Provided by: rpki-client_9.5-1_amd64 
NAME
rpki-client — RPKI validator to support BGP routing security
SYNOPSIS
rpki-client [-0ABcjmnoRVvx] [-b sourceaddr] [-d cachedir] [-e rsync_prog] [-H fqdn] [-S skiplist]
[-s timeout] [-t tal] [outputdir]
rpki-client [-Vv] [-d cachedir] [-j] [-t tal] -f file ...
DESCRIPTION
The rpki-client utility queries the Resource Public Key Infrastructure (RPKI) repository system with a
built-in HTTPS client and rsync(1) to fetch all X.509 certificates, manifests, and revocation lists under
a given Trust Anchor. rpki-client subsequently validates each Signed Object by constructing and
verifying a certification path for the certificate associated with the Object (including checking
relevant CRLs). rpki-client produces lists of the Validated ROA Payloads (VRPs), BGPsec Router Keys
(BRKs), and Validated ASPA Payloads (VAPs) in various formats.
The options are as follows:
-0 Include hazardous AS0 TALs in the output files. AS0 TALs are not recommended for automatic
filtering of BGP routes. The default is not to include them.
-A Exclude the ASPA-set from the output files that support it (BIRD, JSON, and OpenBGPD).
-B Create output in the file bird in the output directory suitable for BIRD internet routing daemon
version 2.16 and up. For compatibility with earlier versions, use -A. The validated payload
table names are ROAS4, ROAS6, and ASPAS.
-b sourceaddr
Tell the HTTP and rsync clients to use sourceaddr as the source address for connections, which is
useful on machines with multiple interfaces.
-c Create output in the file csv in the output directory as comma-separated values of the Autonomous
System, the prefix in slash notation, the maximum prefix length, an abbreviation for the Trust
Anchor the entry is derived from, and the moment the VRP will expire derived from the chain of
X.509 certificates and CRLs in seconds since the Epoch, UTC.
-d cachedir
The directory where rpki-client will store the cached repository data. Defaults to
/var/lib/rpki-client/cache.
-e rsync_prog
Use rsync_prog instead of rsync(1) to fetch repositories. It must accept the -rt and --address
flags and connect with rsync-protocol locations.
-f file ...
Decode the TAL or validate the Signed Object in file against the RPKI cache stored in cachedir
and print human-readable information about the object. If file is an rsync:// URI, the
corresponding file from the cache will be used. This option implies -n, and can be combined with
-j to emit a stream of Concatenated JSON.
-H fqdn
Create a shortlist and add fqdn to the shortlist. rpki-client only connects to shortlisted
hosts. The shortlist filter is enforced during processing of the Subject Information Access
(SIA) extension in CA certificates, thus applies to both RSYNC and RRDP connections. This option
can be used multiple times.
-j Create output in the file json in the output directory as JSON object. See -c for a description
of the fields.
-m Create output in the file metrics in the output directory in OpenMetrics format.
-n Offline mode. Validate the contents of cachedir and write to outputdir without synchronizing via
RRDP or RSYNC.
-o Create output in the file openbgpd in the output directory as bgpd(8) compatible input. If the
-B, -c, and -j options are not specified this is the default.
-P posix-seconds
Specify the time for the evaluation in posix-seconds seconds from the unix epoch. This overrides
the default of using the current system time.
-R Disable RRDP, synchronize only via RSYNC.
-S skiplist
Do not connect to hosts listed in the skiplist file. Entries in the skiplist are newline
separated Fully Qualified Domain Names (FQDNs). A ‘#’ indicates the beginning of a comment;
characters up to the end of the line are not interpreted. The skip filter is enforced during
processing of the Subject Information Access (SIA) extension in CA certificates, thus applies to
both RSYNC and RRDP connections. By default load entries from /etc/tals/skiplist.
-s timeout
Terminate after timeout seconds of runtime, because normal practice will restart from the
systemd.timer(5) unit rpki.timer. Disable by specifying 0. Defaults to 1 hour. Individual
RSYNC/RRDP repositories are timed out after one fourth of timeout. All network synchronisation
tasks are aborted after seven eights of timeout.
-t tal Specify a Trust Anchor Location (TAL) file to be used. This option can be used multiple times to
load multiple TALs. By default rpki-client will load all TAL files in /etc/tals. TAL are small
files containing a public key and URL endpoint address.
-V Show the version and exit.
-v Increase verbosity. Specify once for synchronisation status, twice to print the name of each
file as it's processed. If -f is given, specify once to print more information about the
encapsulated X.509 certificate, twice to print the certificate in PEM format.
-x Enable processing of experimental file formats. This option is implied by -f.
outputdir
The directory where rpki-client will write the output files. Defaults to /var/lib/rpki-client.
