How to generate a ROA Request Key Pair

ROA, or Route Origination Authorization, is a cryptographically signed object that helps indicate which AS can originate certain IP prefixes.

ARIN, one of the five RIRs, offers hosted RPKI services. This means that ARIN has the Certificate Authority (CA) to sign ROAs within its region. If you want to use ARIN’s hosted RPKI services, you need a ROA Request Key Pair.

The ROA Request Key Pair consists of a public key and a private key, and you need this pair to protect your ROAs and certificate data as well as for identification. ARIN uses the public key to verify ROA requests signed using the paired private key.

One of the ways to generate the ROA Request Key Pair is to use OpenSSL. Run the following command:

OpenSSL> genrsa -out orgkeypair.pem 2048

Once the ROA Request Key Pair is generated, it is saved in the orgkeypair.pem file.

How to extract the public key

Run the following command to extract your public key to the org_pubkey.pem file.

OpenSSL> rsa -in orgkeypair.pem -pubout -outform PEM -out org_pubkey.pem

Note: The private key remains in the orgkeypair.pem file. Do NOT share it.

How to submit a certificate request

Once the ROA Request Key Pair is submitted to ARIN, a resource certificate is created. This certificate lists Internet number recourses and validates ownership. A resource certificate does not contain the resource holder’s identifiable information, but they have a private key that can be used for validation purposes.

Follow these steps to submit a certificate request:

1. Log in to your ARIN account.

2. Go to Your Records -> Organization Identifiers.

3. Select the organization you want.

4. Expand the Actions menu and click Manage RPKI.

5. Move to Hosted RPKI and select Configure Hosted.

6. Accept the RPKI Terms of Service.

7. Click Continue.

8. Enter your public key into the Public Key field.

9. Click Submit, and ARIN will receive a request to generate a resource certificate for your Internet resources.

How to access your resource certificates

Use steps 1-4 represented in the guide above to access the Manage RPKI menu. Click the link to the certificate to access it.

You can also download the certificate file using the ticket that was created when your certificate was generated. To access the ticket, log in to your ARIN account, click Tickets, find the ticket you are looking for and click Attached files.

How to create ROA in ARIN

1. Log in to your ARIN account.

2. In the Dashboard on the left, click Your Records -> Organization Identifiers.

Organization Identifiers menu shortcut highlighted in ARIN's Dashboard.

3. Click the Org Handle that you want to configure RPKI for.

An example of an Org Handle in ARIN's Organizations Identifiers menu.

4. Expand the Actions menu and click Manage RPKI.

Actions menu expanded in ARIN's Organization menu.

5. Click Create ROA.

6. Provide the required information, including ROA Name, Origin AS, Start Date, End Date, Prefixes and Private Key.

7. Click Next Step and then Submit.

Example

This is how you would fill the form if ARIN allocated 10.10.0.0/22, you chose IPXO (ASN: 834) to announce this address space and its more specific prefixes (e.g., 10.10.1.0/24 or 10.10.3.0/23), and you wanted the ROA to be valid for two years starting 06-25-2021.

Note: IPXO requires you to use 24 as the most specific prefix.

ARIN's Create a Route Origin Authorization form.

Learn more