[RPKI] How to generate a .tal file of the embedded ta

Ximon Eighteen ximon at nlnetlabs.nl
Wed Jun 3 09:14:30 UTC 2020

Good morning Cathy,

Please find specific answers to your questions inline below. First, let 
me just say thanks for using Krill and for reaching out with questions, 
it's always great to see Krill being used and to get input from the 

Please note that while Krill is indeed capable of acting as a **test** 
Trust Anchor and serving a **test** Trust Anchor Locator file, this was 
intended mainly for our own internal testing purposes, for example the 
Krill end-to-end test [1] uses the TA and TAL with Routinator as you 
intend to do.

As this was primarily created for internal testing purposes it is not 
currently well documented but we hope to spend some time reviewing and 
improving the Krill documentation in general over the coming weeks. It 
also means that there are some limitations at present, e.g. the TAL only 
supports HTTPS, not Rsync, the resources assigned to the TA are 
hard-coded and cannot be changed, and when you set "use_ta = true" Krill 
currently assumes that you have also set "repo_enabled = true". For the 
E2E test we do work around the lack of Rsync support in the TAL in order 
to test with other Relying Party software that don't/didn't support 
RRDP, but it's not a very nice hack.

As a side note, if you are amenable to running Krill on DigitalOcean or 
Amazon Web Services, you might find Krill Manager [2] helpful for this, 
as it can set up Krill as a repository server for you (one child CA 
pre-created, repo_enabled = true, with NGINX (for RRDP) + Let's Encrypt 
certificate and Rsyncd already setup and running), you just have to set 
"use_ta = true" and restart Krill, e.g. I just setup 
https://(ca|rrdp|rsync).tatest.krill.cloud/ in DigitalOcean using Krill 
Manager with "use_ta = true".

See more information inline below. Please feel free to ask if you have 
any more questions.



[2] https://rpki.readthedocs.io/en/latest/krill/krillmanager/

On 03-06-2020 10:02, zhangcuiling via RPKI wrote:
> Hi all,
> I'd like to run a test environment with krill as CAs (embedded ta and a 
> created sub CA) and routinator as RP.
> It seems that there is no .tal file of the embedded ta. So I need to 
> create one for RP.

There is indeed a TAL, if you have set "use_ta = true" in krill.conf and 
restarted Krill. It will be served at the service URI with /ta/ta.tal 

When running behind a proxy such as NGINX this will be available at the 
external URL and port. If not using a proxy then it will be served at 
the Krill domain and port, e.g. https://localhost:3000/ta/ta.tal, 
depending on the settings in your krill.conf file.

E.g. for my deployment in DigitalOcean the service_uri is set to 
"https://ca.tatest.krill.cloud/" and the TAL is available here:

$ wget -qO- https://ca.tatest.krill.cloud/ta/ta.tal


> But I can't find the .cer file of the embedded ta.

See /ta/ta.cer, e.g.:

$ https://ca.tatest.krill.cloud/ta/ta.cer
<snip -- binary content>

> Is there a method to get the .cer file of .tal file of the embedded ta?

One quick way to test Routinator with a Krill TA is like so:

$ docker volume create routinator-tals
$ docker run --rm -v routinator-tals:/mnt alpine wget -qO/mnt/krill.tal 
$ docker run --rm -v routinator-tals:/home/routinator/.rpki-cache/tals 
nlnetlabs/routinator vrps
ASN,IP Prefix,Max Length,Trust Anchor

The Krill instance was setup using Krill Manager with own repo enabled 
and a CA named "ca", then "use_ta = true" was added to krill.conf and 
Krill was restarted. Then these krillc commands were used:

$ krillc parents request --ca ca > /tmp/child_request.xml
$ krillc children add remote --ca ta --child ca --ipv4 "" 
--ipv6 "2001:DB8::/32" --rfc8183 /tmp/child_request.xml > 
$ krillc parents add remote --ca ca --parent ta --rfc8183 
$ echo "A: => 64496" > /tmp/roas.delta
$ krillc roas update --ca ca --delta /tmp/roas.delta

You can see the produced content like so:

$ rsync --list-only rsync://rsync.tatest.krill.cloud/repo/ca/0/
drwxr-xr-x          4,096 2020/06/03 09:03:38 .
-rw-r--r--          2,276 2020/06/03 09:03:38 
-rw-r--r--            474 2020/06/03 09:03:38 
-rw-r--r--          2,499 2020/06/03 09:03:38 

$ wget -qO- https://rrdp.tatest.krill.cloud/rrdp/notification.xml
<notification xmlns="http://www.ripe.net/rpki/rrdp" version="1" 
session_id="77dc7be9-fe10-4197-8286-1d7e5ca6760f" serial="4">
hash="ceff9918f2ae47b0bc90cc2e81ada0d804739163f461ad5cd21486f4151a3b8c" />
   <delta serial="4" 
hash="b5f98c01a1752267ced951e99d8be7811df8b067cbd5f3d33fd9a4bac5f53280" />
   <delta serial="3" 
hash="3cf184cbba34f12faf13661289642d4706fe7a4b702b4e90dd033693038d3cfd" />
   <delta serial="2" 
hash="2d79c5d57945b11342f811581492d14551d44bd5f1c45afb923142969f66b232" />
   <delta serial="1" 
hash="0f74c2cbc6213754917672aa595c618d4d4ad6925a04d1e95d87e5b745f9f6a3" />

> Thanks a lot.
> Best wishes,
> Cathy

More information about the RPKI mailing list