Delegate to Child CAs

Krill supports delegating resources from your CA(s) to so-called child CAs. This function is primarily used by National Internet Registries (NIRs) that use Krill for their RPKI service. Most non-registry organisations will have no need for this function, as they simply have no members or customers to delegate resources to.

However, this function may still come in useful for example for larger organisations with many resources and complex organisational structure or customers who are in charge of using some of their IP or ASN resources.

There is no UI support for managing child CAs, but you can use the CLI krillc children subcommands to achieve this:

    krillc children [SUBCOMMAND]

    add            Add a child to a CA
    info           Show info for a child (id and resources)
    update         Update an existing child of a CA
    response       Show the RFC8183 Parent Response XML
    connections    Show connections stats for children of a CA
    suspend        Suspend a child CA: hide certificate(s) issued to child
    unsuspend      Suspend a child CA: republish certificate(s) issued to child
    remove         Remove an existing child from a CA