By default rpki-client outputs validated payloads in -joBcm (JSON, OpenBGPD, BIRD, CSV and OpenMetric)
formats.
rpki-client by default is run every 15 minutes by the systemd.timer(5) unit rpki.timer.
TRUST ANCHOR CONSTRAINTS
rpki-client can impose locally configured constraints on cryptographic products subordinate to publicly-
trusted Trust Anchors.
Constraining a Trust Anchor's effective signing authority to a limited set of Internet Number Resources
allows Relying Parties to take advantage of the potential benefits of assuming trust, while deriving
trust within a bounded scope.
Each .constraints file imposes constraints on the Trust Anchor reachable via the same-named .tal file.
One entry per line. Entries can be IP prefixes, IP address ranges, AS identifiers, or AS identifier
ranges. Ranges are a minimum and maximum separated by a hyphen (‘-’). Comments can be put anywhere in
the file using a hash mark (‘#’), and extend to the end of the current line. deny entries may not
overlap with other deny entries. allow entries may not overlap with other allow entries.
A given EE certificate's resources may not overlap with any deny entry, and must be fully contained
within the allow entries.
ENVIRONMENT
rpki-client utilizes the following environment variables:
http_proxy URL of HTTP proxy to use.
FILES
/etc/tals/*.tal default TAL files used unless -t tal is specified. The TAL files of the
five Regional Internet Registries are included.
/etc/tals/*.constraints files containing registry-specific constraints to restrict what IP
addresses and AS identifiers may or may not appear in EE certificates
subordinate to the same-named Trust Anchor.
/etc/tals/skiplist default skiplist file, unless -S skiplist is specified.
/var/lib/rpki-client/cache cached repository data.
/var/lib/rpki-client/openbgpd default roa-set output file.
EXIT STATUS
The rpki-client utility exits 0 on success, and >0 if an error occurs.
SEE ALSO
rsync(1), bgpd.conf(5)
STANDARDS
X.509 Extensions for IP Addresses and AS Identifiers, RFC 3779.
Internet X.509 Public Key Infrastructure Certificate and CRL Profile, RFC 5280.
Cryptographic Message Syntax (CMS), RFC 5652.
The rsync URI Scheme, RFC 5781.
An Infrastructure to Support Secure Internet Routing, RFC 6480.
A Profile for Resource Certificate Repository Structure, RFC 6481.
A Profile for X.509 PKIX Resource Certificates, RFC 6487.
Signed Object Template for the RPKI, RFC 6488.
The RPKI Ghostbusters Record, RFC 6493.
Policy Qualifiers in RPKI Certificates, RFC 7318.
The Profile for Algorithms and Key Sizes for Use in the RPKI, RFC 7935.
The RPKI Repository Delta Protocol (RRDP), RFC 8182.
A Profile for BGPsec Router Certificates, Certificate Revocation Lists, and Certification Requests, RFC
8209.
RPKI Trust Anchor Locator, RFC 8630.
Manifests for the RPKI, RFC 9286.
A Profile for RPKI Signed Checklists (RSCs), RFC 9323.
A Profile for Route Origin Authorizations (ROAs), RFC 9582.
On the use of the CMS Signing-Time Attribute in RPKI Signed Objects, RFC 9589.
Finding and Using Geofeed Data, RFC 9632.
Same-Origin Policy for the RRDP, RFC 9674.
A Profile for RPKI Trust Anchor Keys, RFC 9691.
Detecting RRDP Session Desynchronization, RFC 9697.
A Profile for Autonomous System Provider Authorization (ASPA),
https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-profile, Jun, 2023.
Constraining RPKI Trust Anchors, https://datatracker.ietf.org/doc/html/draft-snijders-constraining-rpki-
trust-anchors, September, 2023.
A profile for Signed Prefix Lists for Use in the RPKI, https://datatracker.ietf.org/doc/html/draft-ietf-
sidrops-rpki-prefixlist-02, Jan, 2024.
Relying Party Handling of RPKI CRL Number Extensions, https://datatracker.ietf.org/doc/html/draft-ietf-
sidrops-rpki-crl-numbers, May, 2024.
RPKI Manifest Number Handling, https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-manifest-numbers,
June, 2024.
Tiebreaking RPKI Trust Anchors, https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-ta-
tiebreaker, June, 2024.
HISTORY
rpki-client first appeared in OpenBSD 6.7.
AUTHORS
Kristaps Dzonsons <kristaps@bsd.lv>, Claudio Jeker <claudio@openbsd.org>, Theo Buehler <tb@openbsd.org>,
and Job Snijders <job@openbsd.org>.
Debian January 17, 2025 RPKI-CLIENT(8)