PaaS onboarding with Krill
The delegated CA may be configured in two different ways regarding the data it publishes: it can choose to maintain its own repositories (RRDP and rsync) or it can choose to publish its generated object to the parent, i.e. RIPE NCC CA. This document describes the second case - publishing data to the repository of the RIPE NCC CA. The published data ends up in the repository with the URL https://rrdp.paas.rpki.ripe.net/notification.xml.
This document assumes that the user is configuring Krill CA management software.
Click on the images to view them full size.
Creating a delegated CA
To create a delegated CA go to the RPKI Dashboard, select “Delegated" and click the “I accept. Create my Certificate Authority” button.
The next steps are necessary to do the identity exchange between the delegated CA and the RIPE NCC CA.
This child request XML can be downloaded from the Krill UI in the “Parents” tab. Press the download button and upload the resulting “child-request.xml” to the RPKI Dashboard.
Krill UI
RPKI Dashboard
Download the server identity XML file from the RPKI Dashboard by clicking the “Download this server's identity xml file (used to configure your local Certificate Authority)” link, upload the XML file in the Krill UI and press ‘Confirm’.
Press the ‘Provision new repository’ in the RPKI Dashboard to go to the publisher request upload form. In Krill UI, in the “Repository” tab download the publisher_request.xml and upload it to the RPKI Dashboard upload form.
Download another identity XML file (this time the repository identity) clicking the download link in the table of publication points (marked in red in the screenshot below).
Upload it to Krill UI
At this stage, the publication point in the RIPE NCC repository should be setup. To see the results immediately, click on 'Refresh repository' on the Repository tab in the Krill UI. The ROA and Parent tabs should show the current set of ROAs and some information about the Parent CA.
Removing a delegated CA
If you need to delete the CA and start from scratch, it is recommended to proceed as follows:
- Revoke the delegated CA:To revoke (or revoke and re-create) a delegated CA, click the ‘Revoke delegated CA’ link in the RPKI Dashboard.
- Delete the content of the Krill data directory (the one mentioned on https://krill.docs.nlnetlabs.nl/en/stable/install-and-run.html#generate-configuration-file).
To migrate an existing Krill installation to the publication service provided by the RIPE NCC, it is recommended to follow the steps in the Krill documentation.