
lack of a CRL in the CMS #863

Open
lixincnnic opened this issue Aug 22, 2017 · 5 comments

Comments

@lixincnnic

In the step of connecting the CNNIC RPKI production environment and the APNIC RPKI production environment,
we used "rpkic create_identity A9162E3D0000" to create identity.xml and sent it to APNIC. APNIC said "lack of a CRL in the CMS." and CNNIC cannot get the resource list from APNIC.

So how to include a CRL in the CMS?

@sraustein
Contributor

sraustein commented Aug 22, 2017 via email

@lixincnnic
Author

lixincnnic commented Aug 23, 2017

Thanks for your reply.

I am from CNNIC,
I will describe my problem more clearly.

We use rpki-1.0, in the step of connecting the CNNIC RPKI production environment and the APNIC RPKI production environment.
We did the following operations.

① On the CNNIC side, we did
#rpkic create_identity A9162E3D0000
and sent A9162E3D0000.identity.xml to APNIC.

And APNIC said "The A9162E3D0000.identity.xml attached to the email contains a BPKI TA certificate,
rather than a signing certificate. What is needed is the certificate that is being used to sign the messages sent over the provisioning protocol."

So my first problem is "how to generate the certificate?"

② APNIC sent us parent-response.xml, and on the CNNIC side we do:
#rpkic -i A9162E3D0000 configure_parent parent-response.xml

③ On the CNNIC side we do:
#rpkic -i A9162E3D0000 configure_publication_client ***
#rpkic -i A9162E3D0000 configure_repository ***

And then APNIC allocated resources for CNNIC, but CNNIC couldn't get resources from APNIC;
we modified models.py and CNNIC got the resources successfully.

# diff -Nuar models.py-org models.py
--- models.py-org	2017-08-09 17:14:41.088684218 +0800
+++ models.py	2017-08-10 09:39:12.758301237 +0800
@@ -742,8 +742,7 @@
             keypair      = ca_detail.private_key_id,
             is_ca        = True,
             caRepository = ca.sia_uri,
-            rpkiManifest = ca_detail.manifest_uri,
-            rpkiNotify   = ca.parent.repository.rrdp_notification_uri)
+            rpkiManifest = ca_detail.manifest_uri)
         q_msg = self._compose_up_down_query("issue")
         q_pdu = SubElement(q_msg, rpki.up_down.tag_request, class_name = ca.parent_resource_class)
         q_pdu.text = pkcs10.get_Base64()
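Review bot: the removal of `rpkiNotify = ca.parent.repository.rrdp_notification_uri` is unconditional, so this CA stops requesting the RRDP notification URI in the SIA of every certificate it asks for, for all parents, not only the one that rejected the request. If a workaround like this has to stay in place, gate it on the parent (or a configuration knob) and keep the original keyword argument for everyone else, and mark the edit with a comment saying it is a temporary local patch, otherwise it is easy to forget to revert once the parent side is fixed.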

But after about one month, CNNIC couldn't get resources from APNIC again;
in rpkid.log we see the error "HTTPError: HTTP 400: Bad Request".

And APNIC said "Your system appears to be reissuing
provisioning protocol signing certificates each month. As a result,
we will need to manually update our system whenever a new signing
certificate is issued, until your system is able to include CRLs with
the requests. Once CRLs are included, we can revert to using standard
certificate chain validation."

So my second problem is "how to include CRLs with the requests"
and "how to deal with the fact that my system is reissuing
provisioning protocol signing certificates each month".

Thanks & Regards,

lixin
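The error APNIC reported ("lack of a CRL in the CMS") refers to the CMS SignedData wrapper that every provisioning-protocol (RFC 6492) message is carried in; that profile requires the signing EE certificate in the `certificates` field and a CRL in the `crls` field. Before sending a message to a parent, it is useful to be able to check the wrapper locally. The following is an added example, not rpki.net code or anything from this thread: a small DER walker that counts the certificates and CRLs inside a CMS SignedData, plus a constructed sample message whose certificate and CRL bodies are placeholders (the helper names `inspect_cms`, `provisioning_message_problems` and `build_sample_message` are this example's own). It handles single-byte tags and definite lengths, which is all DER-encoded CMS uses.

```python
# Added example (not rpki.net code): walk the DER of a CMS SignedData message,
# as used by the RPKI provisioning protocol (RFC 6492), and report whether it
# carries the `crls` field that APNIC said was missing. The sample message is
# constructed here with placeholder certificate/CRL bodies; a real message
# would carry the BPKI EE signing certificate and its CRL.

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
ID_DATA_OID = bytes.fromhex("2a864886f70d010701")      # 1.2.840.113549.1.7.1
SHA256_OID = bytes.fromhex("608648016503040201")        # 2.16.840.1.101.3.4.2.1


def _read_tlv(buf, pos):
    """Parse one DER TLV (single-byte tag, definite length) at buf[pos:]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        yield tag, v


def inspect_cms(der):
    """Return counts of certificates and CRLs carried in a CMS SignedData."""
    tag, content_info, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo is not a SEQUENCE")
    parts = list(_children(content_info))
    if len(parts) != 2 or parts[0] != (0x06, SIGNED_DATA_OID):
        raise ValueError("not a CMS SignedData ContentInfo")
    if parts[1][0] != 0xA0:
        raise ValueError("content [0] EXPLICIT missing")
    sd_tag, signed_data = next(_children(parts[1][1]))
    if sd_tag != 0x30:
        raise ValueError("SignedData is not a SEQUENCE")
    certs = crls = 0
    for t, v in _children(signed_data):
        if t == 0xA0:                      # certificates [0] IMPLICIT CertificateSet
            certs = sum(1 for _ in _children(v))
        elif t == 0xA1:                    # crls [1] IMPLICIT RevocationInfoChoices
            crls = sum(1 for _ in _children(v))
    return {"certificates": certs, "crls": crls}


def provisioning_message_problems(der):
    """List the CMS-profile problems a parent would reject the message for."""
    counts = inspect_cms(der)
    problems = []
    if counts["certificates"] == 0:
        problems.append("no signing certificate in the CMS")
    if counts["crls"] == 0:
        problems.append("lack of a CRL in the CMS")
    return problems


def _der(tag, payload):
    """Encode one DER TLV (payloads up to 65535 bytes)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload


def build_sample_message(include_crl):
    """Constructed CMS SignedData shell; cert and CRL bodies are placeholders."""
    placeholder = _der(0x30, b"\x05\x00")        # stands in for a Certificate / CertificateList
    body = _der(0x02, b"\x03")                                      # version 3
    body += _der(0x31, _der(0x30, _der(0x06, SHA256_OID)))          # digestAlgorithms
    body += _der(0x30, _der(0x06, ID_DATA_OID))                     # encapContentInfo (eContent omitted)
    body += _der(0xA0, placeholder)                                 # certificates [0]
    if include_crl:
        body += _der(0xA1, placeholder)                             # crls [1]
    body += _der(0x31, b"")                                         # signerInfos (empty placeholder)
    return _der(0x30, _der(0x06, SIGNED_DATA_OID) + _der(0xA0, _der(0x30, body)))


if __name__ == "__main__":
    for with_crl in (False, True):
        msg = build_sample_message(with_crl)
        print(with_crl, inspect_cms(msg), provisioning_message_problems(msg))
```

Run against a real message (for example the DER body of an outgoing up-down request captured from rpkid), `provisioning_message_problems` returns an empty list when both the signing certificate and its CRL are present, and otherwise names the missing piece in the same words the parent would use.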

@sraustein
Contributor

APNIC is investigating, more when we hear back.

@ggm-at-apnic

We're aware of a problem in APNIC code and we're working on it. I would suggest that the temporary fixes you applied should be removed.

@lixincnnic
Author

Yes, we have removed the temporary fixes.
