Your IP address is

RPKI v1.0 Engine Deactivation

16 November 2015

On 29 May 2015, AFRINIC released an updated version of its RPKI core infrastructure (v2.0). AFRINIC is pleased to announce that by now, all members have already migrated their engine to the new platform, on which they have also created their ROAs. 33 members have activated their new engines with a total of 77 active ROAs.

The features of the new release are:

  • The AFRINIC Root certificate now covers 'ALL' resources managed by AFRINIC.
  • Members can now get all allocated/assigned resources certified.
  • Adoption of a new minority-majority certification model. Instead of using one certificate, AFRINIC now manages a split certificates set namely:
  1. AFRINIC-CA (Covers AFRINIC managed space for which AFRINIC is majority space holder)
  2. APNIC-TO-AFRINIC (Covers AFRINIC managed space for which APNIC is majority space holder)
  3. ARIN-TO-AFRINIC (Covers AFRINIC managed space for which ARIN is majority space holder)
  4. LACNIC-TO-AFRINIC (Covers AFRINIC managed space for which LACNIC is majority space holder)
  5. RIPE-TO-AFRINIC (Covers AFRINIC managed space for which RIPE is majority space holder)

AFRINIC has changed its repository structure from “flat” to “hierarchical”. All objects (certificates and ROAs) can be retrieved from one single URI (rsync://

  • Support for MAX LENGTH as stipulated by RFC6482 on the ROA format.
  • Compliance to RFC7318 on policy qualifiers.
  • Fix for the “Bad CMS SI signed attributes” issue in ROAs and manifest files.

AFRINIC is now proceeding with the deactivation of the old platform, which includes the following:








Activation of new engine and re-issuance of new ROAs

June – August 2015




Revocation of old ROAs

June – October 2015




Deactivation of old member engines

November 16, 2015

Old member repositories will not be available. Top-down validation will complain about missing folders

To Do


Deactivation of old production master engine

November 18, 2015

Old master repository will not be available. Top-down validation will complain about missing folders

To Do


AFRINIC Root Cycle

November 20, 2015


To Do


The deactivation of the old member engines and old master production engine will have an impact of TOP-DOWN validation. However, the impact will not have any consequence on the validation of the active ROAs that have all been created on the new platform. Errors in validation, as from Step 3, will be temporary and will disappear as soon step 5 is completed.

38 member certificates are involved in this migration process.

Progress on the deactivation process will be communicated to all stakeholders as and when needed. Should members or relying parties require additional information, please contact the AFRINIC RPKI team on  This e-mail address is being protected from spambots. You need JavaScript enabled to view it

up dns_supportup RPKI_projectup root_serverup nro