How to Issue ROA in ARIN

Generating a ROA Request Key Pair in ARIN

ARIN recommends creating the key pair using OpenSSL; however, note that you can also use other methods.

OpenSSL> genrsa -out orgkeypair.pem 2048

When using an alternate method to generate your key pair, be sure to generate a key pair that fulfills these requirements:

  • It is an RSA key pair
  • It is 2048 bits in length
  • It uses the public exponent F4

Extracting the Public Key

Once you create the key pair, you can extract the public key using the following command:

OpenSSL> rsa -in orgkeypair.pem -pubout -outform PEM -out org_pubkey.pem

This command copies the public key from the ROA Request Key Pair to a file called org_pubkey.pem. You can then find the private key in orgkeypair.pem and the public key in org_pubkey.pem.

NOTE: Do not share the private key. Keep it private.

Submitting a Certificate Request

To submit a certificate request, follow these instructions.

  1. Log in to ARIN Online and go to the navigation menu > Your Records > Organization Identifiers.
  2. Select the organization for which you’d like to set up RPKI.
  3. Go to Actions > Manage RPKI.
  4. Select Configure Hosted from the Hosted RPKI section.
  5. Read and agree to the RPKI Terms of Service (not required for resources covered by an RSA version 12 or greater.)
  6. Click Continue.
  7. In the Public Key area, paste your newly created public key.
  8. Click Submit.

Once you complete the steps, a request will be sent to ARIN for a resource certificate covering your Internet number resources. Any measures taken in response to your request will be notified to you via ARIN Online.

Accessing Your Resource Certificates

Once ARIN generates a resource certificate for you, you can find it in two ways.

View the information via the Manage RPKI page:

  1. Log in to ARIN Online.
  2. Go to Your Records > Organization Identifiers. 
  3. Pick the organization for which you want to create RPKI.
  4. Select Actions and choose Manage RPKI.
  5. Select the link with your current certificate. In the body of the page, the resource certificate information will be displayed.

Download the certificate file using an ARIN ticket:

  1. Log in to ARIN Online.
  2. Choose Tickets from the navigation menu.
  3. Find the ticket that was created by your resource certificate. Your resource certificate will be listed in the Attached Files section.

Creating ROA in ARIN

1. Log in to ARIN Online.

2. In the menu on the left, click Your Records > Organization Identifiers.

Organization Identifiers menu highlighted in ARIN's Account Manager menu.

3. Click on the Org ID for which you want to configure RPKI (for example, ABC-123).

An example of an Org Handle in ARIN's Organizations Identifiers menu.

4. Click Actions > Manage RPKI.

Actions drop-down menu with the Manage RPKI option in ARIN's Organization menu.

5. Click Create ROA.

6. Fill in the required fields.

  • ROA Name – give your ROA a meaningful name
  • Origin AS – provide the number of the AS you want to authorize to announce your IPs (Heficed’s AS number is 61317)
  • Start Date and End Date – specify the time period for which you want your ROA to be valid
  • Prefixes – type the address prefix you want to authorize to announce
  • Private Key – browse and select the private key you generated earlier

NOTE: Heficed requires you to use 24 as the most specific prefix.

Example

Let’s say that ARIN allocated to your IP address space is 10.10.0.0/22. You want to authorize Heficed to announce this address space and its more specific prefixes (like 10.10.1.0/24 or 10.10.3.0/23). You want your ROA to be valid for 2 years.

Create a Route Origin Authorization menu in ARIN's Online portal.

Do not forget to click Next Step to complete the creation of ROA in ARIN.

Related articles:

Was this article helpful?

Still need help?

Heficed Slack Community

Get involved in Heficed Slack community. Get updates, ask questions, connect with peers.

Heficed Slack

Need support?

If you need any further help, don't hesitate to send a support request to our support team.