ARIN hosted RPKI key rotation

Christopher Morrow morrowc.lists at
Fri Nov 20 16:11:53 UTC 2020

On Fri, Nov 20, 2020 at 10:59 AM TJ Trout <tj at> wrote:
> I believe it's manual, ten years and you need to update the roa.

I don't think 10yrs is correct... I do think you'd be responsible for
re-publishing your content periodically though.
Looking at, quite a handy tool, job's for a
set of things that concern me, this one in particular:
  (one particular ROA)

            Not Before: Aug 18 04:00:00 2020 GMT
            Not After : Nov 20 05:00:00 2022 GMT

Oh, I do see that the parent cert here is:

which has:
            Not Before: Oct  1 11:28:43 2019 GMT
            Not After : Oct  1 11:28:43 2029 GMT

This is, I think, actually controlled by ARIN, it has the subordinate
resources from ARIN -> this-org
in it... so at least the content of this file is generated/maintained
by the parent (RIR in this case).

> On Fri, Nov 20, 2020, 6:55 AM Ca By <cb.list6 at> wrote:
>> Hello folks,
>> I use ARIN hosted RPKI to publish ROAs
>> The ROAs have an expire date
>> How do i rotate the cert to push out the expiration date?  Does ARIN do this for me?
>> Thanks!

More information about the NANOG mailing list