[RPKI] How to generate a .tal file of the embedded ta

Ximon Eighteen ximon at nlnetlabs.nl
Wed Jun 3 09:16:41 UTC 2020


Of course this:

 > $ https://ca.tatest.krill.cloud/ta/ta.cer

Should have been:

 > $ wget -qO- https://ca.tatest.krill.cloud/ta/ta.cer

Ximon

On 03-06-2020 11:14, Ximon Eighteen via RPKI wrote:
> Good morning Cathy,
> 
> Please find specific answers to your questions inline below. First, let 
> me just say thanks for using Krill and for reaching out with questions, 
> it's always great to see Krill being used and to get input from the 
> community.
> 
> Please note that while Krill is indeed capable of acting as a **test** 
> Trust Anchor and serving a **test** Trust Anchor Locator file, this was 
> intended mainly for our own internal testing purposes, for example the 
> Krill end-to-end test [1] uses the TA and TAL with Routinator as you 
> intend to do.
> 
> As this was primarily created for internal testing purposes it is not 
> currently well documented but we hope to spend some time reviewing and 
> improving the Krill documentation in general over the coming weeks. It 
> also means that there are some limitations at present, e.g. the TAL only 
> supports HTTPS, not Rsync, the resources assigned to the TA are 
> hard-coded and cannot be changed, and when you set "use_ta = true" Krill 
> currently assumes that you have also set "repo_enabled = true". For the 
> E2E test we do work around the lack of Rsync support in the TAL in order 
> to test with other Relying Party software that doesn't/didn't support 
> RRDP, but it's not a very nice hack.
> 
> As a side note, if you are amenable to running Krill on DigitalOcean or 
> Amazon Web Services, you might find Krill Manager [2] helpful for this, 
> as it can set up Krill as a repository server for you (one child CA 
> pre-created, repo_enabled = true, with NGINX (for RRDP) + Let's Encrypt 
> certificate and Rsyncd already set up and running), you just have to set 
> "use_ta = true" and restart Krill, e.g. I just set up 
> https://(ca|rrdp|rsync).tatest.krill.cloud/ in DigitalOcean using Krill 
> Manager with "use_ta = true".
> 
> See more information inline below. Please feel free to ask if you have 
> any more questions.
> 
> Ximon
> 
> ---
> 
> [1] 
> https://github.com/NLnetLabs/krill/actions?query=workflow%3A%22E2E+Test%22
> [2] https://rpki.readthedocs.io/en/latest/krill/krillmanager/
> 
> On 03-06-2020 10:02, zhangcuiling via RPKI wrote:
>> Hi all,
>>
>> I'd like to run a test environment with krill as CAs (embedded ta and 
>> a created sub CA) and routinator as RP.
>>
>> It seems that there is no .tal file of the embedded ta. So I need to 
>> create one for RP.
> 
> There is indeed a TAL, if you have set "use_ta = true" in krill.conf and 
> restarted Krill. It will be served at the service URI with /ta/ta.tal 
> appended.
> 
> When running behind a proxy such as NGINX this will be available at the 
> external URL and port. If not using a proxy then it will be served at 
> the Krill domain and port, e.g. https://localhost:3000/ta/ta.tal, 
> depending on the settings in your krill.conf file.
> 
> E.g. for my deployment in DigitalOcean the service_uri is set to 
> "https://ca.tatest.krill.cloud/" and the TAL is available here:
> 
> $ wget -qO- https://ca.tatest.krill.cloud/ta/ta.tal
> https://ca.tatest.krill.cloud/ta/ta.cer
> 
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtTMuQLdhkZPJlitmb7J+
> G7JHa7I0dWgAS9OPO9eada4zS+u5Z2SAYmyRoJopJJ53w64D2mqhpiWyKxoKa0b8
> HHnapMZ/6SSKnyb2Z2UVOjvnMUNvRs14fY1MJpN7XYgca4tUNO8xxHdahudVjOso
> SgNpv1qsTxz0A+vMRPWwcdbvtJ95tiqs9JftW8PE8Uw1pQSzYPcIY86lgCF2NiJK
> Vc9v5ythsYG0DaN5ogb6hD/l87Tuf1NY0yAVVwCgFEZx+QCVtkJDmttRDsgQ66I5
> 5J8k4Z8TMtZQ7ZkvypkdtII/ozyMAEOCxt7wtepg2OUzifpu+MkflHYgm6oJ0chU
> wwIDAQAB
> 
>>
>> But I can't find the .cer file of the embedded ta.
> 
> See /ta/ta.cer, e.g.:
> 
> $ https://ca.tatest.krill.cloud/ta/ta.cer
> <snip -- binary content>
> 
>> Is there a method to get the .cer file or .tal file of the embedded ta?
> 
> One quick way to test Routinator with a Krill TA is like so:
> 
> $ docker volume create routinator-tals
> $ docker run --rm -v routinator-tals:/mnt alpine wget -qO/mnt/krill.tal https://ca.tatest.krill.cloud/ta/ta.tal
> $ docker run --rm -v routinator-tals:/home/routinator/.rpki-cache/tals nlnetlabs/routinator vrps
> ASN,IP Prefix,Max Length,Trust Anchor
> AS64496,10.0.0.0/24,24,krill
> 
> The Krill instance was set up using Krill Manager with own repo enabled 
> and a CA named "ca", then "use_ta = true" was added to krill.conf and 
> Krill was restarted. Then these krillc commands were used:
> 
> $ krillc parents request --ca ca > /tmp/child_request.xml
> $ krillc children add remote --ca ta --child ca --ipv4 "10.0.0.0/8" --ipv6 "2001:DB8::/32" --rfc8183 /tmp/child_request.xml > /tmp/parent-resp.xml
> $ krillc parents add remote --ca ca --parent ta --rfc8183 /tmp/parent-resp.xml
> $ echo "A: 10.0.0.0/24 => 64496" > /tmp/roas.delta
> $ krillc roas update --ca ca --delta /tmp/roas.delta
> 
> You can see the produced content like so:
> 
> $ rsync --list-only rsync://rsync.tatest.krill.cloud/repo/ca/0/
> drwxr-xr-x          4,096 2020/06/03 09:03:38 .
> -rw-r--r--          2,276 2020/06/03 09:03:38 31302e302e302e302f3234203d3e203634343936.roa
> -rw-r--r--            474 2020/06/03 09:03:38 B9C8D9271D77592B9CA066AAE8353161D81ADF97.crl
> -rw-r--r--          2,499 2020/06/03 09:03:38 B9C8D9271D77592B9CA066AAE8353161D81ADF97.mft
> 
> $ wget -qO- https://rrdp.tatest.krill.cloud/rrdp/notification.xml
> <notification xmlns="http://www.ripe.net/rpki/rrdp" version="1" session_id="77dc7be9-fe10-4197-8286-1d7e5ca6760f" serial="4">
>    <snapshot uri="https://rrdp.tatest.krill.cloud/rrdp/77dc7be9-fe10-4197-8286-1d7e5ca6760f/4/snapshot.xml" hash="ceff9918f2ae47b0bc90cc2e81ada0d804739163f461ad5cd21486f4151a3b8c" />
>    <delta serial="4" uri="https://rrdp.tatest.krill.cloud/rrdp/77dc7be9-fe10-4197-8286-1d7e5ca6760f/4/delta.xml" hash="b5f98c01a1752267ced951e99d8be7811df8b067cbd5f3d33fd9a4bac5f53280" />
>    <delta serial="3" uri="https://rrdp.tatest.krill.cloud/rrdp/77dc7be9-fe10-4197-8286-1d7e5ca6760f/3/delta.xml" hash="3cf184cbba34f12faf13661289642d4706fe7a4b702b4e90dd033693038d3cfd" />
>    <delta serial="2" uri="https://rrdp.tatest.krill.cloud/rrdp/77dc7be9-fe10-4197-8286-1d7e5ca6760f/2/delta.xml" hash="2d79c5d57945b11342f811581492d14551d44bd5f1c45afb923142969f66b232" />
>    <delta serial="1" uri="https://rrdp.tatest.krill.cloud/rrdp/77dc7be9-fe10-4197-8286-1d7e5ca6760f/1/delta.xml" hash="0f74c2cbc6213754917672aa595c618d4d4ad6925a04d1e95d87e5b745f9f6a3" />
> 
>> Thanks a lot.
>>
>> Best wishes,
>>
>> Cathy
>>
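
The TAL and ta.cer discussed in this thread are a relying party's root of trust, and what a validator such as Routinator does with them is worth seeing in code. Below is an added worked example, not part of the thread and not Krill's or Routinator's code: it parses a TAL as laid out in RFC 8630 (optional '#' comment lines, one or more rsync/https URIs, a blank line, then the base64 SubjectPublicKeyInfo), decodes the RSA key, and performs the check an RP must make before trusting anything fetched from the locator, namely that the certificate's subjectPublicKeyInfo is byte for byte the key the TAL pins. The TAL text is the one quoted above from https://ca.tatest.krill.cloud/ta/ta.tal; since no ta.cer is reproduced in the thread, the certificate is a constructed, unsigned X.509 shell built around that same key, and all function names, the small DER walker and the fixture builder are this example's own.

```python
import base64
from urllib.parse import urlsplit

RSA_OID_TLV = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)
# The TAL exactly as served by the Krill test instance quoted in the thread above.
KRILL_TEST_TAL = """\
https://ca.tatest.krill.cloud/ta/ta.cer

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtTMuQLdhkZPJlitmb7J+
G7JHa7I0dWgAS9OPO9eada4zS+u5Z2SAYmyRoJopJJ53w64D2mqhpiWyKxoKa0b8
HHnapMZ/6SSKnyb2Z2UVOjvnMUNvRs14fY1MJpN7XYgca4tUNO8xxHdahudVjOso
SgNpv1qsTxz0A+vMRPWwcdbvtJ95tiqs9JftW8PE8Uw1pQSzYPcIY86lgCF2NiJK
Vc9v5ythsYG0DaN5ogb6hD/l87Tuf1NY0yAVVwCgFEZx+QCVtkJDmttRDsgQ66I5
5J8k4Z8TMtZQ7ZkvypkdtII/ozyMAEOCxt7wtepg2OUzifpu+MkflHYgm6oJ0chU
wwIDAQAB
"""

def parse_tal(text):
    """Split a TAL into (uris, spki_der): URI lines, a blank line, then base64 SubjectPublicKeyInfo."""
    lines = [ln.strip() for ln in text.splitlines()]
    uris, i = [], 0
    while i < len(lines) and lines[i]:
        if not lines[i].startswith("#"):        # RFC 8630 allows '#' comment lines ahead of the URIs
            uris.append(lines[i])
        i += 1
    b64 = "".join(lines[i:])
    if not uris or not b64:
        raise ValueError("TAL needs at least one URI and a base64-encoded key")
    for uri in uris:                            # RFC 8630 permits rsync and https locators only
        if urlsplit(uri).scheme not in ("rsync", "https"):
            raise ValueError(f"unsupported TAL URI scheme: {uri}")
    return uris, base64.b64decode(b64, validate=True)

def der_tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, index just past the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, buf[pos:end], end

def rsa_public_key(spki_der):
    """Return (modulus, exponent) from a DER SubjectPublicKeyInfo, rejecting non-RSA keys."""
    tag, spki, end = der_tlv(spki_der)
    if tag != 0x30 or end != len(spki_der):
        raise ValueError("SPKI is not a single SEQUENCE")
    alg_tag, alg, pos = der_tlv(spki)           # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    bs_tag, bitstr, _ = der_tlv(spki, pos)      # subjectPublicKey BIT STRING; first octet = unused bits
    if alg_tag != 0x30 or not alg.startswith(RSA_OID_TLV) or bs_tag != 0x03 or bitstr[0] != 0:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    key_tag, key, _ = der_tlv(bitstr, 1)        # RSAPublicKey ::= SEQUENCE { modulus, publicExponent }
    n_tag, n, pos = der_tlv(key)
    e_tag, e, _ = der_tlv(key, pos)
    if key_tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def cert_spki(cert_der):
    """Return the raw subjectPublicKeyInfo TLV of a DER X.509 certificate (RFC 5280 field order)."""
    _, cert, _ = der_tlv(cert_der)              # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = der_tlv(cert)
    tag, _, pos = der_tlv(tbs)
    if tag == 0xA0:                             # optional [0] EXPLICIT version, then serialNumber
        _, _, pos = der_tlv(tbs, pos)
    for _ in range(4):                          # signature, issuer, validity, subject
        _, _, pos = der_tlv(tbs, pos)
    tag, _, end = der_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("no subjectPublicKeyInfo")
    return tbs[pos:end]

def tal_matches_cert(tal_text, cert_der):
    """The RFC 8630 relying-party check: TAL key and TA certificate SPKI must be identical bytes."""
    _, tal_spki = parse_tal(tal_text)
    return tal_spki == cert_spki(cert_der)

def der(tag, content):
    """Minimal DER encoder (tag, definite length, content); used only to build the fixture below."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def constructed_cert_with_spki(spki_der):
    """Constructed fixture: an unsigned X.509 shell around spki_der, just enough structure for cert_spki()."""
    sigalg = der(0x30, bytes.fromhex("06092a864886f70d01010b") + der(0x05, b""))  # sha256WithRSAEncryption
    validity = der(0x30, der(0x17, b"200603000000Z") + der(0x17, b"300603000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sigalg
              + der(0x30, b"") + validity + der(0x30, b"") + spki_der)
    return der(0x30, tbs + sigalg + der(0x03, b"\x00" * 257))   # all-zero signature: not a real cert

if __name__ == "__main__":
    uris, spki = parse_tal(KRILL_TEST_TAL)
    print(uris, rsa_public_key(spki)[0].bit_length())
    print(tal_matches_cert(KRILL_TEST_TAL, constructed_cert_with_spki(spki)))
```

The comparison is the whole point of a TAL: the URI only says where to fetch the certificate, the key says which certificate to accept, so serving a different ta.cer at that URL gains an attacker nothing against an RP that performs this check. It also means that changing the TAL changes the root of trust, which is why a test TAL like this one must never be dropped into a production validator's TAL directory next to the RIR TALs. The DER walker here understands only what an RSA SPKI and an RFC 5280 tbsCertificate need; for anything beyond a demonstration, use a real X.509 library.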

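The notification.xml output in the thread shows the other half of the relying party's trust chain, RRDP (RFC 8182). Below is an added worked example, again not from the thread and not Krill's or Routinator's code, of the client-side logic an RP applies to that file: parse it, decide from the locally held (session_id, serial) whether the contiguous deltas can be replayed or the snapshot must be refetched, and accept a fetched snapshot or delta only if its SHA-256 matches the hash in the notification and its own session_id and serial agree with it. The notification text is the one quoted above with a closing </notification> tag added, since the quoted output stops after the last delta; the snapshot body used to exercise the hash check is constructed here, so it matches only its own hash and not the hash published by the test repository, and the function names are the example's own.

```python
import hashlib
import xml.etree.ElementTree as ET

RRDP_NS = "{http://www.ripe.net/rpki/rrdp}"

# The notification file as served by the Krill test instance in the thread; the quoted output stops
# after the last <delta>, so the closing tag is supplied here to make it parseable.
NOTIFICATION_XML = """\
<notification xmlns="http://www.ripe.net/rpki/rrdp" version="1" session_id="77dc7be9-fe10-4197-8286-1d7e5ca6760f" serial="4">
   <snapshot uri="https://rrdp.tatest.krill.cloud/rrdp/77dc7be9-fe10-4197-8286-1d7e5ca6760f/4/snapshot.xml" hash="ceff9918f2ae47b0bc90cc2e81ada0d804739163f461ad5cd21486f4151a3b8c" />
   <delta serial="4" uri="https://rrdp.tatest.krill.cloud/rrdp/77dc7be9-fe10-4197-8286-1d7e5ca6760f/4/delta.xml" hash="b5f98c01a1752267ced951e99d8be7811df8b067cbd5f3d33fd9a4bac5f53280" />
   <delta serial="3" uri="https://rrdp.tatest.krill.cloud/rrdp/77dc7be9-fe10-4197-8286-1d7e5ca6760f/3/delta.xml" hash="3cf184cbba34f12faf13661289642d4706fe7a4b702b4e90dd033693038d3cfd" />
   <delta serial="2" uri="https://rrdp.tatest.krill.cloud/rrdp/77dc7be9-fe10-4197-8286-1d7e5ca6760f/2/delta.xml" hash="2d79c5d57945b11342f811581492d14551d44bd5f1c45afb923142969f66b232" />
   <delta serial="1" uri="https://rrdp.tatest.krill.cloud/rrdp/77dc7be9-fe10-4197-8286-1d7e5ca6760f/1/delta.xml" hash="0f74c2cbc6213754917672aa595c618d4d4ad6925a04d1e95d87e5b745f9f6a3" />
</notification>
"""

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def normalize_hash(h):
    """RRDP hashes are hex SHA-256; reject anything else before it is ever compared."""
    if h is None or len(h) != 64 or any(c not in "0123456789abcdefABCDEF" for c in h):
        raise ValueError(f"hash attribute is not a hex SHA-256: {h!r}")
    return h.lower()

def parse_notification(xml_text):
    """Parse an RRDP notification (RFC 8182) into session_id, serial, snapshot and a serial->delta map."""
    root = ET.fromstring(xml_text)
    if root.tag != RRDP_NS + "notification" or root.get("version") != "1":
        raise ValueError("not an RRDP version 1 notification")
    snap = root.find(RRDP_NS + "snapshot")
    if snap is None:
        raise ValueError("notification carries no <snapshot>")
    deltas = {}
    for d in root.findall(RRDP_NS + "delta"):
        serial = int(d.get("serial"))
        if serial in deltas:                     # one delta per serial, or the chain is ambiguous
            raise ValueError(f"duplicate delta serial {serial}")
        deltas[serial] = (d.get("uri"), normalize_hash(d.get("hash")))
    return {"session_id": root.get("session_id"), "serial": int(root.get("serial")),
            "snapshot": (snap.get("uri"), normalize_hash(snap.get("hash"))), "deltas": deltas}

def plan_update(notif, local_session, local_serial):
    """RFC 8182 section 3.4.3: replay the contiguous deltas after local_serial when the session
    matches; on a session change, a local serial ahead of the server, or a gap, refetch the snapshot."""
    if local_session != notif["session_id"] or local_serial > notif["serial"]:
        return "snapshot"
    wanted = range(local_serial + 1, notif["serial"] + 1)
    if any(s not in notif["deltas"] for s in wanted):
        return "snapshot"
    return [(s,) + notif["deltas"][s] for s in wanted]       # [(serial, uri, hash), ...] in order

def verify_fetched(body, expected_hash, notif, kind, serial):
    """Accept a fetched snapshot or delta only if its bytes hash to the value in the notification and
    its own session_id/serial agree with the notification, as RFC 8182 requires."""
    if sha256_hex(body) != expected_hash:
        return False
    root = ET.fromstring(body)
    return (root.tag == RRDP_NS + kind and root.get("version") == "1"
            and root.get("session_id") == notif["session_id"] and int(root.get("serial")) == serial)

def constructed_snapshot(session_id, serial):
    """Constructed sample snapshot body (not real repository content) for exercising verify_fetched()."""
    return (f'<snapshot xmlns="http://www.ripe.net/rpki/rrdp" version="1" session_id="{session_id}" serial="{serial}">'
            '<publish uri="rsync://rsync.tatest.krill.cloud/repo/ca/0/example.roa">AAAA</publish>'
            '</snapshot>').encode()

if __name__ == "__main__":
    notif = parse_notification(NOTIFICATION_XML)
    print(plan_update(notif, notif["session_id"], 2))          # deltas 3 and 4
    body = constructed_snapshot(notif["session_id"], notif["serial"])
    print(verify_fetched(body, sha256_hex(body), notif, "snapshot", notif["serial"]))   # True
```

HTTPS protects the transport, but the hash in the notification is what binds the snapshot and delta bytes to the notification the RP decided to act on, and the session_id/serial check is what stops a stale delta from being replayed under a new session; a client that skips either is trusting whatever the proxy in front of rrdp.tatest.krill.cloud hands it, rather than the repository.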
