[arin-tech-discuss] RPKI Hosted Certificate expiry

Mark Kosters markk at arin.net
Wed Nov 1 11:12:48 EDT 2017

Hi Andrew

That was a good question – one that merited a bit of research on our part. Here’s what we have.

Yes, ROAs cannot be created with dates past the expiration of the hosted certificate.

As for what to do when the time approaches where the hosted cert needs to be renewed, we are wondering what you (and others) would prefer as a way going forward?


On 10/23/17, 9:48 AM, "arin-tech-discuss on behalf of Andrew Gallo" <arin-tech-discuss-bounces at arin.net on behalf of akg1330 at gmail.com> wrote:

    A question came up at an Internet2 meeting concerning hosted RPKI.  
    Specifically, what happens at the expiration of the Hosted Certificate?
    I see that the hosted certificate has a 10-year validity period, and 
    ROAs cannot be created with dates past the expiration of the Hosted 
    When the expiration of this certificate is approaching, what is the 
    procedure?  Do we need to re-request Hosted Access? Regenerate ROAs?  
    Will there be an overlap period where both the expiring and new 
    certificates & ROAs will both be valid (to avoid any gaps in coverage)?
    Thank you.
