Resource Certification (RPKI)
What is Resource Certification?
Resource certification is a security framework that proves the association between specific IP address blocks or AS numbers (Internet number resources) and the holders of those Internet number resources. The certificates are proof of the resource holder’s right to use their Internet number resources and can be validated cryptographically. Resource certification uses a framework called Resource Public Key Infrastructure (RPKI), which is based on an X.509 certificate profile defined in RFC 3779.
Find out more about the NRO RPKI Program.
How Resource Certificates secure routing
Resource certificates are verifiable digital statements that an Internet number resource, such as a block of IPv4 or IPv6 addresses or an Autonomous System Number (ASN), has been registered by an RIR. In technical terms, a resource certificate is an X.509 certificate with “Extensions for IP Addresses and AS Identifiers”, as described in RFC 3779.
Once a certificate is created, the holder can use it to create a Route Origin Authorization (ROA). This is a digital document stating that, as the holder of a given range of IP addresses, you allow those addresses to be routed by specific Autonomous Systems (AS). By using an automated system to check actual routes against those described in the repository of ROAs maintained by the RIR, network operators can work with a new level of certainty that the traffic they are receiving is coming from a legitimately registered network.
Are There Privacy Concerns About Certification?
Resource certification is intended to improve technical reliability and therefore it does not serve to verify a user’s identity. This means that a certificate does not contain any personal information or an organization’s name.
Trust Anchor Locator
The single trust anchor is represented by a file called a ‘Trust Anchor Locator’ or TAL. It is very important that relying parties, who consume the products of the RIR RPKI system, have this TAL configured in their validator.
The TAL file contains both the location of the RIR RPKI repository and the RIR public key, which is used to cryptographically verify that the RIR has signed the artifacts within the RIR repository. The TAL is used with an RPKI Validator to verify the certificates and ROAs within the RIR RPKI repository. This validated information can then be used to make routing decisions in your network.
You can find each RIR TAL file at: AFRINIC | APNIC | ARIN | LACNIC | RIPE NCC
The status of RPKI systems in the RIRs
- Check the “RPKI Systems” box in the AFRINIC Status Page
- Expand the “RPKI Service” section in the APNIC Status Page
- Expand the “Registry Services” and the “Provisioning Services” sections in the ARIN Status Page
- LACNIC Status Page (Coming soon)
- Expand the “RPKI” section in the RIPE NCC Status Page
More information about RPKI
While RPKI is a cross-RIR project, each RIR provides specific information for resource holders in its region.
Find out more: AFRINIC | APNIC | ARIN | LACNIC | RIPE NCC
Last modified on 27/08/2025