29 lines
No EOL
786 B
Markdown
29 lines
No EOL
786 B
Markdown
# Updating the Expiry Data of an RPKI Root Cert
|
|
|
|
First, go to the place the cert should be living
|
|
|
|
```
|
|
cd /usr/share/rpki/publication
|
|
```
|
|
|
|
Then extract a new cert with a shiny new expiration.
|
|
|
|
```
|
|
rpkic extract_root_certificate --output_file foo.cer
|
|
```
|
|
|
|
Get the key of the new cert and the old cert and compare them
|
|
|
|
```
|
|
openssl x509 -inform DER -in foo.cer -noout -pubkey >foo.key
|
|
openssl x509 -inform DER -in root.cer -noout -pubkey >old.key
|
|
diff -qs foo.key old.key
|
|
```
|
|
|
|
If they're the same, then the foo.cer you just extracted is the replacement for your old root.cer (in which case you might want to set up a cron job to extract it to the old filename, every few months).
|
|
|
|
finally
|
|
|
|
```
|
|
cat /usr/share/rpki/publication/altCA.cer > /usr/share/rpki/tal/root.cer
|
|
``` |