Get Started with Krill¶
Before you can start managing your own ROAs you need to do a one time setup where you:
create your CA
connect to Publication Server
connect to Parent CA (typically a Regional or National Internet Registry)
This can be easily achieved using the user interface. Connecting to the Publication Server and Parent CA is done by exchanging a couple of XML files. After this initial setup, and you can simply manage your ROAs.
If you just want to try out Krill (or a new version) you can use the testbed environment provided by NLnet Labs for this.
If you are using the defaults you can access the user interface in a browser on
the server running Krill at
https://localhost:3000. By default, Krill generates
a self-signed TLS certificate, so you will have to accept the security warning
that your browser will give you.
If you want to access the UI, or use the CLI, from another computer, you can either set up a reverse proxy on your server running Krill, or set up local port forwarding with SSH, for example:
ssh -L 3000:localhost:3000 email@example.com
Here we will guide you through the set up process using the UI, but we will also link to the relevant subcommands of the command line interface (CLI)
To login to the web user interface using named users instead of the secret token, see Login with Named Users.
The login will ask you to enter the secret token you configured for Krill.
If you are using the CLI you will need to specify the token using the –token option. Because the CLI does not have a session, you will need to specify this for each command, or you set the the KRILL_CLI_TOKEN environment variable and save yourself the trouble of repeating it.
Before Krill can request a certificate from a parent CA, it will need to know where it will publish. You can add a parent before configuring a repository for your CA, but in that case Krill will postpone requesting a certificate until you have done so.
In order to register your CA as a publisher, you will need to copy the RFC 8183 Publisher Request XML and supply it to your Publication Server. You can retrieve this file with the CLI subcommand krillc repo request, or you can simply use the UI:
Your publication server provider will give you a repository response XML. You can use the CLI subcommand krillc repo update to tell add this configuration to your CA, or you can simply use the UI:
After successfully configuring the repository, the next step is to configure your parent CA. You will need to present your CA’s RFC 8183 Child Request XML file to your parent. You can get this file using the CLI subcommand krillc parents request, or you can simply use the UI:
Your RIR or NIR will provide you with a parent response XML. You can use the CLI subcommand krillc parents add for this, or you can simply paste or upload it using the UI: