[RPKI] Invalid identity certificate: validation error with APNIC

Tim Bruijnzeels tim at nlnetlabs.nl
Tue Mar 31 19:18:57 UTC 2020

Hi Christopher,

This is because krill insists that the ID certificates be self signed. The RFC says things should be self signed but it’s not really an issue. So, we put in a change for this in 0.5.0 but overlooked one additional check.

This is fixed in the master branch if you are okay with living on the edge a bit. Otherwise we are planning to do the 0.6.0 release next week.

Kind regards

Sent from my iPhone

> On 31 Mar 2020, at 19:45, Christopher Munz-Michielin via RPKI <rpki at lists.nlnetlabs.nl> wrote:
> Hello,
> Trying to get Krill setup with my APNIC account, I've successfully submitted my identity file to APNIC and receivied the parent response, however, once I attempt to import the response krill just kicks back "Invalid RFC8183 XML: Invalid identity certificate: validation error"
> The response I got back from APNIC looks alright:
> <?xml version="1.0"?>
> <oob:parent_response xmlns:oob="http://www.hactrn.net/uris/rpki/rpki-setup/" version="1" service_uri="http://rpki.apnic.net/up-down/APNIC-AP/" parent_handle="APNIC-AP" child_handle="A912C8360000"><oob:parent_bpki_ta>MII....
> </oob:parent_bpki_ta></oob:parent_response>
> Though the oob: stuff looks a little strange.  I tried removing it but get the same error.
> This is the command I am attempting to run:
> krillc parents add remote --parent apnic --rfc8183 ./response.xml --ca FRC-CA
> I have also tried via the webGUI but it just kicks back "error 400"
> Krill version is 0.5.0
> Anyone managed to get krill working with APNIC?
> -- 
> RPKI mailing list
> RPKI at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/rpki

More information about the RPKI mailing list