
RPKI Troubleshooting

Signing up for RPKI

Why do I have to create a Key Pair to use RPKI?

Within Hosted RPKI, a ROA Request Generation Key Pair allows you to sign your ROA Requests in a way that enables ARIN to verify that they came from the correct organization and have not been tampered with. ROA Request signature verification takes place in a trusted environment on a Hardware Security Module (HSM) designed specifically for performing cryptographic operations. ARIN's HSM has been configured to only accept ROA Requests signed with a private key that corresponds with a public key linked to the customer submitting the request. No one else can create ROAs on your behalf.

Within Delegated RPKI, a Delegated RPKI Key Pair is required as a way of verifying the identity of the Delegated RPKI participant. The public key of this Key Pair is given to ARIN along with your Publication URI in order to obtain a delegated resource certificate. The private key of this Key Pair is not distributed, but rather used to sign certificates and ROAs for the customers of a Delegated RPKI participant.

Note: It is your responsibility to keep your private key a secret. If you have reason to believe that your private key has been compromised, see the sections below on lost or compromised private keys.

Why doesn't ARIN generate a ROA Request Generation or Delegated RPKI Key Pair for me?

For security purposes, ARIN will never have access to your private key. Your private key should not be handled or seen by anyone other than you.

Why doesn't OpenSSL work for me?

  • Do you have the correct version of OpenSSL installed?
    • ARIN has tested and verified Key Pair generation with the following versions:
      • OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
      • OpenSSL 0.9.8x 10 May 2012
      • OpenSSL 1.0.1c 10 May 2012
  • Did you type the steps exactly as they appear in the instructions?

My public key isn't being accepted

  • Is the ROA Request Generation or Delegated RPKI Key Pair you generated an RSA Key Pair?
  • Is the key size 2048 bits?
  • Is the public exponent F4?
  • Are you providing only the public key?
  • Are you providing the PEM encoded version of the public key?

If this problem persists, please contact ARIN's Registration Services Department at hostmaster@arin.net or by calling 703.227.0660 for further assistance.

I cannot see a "Manage RPKI" option on my organization's page in ARIN Online

You will not see this option if your resources:

  • Are not covered by a Registration Services Agreement (RSA) or Legacy RSA (LRSA)
  • Consist of ineligible Early Registration Transfer (ERX) resources
  • Were not issued directly to your organization by ARIN

ROA Request submission

Why are there two ways to submit a ROA Request?

You are required to sign each ROA Request with your private key and paste the signed request into your browser. To help make this process easier, ARIN Online users are presented with a convenient HTML5 form, which will load your private key and sign your ROA Request for you. Only certain browsers support this feature. Please see the following section for more information. 

Why does ARIN require specific browser versions to sign a ROA Request in browser?

In order to sign your ROA Request and load your private key within your browser, ARIN uses the HTML5 file API. Your key is not transmitted over the network. ARIN's in-browser ROA Request signing function only supports Firefox version 3.6 or later, and Chrome version 6 or later. 

Why do I have to sign my ROA Requests?

To prevent unauthorized tampering or forgery, you must sign each ROA Request with the private key associated with the ROA Request Generation Key Pair that you generated when registering for RPKI participation. Signatures are verified in a trusted environment on a Hardware Security Module (HSM) designed to perform cryptographic operations.

Why can't I create a ROA?

Are your resources covered by a resource certificate? In order for a ROA to be valid, each IP address included MUST be covered by the resource certificate.  If any IP address (IPv4 or IPv6) in any ROA prefix is not covered by the resource certificate, the entire ROA is considered invalid and will not be signed.

Note: Your Autonomous System Numbers (ASNs) will be in your resource certificate. However, any Autonomous System (AS) may be authorized to originate your ROA prefixes.

My ROA Request is invalid. What did I do?

There are many reasons that a ROA Request could be considered invalid. Be sure that you:

  • Use the correct private key to sign your ROA Request
  • Set version to "1"
  • Use a valid ROA submission date
    • The submission date cannot be more than one hour in the future and cannot be more than 24 hours in the past, and must be specified in terms of the number of seconds since January 1, 1970.
  • Include a trailing vertical bar "|" after each ROA prefix
    • You must include the vertical bar "|" even when you do not specify a maximum length.  For example, each ROA prefix should look like either "10.10.0.0|16||" or "10.10.0.0|16|20|".
  • Remove the "AS" before your Autonomous System number
  • Use only letters, numbers, spaces and dash "-" characters in your ROA name
  • Enter validity start and end dates in "mm-dd-yyyy" format
  • Use a date within the validity date range of the resource certificate.
    • To view the validity date range of a resource certificate:
      • Log into ARIN Online
      • Select ORGANIZATION DATA
      • Select your organization
      • Select "manage rpki"
      • Select Hosted or Delegated RPKI
  • Remove any "newline" characters (\r\n or \n) after your ROA prefixes
  • Use a properly formatted signature (must use Secure Hash Algorithm (SHA) 256 with an RSA algorithm, and must be PEM encoded)
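
The format rules in the checklist above can be applied mechanically before a request is signed. The following Python is an added example, not ARIN's code: it lints a ROA Request string against those rules and leaves the signature and resource-certificate checks aside. The field order, the sample values and the function names are assumptions made for illustration.

```python
import ipaddress
import re
import time
from datetime import datetime

# Constructed sample. The field order (version|timestamp|name|origin AS|start|
# end|address|length|max length|) is an assumption, not stated on the page.
SAMPLE = "1|1340135296|My First ROA|1234|05-25-2011|05-25-2012|10.10.0.0|16|20|"

def _is_date(value):
    try:
        datetime.strptime(value, "%m-%d-%Y")
    except ValueError:
        return False
    return re.fullmatch(r"[0-9]{2}-[0-9]{2}-[0-9]{4}", value) is not None

def lint_roa_request(text, now=None):
    """Return the checklist problems found in a ROA Request (empty list = none)."""
    now = int(time.time()) if now is None else now
    problems = []
    if "\r" in text or "\n" in text:
        problems.append("newline character present")
        text = text.replace("\r", "").replace("\n", "")
    if not text.endswith("|"):
        problems.append("no trailing '|' after the last ROA prefix")
        text += "|"
    fields = text[:-1].split("|")
    if len(fields) < 9 or (len(fields) - 6) % 3:
        return problems + ["fields do not form 6 header values plus prefix triples"]
    version, stamp, name, asn, start, end = fields[:6]
    if version != "1":
        problems.append("version is not 1")
    if not re.fullmatch(r"[0-9]+", stamp):
        problems.append("submission date is not seconds since January 1, 1970")
    elif not now - 86400 <= int(stamp) <= now + 3600:
        problems.append("submission date is over 24 hours old or over 1 hour ahead")
    if not re.fullmatch(r"[A-Za-z0-9 -]+", name):
        problems.append("ROA name uses characters other than letters, numbers, space, dash")
    if not re.fullmatch(r"[0-9]+", asn):
        problems.append("origin AS is not a bare number (remove 'AS')")
    problems += [f"validity date {d!r} not mm-dd-yyyy" for d in (start, end) if not _is_date(d)]
    for i in range(6, len(fields), 3):
        addr, length, maxlen = fields[i:i + 3]
        try:  # added sanity checks on the prefix itself, beyond the page's list
            net = ipaddress.ip_network(f"{addr}/{length}")
            if maxlen and not net.prefixlen <= int(maxlen) <= net.max_prefixlen:
                raise ValueError(maxlen)
        except ValueError:
            problems.append(f"malformed ROA prefix {addr}|{length}|{maxlen}|")
    return problems
```

A prefix written without its final bar and without a maximum length (for example ending in "10.10.0.0|16|") is reported as a field-count problem, because the remaining fields no longer form complete triples.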

The private key of my ROA Request Generation Key Pair has been lost/compromised!

If the private key of your ROA Request Generation Key Pair is lost or compromised, you will not be able to submit new ROA Requests for your existing resource certificate. ARIN uses your public key (matching that private key) to verify your ROA Requests. Without that private key, you will not be able to sign any new ROA Requests. Additionally, if your private key is compromised, any other party may submit ROA Requests as if they were you, compromising the very security enhancement RPKI is designed to offer.

You may not alter an existing ROA Request Generation Key Pair. However, you may generate a new one, request a new resource certificate be issued, and provide a new public key to ARIN. All of your existing ROA Requests must then be resubmitted, as they were invalidated when your original resource certificate was revoked.

The private key of my Delegated RPKI Key Pair has been lost/compromised!

Delegated RPKI Key Pairs may not be altered. If you lose your Delegated RPKI private key, you will not be able to regenerate your manifest or create any new RPKI objects until you:

  • Using Ask ARIN, submit a request to have your current resource certificate deleted
  • Generate a new Key Pair
  • Request a new delegated resource certificate from ARIN using your new public key and your Base CA Production URI
  • Delete and recreate your Certificate Revocation List (CRL), your manifest, and all resource certificates and ROAs

My RPKI repository has been compromised!

Should your RPKI repository become corrupted, compromised, or inaccessible, you must:

  • Using Ask ARIN, submit a request to have your current resource certificate deleted
  • Generate a new Delegated RPKI Key Pair
  • Request a new delegated resource certificate from ARIN using your new public key and your Base CA Production URI
  • Delete and recreate all RPKI objects within your repository, including your Certificate Revocation List (CRL), your manifest, and all resource certificates and ROAs issued to your customers

How do I originate my resources out of multiple Autonomous Systems?

Each Route Origin Authorization (ROA) includes exactly one Autonomous System Number (ASN). Multiple ASNs may be authorized, but each one requires a separate ROA.

Resource Changes

My resources have changed. What do I do?

During the process of issuing or revoking Internet number resources, ARIN may add or remove them from your RPKI resource certificate as appropriate. If resources are removed, the resource certificate will reflect that change and ROAs that no longer fit in that resource set will be removed. Additional resources will be added to the existing certificate and will not change the existing ROAs. You then can add or modify new ROAs at your leisure to reflect changes to your new resources. Some resources are not eligible to be certified in RPKI, such as:

If you have signed up for RPKI and you believe that all or some of your resources are not properly covered by your certificate, please contact ARIN's Registration Services Department at hostmaster@arin.net or by calling 703.227.0660 for further assistance.
