-bdb5-eefe152994f9/c130a86a-6524-3fd7-9dbf-338bc9d5a0a7.roa.html>

Validity
Not Before: Aug 18 04:00:00 2020 GMT
Not After : Nov 20 05:00:00 2022 GMT

Oh, I do see that the parent cert here is:
<http://console.rpki-client.org/rpki.arin.net/repository/arin-rpki-ta/5e4a23ea-e80a-403e-b08c-2171da2157d3/f60c9f32-a87c-4339-a2f3-6299a3b02e29/5e9328a9-e1d2-45d8-bdb5-eefe152994f9.cer.html>

which has:
Validity
Not Before: Oct 1 11:28:43 2019 GMT
Not After : Oct 1 11:28:43 2029 GMT

This is, I think, actually controlled by ARIN, it has the subordinate
resources from ARIN -> this-org
in it... so at least the content of this file is generated/maintained
by the parent (RIR in this case).

> On Fri, Nov 20, 2020, 6:55 AM Ca By <cb.list6@gmail.com> wrote:
>>
>> Hello folks,
>>
>> I use ARIN hosted RPKI to publish ROAs
>>
>> The ROAs have an expire date
>>
>> How do I rotate the cert to push out the expiration date? Does ARIN do this for me?
>>
>> Thanks!
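
The two Not After values quoted in the message above can be turned into an expiry check. This is an added example, not part of the thread and not ARIN or rpki-client code: it takes the earliest Not After among the ROA and its parent certificate as the effective expiry, and the 30-day warning window and the `now` values are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Validity strings exactly as quoted in the thread (OpenSSL text format).
ROA_NOT_AFTER = "Nov 20 05:00:00 2022 GMT"      # the ROA
PARENT_NOT_AFTER = "Oct 1 11:28:43 2029 GMT"    # the parent certificate


def parse_validity(text):
    """Parse an OpenSSL-style validity timestamp into an aware UTC datetime."""
    cleaned = " ".join(text.split())  # collapse padding such as "Oct  1"
    if not cleaned.endswith(" GMT"):
        raise ValueError("expected a GMT timestamp, got %r" % text)
    naive = datetime.strptime(cleaned[:-4], "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def effective_expiry(chain_not_after):
    """A signed object stops validating as soon as any certificate in its
    chain expires, so the earliest Not After is the one that matters."""
    return min(parse_validity(t) for t in chain_not_after)


def check_roa(chain_not_after, now, warn_days=30):
    """Return (status, expiry, whole_days_left) for one ROA and its chain.

    warn_days is an assumed alerting threshold, not an ARIN value.
    """
    expiry = effective_expiry(chain_not_after)
    remaining = expiry - now
    if remaining <= timedelta(0):
        status = "EXPIRED"
    elif remaining <= timedelta(days=warn_days):
        status = "WARN"
    else:
        status = "OK"
    return status, expiry, remaining.days


if __name__ == "__main__":
    # Constructed "now": the day the thread was written.
    now = datetime(2020, 11, 20, 16, 0, tzinfo=timezone.utc)
    status, expiry, days = check_roa([ROA_NOT_AFTER, PARENT_NOT_AFTER], now)
    print(status, expiry.isoformat(), days)
```
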
Re: ARIN hosted RPKI key rotation
On Fri, Nov 20, 2020 at 8:12 AM Christopher Morrow <morrowc.lists@gmail.com>
wrote:

> On Fri, Nov 20, 2020 at 10:59 AM TJ Trout <tj@pcguys.us> wrote:
> >
> > I believe it's manual, ten years and you need to update the ROA.
> >
>
> I don't think 10yrs is correct... I do think you'd be responsible for
> re-publishing your content periodically though.


Can anyone point me to a procedure on how this can be done safely using
ARIN machinery?


> Looking at, quite a handy tool, Job's console.rpki-client.org for a
> set of things that concern me, this one in particular:
> (one particular ROA)
> <http://console.rpki-client.org/rpki.arin.net/repository/arin-rpki-ta/5e4a23ea-e80a-403e-b08c-2171da2157d3/f60c9f32-a87c-4339-a2f3-6299a3b02e29/5e9328a9-e1d2-45d8-bdb5-eefe152994f9/c130a86a-6524-3fd7-9dbf-338bc9d5a0a7.roa.html>
>
> Validity
> Not Before: Aug 18 04:00:00 2020 GMT
> Not After : Nov 20 05:00:00 2022 GMT
>
> Oh, I do see that the parent cert here is:
> <http://console.rpki-client.org/rpki.arin.net/repository/arin-rpki-ta/5e4a23ea-e80a-403e-b08c-2171da2157d3/f60c9f32-a87c-4339-a2f3-6299a3b02e29/5e9328a9-e1d2-45d8-bdb5-eefe152994f9.cer.html>
>
> which has:
> Validity
> Not Before: Oct 1 11:28:43 2019 GMT
> Not After : Oct 1 11:28:43 2029 GMT
>
> This is, I think, actually controlled by ARIN, it has the subordinate
> resources from ARIN -> this-org
> in it... so at least the content of this file is generated/maintained
> by the parent (RIR in this case).
>
> > On Fri, Nov 20, 2020, 6:55 AM Ca By <cb.list6@gmail.com> wrote:
> >>
> >> Hello folks,
> >>
> >> I use ARIN hosted RPKI to publish ROAs
> >>
> >> The ROAs have an expire date
> >>
> >> How do I rotate the cert to push out the expiration date? Does ARIN do this for me?
> >>
> >> Thanks!
>