RPKI Troubleshooting

OpenSSL is not working

  1. Do you have the correct version of OpenSSL installed? ARIN has tested and verified Key Pair generation with the following versions:
    • OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
    • OpenSSL 0.9.8x 10 May 2012
    • OpenSSL 1.0.1c 10 May 2012
  2. Did you type the steps exactly as they appear in the instructions for generating the key pair or signing a ROA?

My public key isn’t being accepted

  • Is the ROA Request Generation or Delegated RPKI Key Pair you generated an RSA Key Pair?
  • Is the key size 2048 bits?
  • Is the public exponent F4?
  • Are you providing only the public key?
  • Are you providing the PEM encoded version of the public key?

Note: If this problem persists, please open an Ask ARIN help desk ticket in ARIN Online or call 703-227-0660 for further assistance.

I don’t see a “Manage RPKI” option on my organization’s page in ARIN Online

You will not see this option if your resources:

  • Are not covered by a Registration Services Agreement (RSA) or Legacy RSA (LRSA)
  • Were not issued directly to your organization by ARIN

I can’t create a ROA

Are your resources covered by a resource certificate? In order for a ROA to be valid, each IP address included must be covered by the resource certificate. If any IP address (IPv4 or IPv6) in any ROA prefix is not covered by the resource certificate, the entire ROA is considered invalid and will not be signed.

Note: Your Autonomous System Numbers (ASNs) will be in your resource certificate. However, any Autonomous System (AS) may be authorized to originate your ROA prefixes.

My ROA request is invalid

There are many reasons that a ROA request could be considered invalid. Be sure that you:

  • Use the correct private key to sign your ROA request
  • Set version to “1”
  • Use a valid ROA submission date
    • The submission date cannot be more than one hour in the future and cannot be more than 24 hours in the past, and must be specified in terms of the number of seconds since January 1, 1970.
  • Include a trailing vertical bar | after each ROA prefix
    • You must include the vertical bar | even when you do not specify a maximum length. For example, each ROA prefix should look like either 10.10.0.0|16|| or 10.10.0.0|16|20|.
  • Remove the “AS” before your Autonomous System number
  • Use only letters, numbers, spaces and dash (-) characters in your ROA name
  • Enter validity start and end dates in “mm-dd-yyyy” format
  • Use a date within the validity date range of the resource certificate
    • To view the validity date range of a resource certificate, log in to ARIN Online and:
      • Select Your Records > Organization Identifiers
      • Select your organization
      • Select Actions > Manage RPKI
      • Select Hosted or Delegated RPKI
  • Remove any “newline” characters (\r\n or \n) after your ROA prefixes
  • Use a properly formatted signature (must use Secure Hash Algorithm [SHA] 256 with an RSA algorithm, and must be PEM encoded)
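An added example, not ARIN's own code, that checks a ROA request against the rules above before it is signed and submitted. The request is modelled as a dict whose key names are this example's assumption; the per-field rules (version 1, epoch-seconds submission time within the window, bare AS number, name charset, mm-dd-yyyy dates, `addr|len|maxlen|` prefixes with the trailing bar) are the ones listed above.

```python
import ipaddress
import re
import time
from datetime import datetime

# Pre-submission checks for the ROA request fields listed above. The dict
# layout and key names are this example's own assumptions; the rules are
# the ones ARIN states: version "1", epoch-seconds submission time, bare AS
# number, restricted name charset, mm-dd-yyyy dates, "addr|len|maxlen|" prefixes.

NAME_RE = re.compile(r"^[A-Za-z0-9 -]+$")

def format_prefix(cidr, max_length=None):
    """Render one ROA prefix as '10.10.0.0|16||' or '10.10.0.0|16|20|' (trailing bar kept)."""
    net = ipaddress.ip_network(cidr, strict=True)           # rejects host bits set
    if max_length is not None and not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    ml = "" if max_length is None else str(max_length)
    return f"{net.network_address}|{net.prefixlen}|{ml}|"

def check_roa_request(req, now=None):
    """Return a list of problems; an empty list means every field passes these checks."""
    now = int(time.time()) if now is None else now
    problems = []
    if str(req.get("version")) != "1":
        problems.append("version must be 1")
    ts = req.get("submitted")
    if not isinstance(ts, int) or not now - 24 * 3600 <= ts <= now + 3600:
        problems.append("submitted must be epoch seconds, at most 24h past or 1h future")
    asn = str(req.get("asn", ""))
    if not asn.isdigit():                                   # catches "AS64496", blanks, etc.
        problems.append("asn must be digits only, without the 'AS' prefix")
    if not NAME_RE.match(req.get("name", "")):
        problems.append("name may contain only letters, numbers, spaces and dashes")
    for key in ("valid_from", "valid_to"):
        try:
            datetime.strptime(req.get(key, ""), "%m-%d-%Y")
        except ValueError:
            problems.append(f"{key} must be in mm-dd-yyyy format")
    for p in req.get("prefixes", []):
        if "\r" in p or "\n" in p:
            problems.append(f"prefix {p!r} contains a newline character")
        elif not p.endswith("|") or p.count("|") != 3:
            problems.append(f"prefix {p!r} must be 'addr|len|maxlen|' with the trailing bar")
    return problems
```

The validity-date range of the resource certificate is not checked here, since it has to be read from ARIN Online as described above.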

The private key of my ROA Request Generation Key Pair has been lost/compromised

If the private key of your ROA Request Generation Key Pair is lost or compromised, you will not be able to submit new ROA Requests for your existing resource certificate. ARIN uses your public key (matching that private key) to verify your ROA Requests. Without that private key, you will not be able to sign any new ROA Requests. Additionally, if your private key is compromised, any other party may submit ROA Requests as if they were you, compromising the very security enhancement RPKI is designed to offer.

You may not alter an existing ROA Request Generation Key Pair. However, you may generate a new one, request that a new resource certificate be issued, and provide the new public key to ARIN. All of your existing ROA requests must then be resubmitted, as they were invalidated when your original resource certificate was revoked.

The private key of my Delegated RPKI Key Pair has been lost/compromised

Delegated RPKI Key Pairs may not be altered. If you lose your Delegated RPKI private key, you will not be able to regenerate your manifest or create any new RPKI objects until you:

  1. Create an Ask ARIN help desk ticket in ARIN Online to request to have your current resource certificate deleted.
  2. Generate a new Key Pair.
  3. Request a new delegated resource certificate from ARIN using your new public key and your Base CA Production URI.
  4. Delete and recreate your Certificate Revocation List (CRL), your manifest, and all resource certificates and ROAs.

My RPKI repository has been compromised

Should your RPKI repository become corrupted, compromised, or inaccessible, you must:

  1. Create an Ask ARIN help desk ticket in ARIN Online to request to have your current resource certificate deleted.
  2. Generate a new Delegated RPKI Key Pair.
  3. Request a new delegated resource certificate from ARIN using your new public key and your Base CA Production URI.
  4. Delete and recreate all RPKI objects within your repository, including your Certificate Revocation List (CRL), your manifest, and all resource certificates and ROAs issued to your customers.

Resources have been added to or removed from my certificate

During the process of issuing or revoking Internet number resources, ARIN may add or remove them from your RPKI resource certificate as appropriate. If resources are removed, the resource certificate will reflect that change and ROAs that no longer fit within that resource set will be removed. Additional resources will be added to the existing certificate and will not change the existing ROAs. You can then add or modify ROAs at your leisure to reflect your new resources. Some resources are not eligible to be certified in RPKI, such as:

  • Resources not issued directly from ARIN
  • Resources not covered by an RSA or LRSA agreement

Note: If you have signed up for RPKI and you believe that all or some of your resources are not properly covered by your certificate, please create a ticket using Ask ARIN in ARIN Online or call 703-227-0660 for further assistance.