Registering with a Parent

As mentioned in RIR and NIR Interactions in order to join the RPKI you will need to register your CA with a parent in the hierarchy. Typically that will be an RIR or NIR, but as mentioned in the introduction it could also be a parent within your business.

To register with an RPKI parent you need to exchange RFC 8183 XML files with the parent via their web portal or API.

Scenarios

Krill CA -> NIR/RIR Remote CA

Registering a Krill CA as a child with a remote Krill CA may require that you log in to and interact with the a parent web portal, e.g.:

1. In the Krill UI copy/download the RFC 8183 Child Request.
2. In the NIR/RIR portal:
   • Paste/upload the RFC 8183 Child Request.
   • Copy/download the RFC 8183 Parent Response.
3. In the Krill UI paste/upload the RFC 8183 Parent Response.

Krill CA -> Krill Remote CA

Registering a Krill CA as a child of a remote Krill CA can be done with the following commands:

注釈

To complete the registration you will need the API token for the remote Krill CA, or the support of an admin willing to run commands against the remote Krill CA for you.

Communicating with the CA server Krill instance:
1. krillc parents request        Show RFC8183 Child Request XML.

Communicating with the remote Krill CA instance:
2. krillc children add remote    Add a child to a CA..
3. krillc children response      Show RFC8183 Parent Response XML.

Communicating with the CA server Krill instance:
4. krillc parents add remote     Add a parent to this CA.

Krill CA -> Krill Local CA

Registering a Krill CA as a child of a local "embedded" Krill CA can be done with the following commands:

Communicating with the CA server Krill instance:
1. krillc parents add embedded