OpenBSD manual page server

Manual Page Search Parameters

RPKI-CLIENT(8) System Manager's Manual RPKI-CLIENT(8)

rpki-clientRPKI validator to support BGP routing security

rpki-client [-ABcjmnoRrVv] [-b sourceaddr] [-d cachedir] [-e rsync_prog] [-H fqdn] [-S skiplist] [-s timeout] [-T table] [-t tal] [outputdir]

rpki-client [-Vv] [-d cachedir] [-j] [-t tal] -f file ...

The rpki-client utility queries the RPKI repository system with a built-in HTTPS client and openrsync(1) to fetch all X.509 certificates, manifests, and revocation lists under a given Trust Anchor. rpki-client subsequently validates each Signed Object by constructing and verifying a certification path for the certificate associated with the Object (including checking relevant CRLs). rpki-client produces lists of the Validated ROA Payloads (VRPs), (BRKs), and Validated ASPA Payloads (VAPs) in various formats.

The options are as follows:

Exclude the aspa-set in the OpenBGPD specific output file.
Create output in the files bird1v4, bird1v6, and bird (for bird2) in the output directory which is suitable for the BIRD internet routing daemon.
Tell the HTTP and rsync clients to use sourceaddr as the source address for connections, which is useful on machines with multiple interfaces.
Create output in the file csv in the output directory as comma-separated values of the , the prefix in slash notation, the maximum prefix length, an abbreviation for the Trust Anchor the entry is derived from, and the moment the VRP will expire derived from the chain of X.509 certificates and CRLs in seconds since the Epoch, UTC.
The directory where rpki-client will store the cached repository data. Defaults to /var/cache/rpki-client.
Use rsync_prog instead of openrsync(1) to fetch repositories. It must accept the -rt and --address flags and connect with rsync-protocol locations.
file ...
Decode the or validate the Signed Object in file against the RPKI cache stored in cachedir and print human-readable information about the object. If file is an rsync:// URI, the corresponding file from the cache will be used. This option implies -n, and can be combined with -j to emit a stream of .
Create a shortlist and add fqdn to the shortlist. rpki-client only connects to shortlisted hosts. The shortlist filter is enforced during processing of the Subject Information Access (SIA) extension in CA certificates, thus applies to both RSYNC and RRDP connections. This option can be used multiple times.
Create output in the file json in the output directory as JSON object. See -c for a description of the fields.
Create output in the file metrics in the output directory in OpenMetrics format.
Offline mode. Validate the contents of cachedir and write to outputdir without synchronizing via RRDP or RSYNC.
Create output in the file openbgpd in the output directory as bgpd(8) compatible input. If the -B, -c, and -j options are not specified this is the default.
Synchronize via RSYNC only.
Synchronize via RRDP. If RRDP fails, RSYNC will be used. This is the default. Mutually exclusive with -n.
Do not connect to hosts listed in the skiplist file. Entries in the skiplist are newline separated (FQDNs). A ‘#’ indicates the beginning of a comment; characters up to the end of the line are not interpreted. The skip filter is enforced during processing of the Subject Information Access (SIA) extension in CA certificates, thus applies to both RSYNC and RRDP connections. By default load entries from /etc/rpki/skiplist.
Terminate after timeout seconds of runtime, because normal practice will restart from cron(8). Disable by specifying 0. Defaults to 1 hour. Individual RSYNC/RRDP repositories are timed out after one fourth of timeout. All network synchronisation tasks are aborted after seven eights of timeout.
For BIRD output generated with the -B option use table as roa table name instead of the default 'ROAS'.
Specify a Trust Anchor Location (TAL) file to be used. This option can be used multiple times to load multiple TALs. By default rpki-client will load all TAL files in /etc/rpki.
Show the version and exit.
Increase verbosity. Specify once for synchronisation status, twice to print the name of each file as it's processed. If -f is given, specify once to print more information about the encapsulated X.509 certificate, twice to print the certificate in PEM format.
The directory where rpki-client will write the output files. Defaults to /var/db/rpki-client/.

By default rpki-client outputs validated payloads in -o (OpenBGPD compatible) format.

rpki-client should be run hourly by cron(8): use crontab(1) to uncomment the entry in root's crontab.

rpki-client utilizes the following environment variables:

URL of HTTP proxy to use.

default TAL files used unless -t tal is specified.
default skiplist file, unless -S skiplist is specified.
cached repository data.
default roa-set output file.

The rpki-client utility exits 0 on success, and >0 if an error occurs.

openrsync(1), bgpd.conf(5)

The following standards are used or referenced in rpki-client:

RFC 3370
Cryptographic Message Syntax (CMS) Algorithms.
RFC 3779
X.509 Extensions for IP Addresses and AS Identifiers.
RFC 4291
IP Version 6 Addressing Architecture.
RFC 4631
Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan.
RFC 5280
Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.
RFC 5652
Cryptographic Message Syntax (CMS).
RFC 5781
The rsync URI Scheme.
RFC 5952
A Recommendation for IPv6 Address Text Representation.
RFC 6480
An Infrastructure to Support Secure Internet Routing.
RFC 6482, draft-ietf-sidrops-rfc6482bis-01
A Profile for Route Origin Authorizations (ROAs).
RFC 6485
The Profile for Algorithms and Key Sizes for Use in the Resource Public Key Infrastructure (RPKI).
RFC 6486
Manifests for the Resource Public Key Infrastructure (RPKI).
RFC 6487
A Profile for X.509 PKIX Resource Certificates.
RFC 6488
Signed Object Template for the Resource Public Key Infrastructure (RPKI).
RFC 6493
The Resource Public Key Infrastructure (RPKI) Ghostbusters Record.
RFC 7318
Policy Qualifiers in Resource Public Key Infrastructure (RPKI) Certificates.
RFC 8182
The RPKI Repository Delta Protocol (RRDP).
RFC 8209
A Profile for BGPsec Router Certificates, Certificate Revocation Lists, and Certification Requests.
RFC 8630
Resource Public Key Infrastructure (RPKI) Trust Anchor Locator.
RFC 9092
Finding and Using Geofeed Data.
RFC 9323
A Profile for RPKI Signed Checklists (RSCs).
A Profile for Autonomous System Provider Authorization (ASPA).
RPKI Signed Object for Trust Anchor Key.

rpki-client first appeared in OpenBSD 6.7.

The rpki-client utility was written by Kristaps Dzonsons <>.

January 18, 2023 OpenBSD-current