[DBWG] Nonconformant X.509 issuer+subject names in some Afrinic RPKI CA/EE certs

Job Snijders job at bsd.nl
Fri Dec 12 14:49:12 UTC 2025


Dear AFRINIC,

On Fri, Dec 12, 2025 at 03:24:46PM +0400, Yogesh Chadee via DBWG wrote:
> AFRINIC has taken note of this matter. For the sake of clarity, a fix
> was applied in June 2024 and the number of non-compliant X.509 RPKI
> Certificates at AFRINIC has dropped since.

I wish to express my appreciation for all the work that has gone into
the restoration effort so far. Thank you for applying a fix to prevent
issues going forward. 

> To accelerate the depletion of non-conformant X.509 RPKI Certificates
> at AFRINIC, AFRINIC will:
> 
> 1. Publish an article online about this matter and detail the steps for an
> end user to revoke a non-compliant X.509 RPKI Certificate;
> 2. Use its usual communication channels to its Members and the Community to
> raise awareness on the matter; and
> 3. Open a Helpdesk to aid end users.
> 
> We hope this will soon put this issue behind us.

From the above, it seems like it will be incumbent upon the affected
resource holders to delete their ROAs and recreate all their ROAs. Am I
understanding this correctly?

Would it not be more convenient for everyone involved (and less prone to
error), if AfriNIC, as operator of the Certification Authorities, takes
upon itself the task of reissuing non-compliant ROAs?

Kind regards,

Job


