[RPKI] Validity of RPKI certificates

Tim Bruijnzeels tim at nlnetlabs.nl
Tue May 24 11:01:37 UTC 2022

Dear Cristian,

Let me give a general reply here on-list, but if a follow-up is needed feel free to contact us directly at rpki-team at nlnetlabs.nl. If we find that there is a general issue with Krill then we will report back - and of course - make a fix asap.

Reply in-line:

> On 23 May 2022, at 17:57, Cristian Cardoso via RPKI <rpki at lists.nlnetlabs.nl> wrote:
> Hi
> I have a question regarding the RPKI certificates generated for my prefixes.
> I activated Krill 6 months ago, after 3 months I noticed that the validation certificates apparently expired with my publisher, I recreated my CA and the problem was resolved, now after 3 months it has happened again.

My guess is that the 'expired' certificates are not in fact the certificate issued to you by your parent - and published by them - but the manifest and CRL which your CA publishes.

As long as Krill is running it will keep re-issuing manifests and CRLs 8 hours (by default) before they would expire. The default validity time is 24 hours plus some random (minute grade) extra time between 0-12 hours.

If an observer sees that your manifest / CRL have expired, then the most likely cause would be that your CA is unable to publish in your publication server.

You can check the latest status in the "Repoistory" tab of the UI, or you can use CLI commands.

Example checking the repository connection status of our own nlnetlabs ca:

# krillc repo status --ca nlnetlabs
URI: https://prod-ps.krill.cloud/rfc8181/nlnetlabs/
Status: success
Last contacted: 2022-05-24T09:18:54+00:00
Last successful contact: 2022-05-24T09:18:54+00:00
Next contact on or before: 2022-05-25T09:34:52+00:00

Or you can check if there are any other issues, including issues connecting to a parent:

# krillc issues --ca nlnetlabs
no issues found

You can also check for issues connecting to a parent in the "Parents" tab in the UI, or you can use "krillc parents statuses --ca <myca>"

If you see connection issues here then you should probably contact your parent or repository server about this first.

If you would like to share your config file with us directly then I am also happy to have a look whether I can spot any timing configuration issues there. If you do, then please remove the "admin_token" - we don't need to know! And send it directly to rpki-team at nlnetlabs.nl please.

> I looked at Krill's documentation and found this https://krill.docs.nlnetlabs.nl/en/stable/ca-keyroll.html#key-life-cycle-background, I don't know if I understand it correctly but I must create something in the cron from the server to rollover?

A key rollover will not help here. And you do not need to cron anything - just make sure the Krill daemon keeps running. It will re-issue manifests and CRLs when they need to be re-issued, and if Krill can't connect to its parents or repository server for some reason, then it will just keep re-trying every couple of minutes.

I hope this helps!

Kind regards,


> -- 
> RPKI mailing list
> RPKI at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/rpki

More information about the RPKI mailing list