[arin-tech-discuss] RPKI Hosted Certificate expiry

Owen DeLong owen at delong.com
Thu Nov 2 01:23:45 EDT 2017


IMHO, I should be able to create a new certificate up to 1 year prior to expiration of the old one, and during the overlap period, ROAs signed using either certificate should validate.

Owen


> On Nov 1, 2017, at 19:12, Mark Kosters <markk at arin.net> wrote:
> 
> Hi Andrew
> 
> That was a good question – one that merited a bit of research on our part. Here’s what we have.
> 
> Yes, ROAs cannot be created with dates past the expiration of the hosted certificate.
> 
> As for what to do when the time approaches where the hosted cert needs to be renewed, we are wondering what you (and others) would prefer as a way going forward?
> 
> Thanks,
> Mark
> 
> On 10/23/17, 9:48 AM, "arin-tech-discuss on behalf of Andrew Gallo" <arin-tech-discuss-bounces at arin.net on behalf of akg1330 at gmail.com> wrote:
> 
>    Greetings:
> 
>    A question came up at an Internet2 meeting concerning hosted RPKI.  
>    Specifically, what happens at the expiration of the Hosted Certificate?
> 
>    I see that the hosted certificate has a 10-year validity period, and 
>    ROAs cannot be created with dates past the expiration of the Hosted 
>    Certificate.
> 
>    When the expiration of this certificate is approaching, what is the 
>    procedure?  Do we need to re-request Hosted Access? Regenerate ROAs?  
>    Will there be an overlap period where both the expiring and new 
>    certificates & ROAs will both be valid (to avoid any gaps in coverage)?
> 
>    Thank you.
> 
>    _______________________________________________
>    arin-tech-discuss mailing list
>    arin-tech-discuss at arin.net
>    http://lists.arin.net/mailman/listinfo/arin-tech-discuss
> 
> 



