Generating a ROA Request Key Pair

Before configuring hosted RPKI in ARIN Online, you must generate a ROA Request Key Pair. The term “key pair” refers to the two separate pieces of data (a public key and a private key) created using public key cryptography, a system used to secure data. As a hosted RPKI participant, you generate and use ROA Request Generation Key Pairs to secure your ROAs and resource certificate data and cryptographically verify your identity. Your public key is provided to ARIN and is used to cryptographically verify ROA Requests which have been signed by the corresponding private key.

Note: For ARIN Online users with authority over multiple organizations and their resources, it is highly recommended to use a separate ROA Request Generation Key Pair for each organization.

ROA Request Generation Key Pairs can be generated in multiple ways. A recommended method is to use OpenSSL with the following commands:

OpenSSL> genrsa -out orgkeypair.pem 2048

This command generates a ROA Request Generation Key Pair and saves it as a file named orgkeypair.pem.

Extracting the Public Key

After creating the key pair, you need to extract the public key so that you can enter it in ARIN Online:

OpenSSL> rsa -in orgkeypair.pem -pubout -outform PEM -out org_pubkey.pem

This command extracts the public key from the ROA Request Generation key pair and writes it to a file named org_pubkey.pem.

Your key pair is now in a file called orgkeypair.pem, and the public key is in org_pubkey.pem. The private key contained in the key pair file is not to be shared and should be kept secure.

If using an alternate method to generate your key pair, be sure to generate a key pair that:

  • Is an RSA key pair
  • Is 2048 bits in length
  • Uses the public exponent F4 (65537)

The public key (contents of org_pubkey.pem) will look similar to the example below:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzh/1Ws2aiqyxR0tqpkAC
tLGhQMrkYfcxYl7BzxFaSEitdsNhxqNZjAt+IB/yQ9XEKaHL87cqmZlrtEGju0Dk
QKym0onn3JXtS7S1OTRQbjWPN0k9/1HnP/R5xnQvGfaMOPm9S5If6DPr63109inX
5JXv4yNx/x8GZAT+RrhRW/I+PzmXVeSwc89LbADblpQR5x9x6173ncHUV+6UJr2M
niBl7OcFW61jbGhTQSrb9xoUli7IyAciziESE6cG2gqw0fW/ZOo7pUToPaDAPxHJ
vLq0uqtlpG5z3MpAoVibtdtuF9BF2dKHFF6TMwUKJaQ5EQZ+/iODk6CuWz6Q5iZN
GwIDAQAB
-----END PUBLIC KEY-----
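Before pasting a key into ARIN Online it is worth confirming that it really meets the three requirements above, especially when the key was produced with a tool other than OpenSSL. The following Python script is an added example (not part of ARIN's documentation or this page's own material): it parses a PEM-encoded public key with nothing but the standard library, reads the algorithm OID, modulus size and public exponent out of the DER structure, and reports any mismatch against RSA / 2048 bits / F4. It uses the public key shown above as its sample input; the function names are my own.

```python
import base64
import re

# The example public key shown on this page, used here as the sample input.
ARIN_EXAMPLE_PUBKEY = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzh/1Ws2aiqyxR0tqpkAC
tLGhQMrkYfcxYl7BzxFaSEitdsNhxqNZjAt+IB/yQ9XEKaHL87cqmZlrtEGju0Dk
QKym0onn3JXtS7S1OTRQbjWPN0k9/1HnP/R5xnQvGfaMOPm9S5If6DPr63109inX
5JXv4yNx/x8GZAT+RrhRW/I+PzmXVeSwc89LbADblpQR5x9x6173ncHUV+6UJr2M
niBl7OcFW61jbGhTQSrb9xoUli7IyAciziESE6cG2gqw0fW/ZOo7pUToPaDAPxHJ
vLq0uqtlpG5z3MpAoVibtdtuF9BF2dKHFF6TMwUKJaQ5EQZ+/iODk6CuWz6Q5iZN
GwIDAQAB
-----END PUBLIC KEY-----
"""

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption).
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")

# ARIN's stated requirements for a ROA Request Generation Key Pair.
REQUIRED_BITS = 2048
REQUIRED_EXPONENT = 65537  # F4


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and decode the base64 body."""
    body = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----", "", pem)
    return base64.b64decode("".join(body.split()))


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value element; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def inspect_public_key(pem: str) -> dict:
    """Parse a SubjectPublicKeyInfo and report algorithm, modulus size and exponent."""
    der = pem_to_der(pem)
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (SubjectPublicKeyInfo)")
    _, alg_id, pos = _read_tlv(spki, 0)            # AlgorithmIdentifier
    _, oid, _ = _read_tlv(alg_id, 0)               # OBJECT IDENTIFIER
    if oid != RSA_ENCRYPTION_OID:
        return {"algorithm": oid.hex(), "bits": None, "exponent": None}
    tag, bit_string, _ = _read_tlv(spki, pos)      # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_pub, _ = _read_tlv(bit_string[1:], 0)   # RSAPublicKey ::= SEQUENCE { n, e }
    _, n_bytes, pos = _read_tlv(rsa_pub, 0)
    _, e_bytes, _ = _read_tlv(rsa_pub, pos)
    modulus = int.from_bytes(n_bytes, "big")       # leading 0x00 pad byte is harmless here
    exponent = int.from_bytes(e_bytes, "big")
    return {"algorithm": "rsaEncryption", "bits": modulus.bit_length(), "exponent": exponent}


def check_arin_requirements(pem: str) -> list:
    """Return the list of requirement violations; an empty list means the key is acceptable."""
    info = inspect_public_key(pem)
    problems = []
    if info["algorithm"] != "rsaEncryption":
        problems.append(f"key algorithm is {info['algorithm']}, expected RSA")
        return problems
    if info["bits"] != REQUIRED_BITS:
        problems.append(f"modulus is {info['bits']} bits, expected {REQUIRED_BITS}")
    if info["exponent"] != REQUIRED_EXPONENT:
        problems.append(f"public exponent is {info['exponent']}, expected F4 ({REQUIRED_EXPONENT})")
    return problems


if __name__ == "__main__":
    print(inspect_public_key(ARIN_EXAMPLE_PUBKEY))
    print(check_arin_requirements(ARIN_EXAMPLE_PUBKEY) or "key meets ARIN's requirements")
```

To check your own key, read org_pubkey.pem into a string and pass it to check_arin_requirements; an empty result means RSA, 2048 bits and exponent 65537. The parser deliberately reads only the three fields it needs and refuses anything that is not a SubjectPublicKeyInfo, so it will also tell you if you accidentally pasted the private key file or an EC key.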

Submitting a Certificate Request

ARIN generates a resource certificate for you when you submit your public key. Resource certificates list a collection of Internet number resources (IPv4 addresses, IPv6 addresses, and Autonomous System Numbers [ASNs]) that are associated with the holder of those resources. They provide cryptographic validation that these resources belong to you. The certificates contain no identifying information about who the holder is; resource holders prove their legitimacy by using their private key to sign information such as a ROA Request, and relying parties then validate those signed objects with the corresponding public key.

To submit a certificate request:

  1. Log in to ARIN Online and select Your Records > Organization Identifiers from the navigation menu.
  2. Choose the organization for which you want to configure RPKI.
  3. Choose Actions and select Manage RPKI. (Note: If you do not see this option, ensure that you meet the requirements for participation).
  4. In the Hosted RPKI Section, choose Configure Hosted.
  5. Read and agree to the RPKI Terms of Service. (Note: Not required for resources covered by a Registration Services Agreement (RSA) version 12 or greater.)
  6. Choose Continue.
  7. Paste your public key that you created into the Public Key field.
  8. Choose Submit. This generates a ticketed request for ARIN to generate a resource certificate covering your Internet number resources. You’ll receive a notification in ARIN Online of any actions regarding your request.

Accessing Your Resource Certificates

After ARIN has generated a resource certificate for you, there are two ways to find it.

View the information from the Manage RPKI page:

  1. Log in to ARIN Online.
  2. Select Your Records > Organization Identifiers from the navigation menu.
  3. Choose the organization for which you want to configure RPKI.
  4. Choose Actions and select Manage RPKI.
  5. Select the link for your current certificate. The resource certificate information will be displayed in the body of the page.

To download the file from the ARIN ticket:

  1. Log in to ARIN Online.
  2. Select Tickets from the navigation menu.
  3. Find the ticket that was created when ARIN generated your resource certificate. Your resource certificate is listed in the Attached Files section of the ticket.

Creating a ROA

  • Log in to ARIN Online (https://account.arin.net) with your account.
  • In the left menu, click “Your Records” and then “Organization Identifiers”.
  • Click the Org ID for which you want to configure RPKI (for example, ABC-123).
  • On the right, click “Actions” and then “Manage RPKI”.
  • Click “Create ROA”.
  • Fill in all the required fields:

ROA Name – give your ROA a meaningful name;
Origin AS – the number of the AS you want to authorize to announce your IPs. Heficed’s AS number is 61317;
Start Date and End Date – the period for which you want your ROA to be valid;
Prefixes – the address prefix you want to authorize the origin AS to announce;
Private Key – browse to and select the private key you generated earlier.
Note that Heficed requires you to use /24 as the most specific prefix.

Example:
Let’s say that ARIN allocated the IP address space 10.10.0.0/22 to you. You want to authorize Heficed to announce this address space and its more specific prefixes (like 10.10.1.0/24 or 10.10.3.0/23), and you want your ROA to be valid for 2 years. Your ROA creation screen should then look like this:
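To make concrete what the ROA in this example actually authorizes, here is an added Python example (not from ARIN, Heficed or this page) that models the Create ROA fields and evaluates BGP announcements against them in the terms a validating router uses: Valid, Invalid, or NotFound. The ROA name and the concrete start and end dates are assumed for illustration, and the announcement from AS 64500 (a documentation ASN) is a constructed wrong-origin case; the function names are my own.

```python
from dataclasses import dataclass
from datetime import date
import ipaddress


@dataclass(frozen=True)
class Roa:
    """The fields entered on ARIN's Create ROA form."""
    name: str
    origin_as: int
    prefix: str        # the address prefix being authorized
    max_length: int    # most specific prefix the origin AS may announce
    start: date
    end: date


# Constructed from the page's example: ARIN allocated 10.10.0.0/22, Heficed
# (AS 61317) is authorized down to /24, and the ROA is valid for two years.
# The name and the exact dates are assumed.
EXAMPLE_ROA = Roa(
    name="heficed-10.10.0.0-22",
    origin_as=61317,
    prefix="10.10.0.0/22",
    max_length=24,
    start=date(2024, 1, 1),
    end=date(2026, 1, 1),
)


def _as_date(on) -> date:
    """Accept either a date or an ISO 8601 string such as '2025-06-01'."""
    return date.fromisoformat(on) if isinstance(on, str) else on


def _covers(roa: Roa, announced) -> bool:
    """True when the ROA's prefix contains the announced prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return announced.version == roa_net.version and announced.subnet_of(roa_net)


def validate_origin(roas, announced_prefix: str, origin_as: int, on) -> str:
    """Route origin validation outcome for one (prefix, origin AS) announcement."""
    on = _as_date(on)
    # strict=False so that a route written as 10.10.3.0/23 is normalised to 10.10.2.0/23.
    announced = ipaddress.ip_network(announced_prefix, strict=False)
    # Outside its Start/End window a ROA is simply not there for relying parties.
    covering = [r for r in roas if r.start <= on <= r.end and _covers(r, announced)]
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_as == origin_as and announced.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def validation_report(roas, announcements, on) -> dict:
    """Map each (prefix, origin AS) announcement to its validation state."""
    return {(p, asn): validate_origin(roas, p, asn, on) for p, asn in announcements}


if __name__ == "__main__":
    # Constructed announcements; AS 64500 is from the documentation ASN range.
    announcements = [
        ("10.10.0.0/22", 61317),   # the allocation itself
        ("10.10.1.0/24", 61317),   # more specific, within the /24 limit
        ("10.10.3.0/23", 61317),   # more specific, within the /24 limit
        ("10.10.0.0/25", 61317),   # more specific than the ROA allows
        ("10.10.0.0/22", 64500),   # right prefix, wrong origin AS
        ("192.0.2.0/24", 61317),   # not covered by any ROA
    ]
    for key, state in validation_report([EXAMPLE_ROA], announcements, "2025-06-01").items():
        print(key, state)
```

The /25 announcement comes back Invalid even though it is from the authorized AS, because the ROA's most specific prefix is /24; that is the practical effect of the "24" setting Heficed asks for, and it is also why a hijacker announcing a more specific route from another AS is rejected by validating routers. Once the End Date has passed, the same announcements drop to NotFound, which is the reason to track ROA expiry as part of routine operations.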
