# Register ROA/RPKI with RIR

To register a ROA/RPKI (Route Origin Authorization / Resource Public Key Infrastructure) with a RIR (Regional Internet Registry) for the purpose of enabling BYOIP (Bring Your Own IP) on zenConsole, you need to validate your IP ownership and publish your ROAs (Route Origin Authorizations).

## Prerequisites

1. Make sure your IPv4 addresses are allocated to you by your RIR (ARIN, RIPE NCC, APNIC, LACNIC, or AFRINIC).
2. Prepare the ASN (Autonomous System Number) that will announce the IPv4 block. The ASN of the Zenlayer elastic compute service is “`62610`”.
3. RPKI/ROA validation is required to prevent route hijacking.

## Procedures

{% stepper %}
{% step %}

#### **Generate an RSA Private Key and Self-Signed X.509 Certificate**

To create an RSA private key and a self-signed X.509 certificate, you can use the following OpenSSL commands:

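```bash
# Generate a 2048-bit RSA private key, encrypted with AES-256 (prompts for a password)
openssl genpkey -aes256 -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private-key.pem
# Create a self-signed X.509 certificate from that key, valid for 365 days
openssl req -new -x509 -key private-key.pem -out certificate.pem -days 365
```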

During the execution of these commands, you will be prompted to set a password for the private key and provide certificate information, including:

* Country Name (C): Your country code (e.g., `US` for the United States).
* State or Province Name (ST): The full name of your state or province.
* Locality Name (L): Your city.
* Organization Name (O): The name of your organization.
* Organizational Unit Name (OU): The name of your organizational unit.
* Common Name (CN): The fully qualified domain name (FQDN) for which you're generating the certificate (e.g., `www.example.com`).

This process will generate two files:

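* `private-key.pem`: The RSA private key, encrypted with the password you set. Keep this file private; only `certificate.pem` is uploaded in the next step.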
* `certificate.pem`: The self-signed X.509 certificate.
{% endstep %}

{% step %}

#### **Upload the Certificate to Your RIR's RDAP Record**

After generating the certificate, you need to upload it to your RIR's RDAP record:

1. Log in to your RIR's member portal (e.g., ARIN, RIPE NCC, APNIC, etc.).
   * ARIN Online: <https://account.arin.net>
   * RIPE NCC Access: <https://access.ripe.net>
   * MyAPNIC: <https://my.apnic.net>
   * MiLACNIC: <https://milacnic.lacnic.net>
   * MyAFRINIC: <https://my.afrinic.net>
2. Navigate to the IP prefix object that you wish to update.
3. Edit the object's remarks field.
4. Paste the contents of `certificate.pem` into the remarks field.
5. Submit the changes.

This action will associate your self-signed certificate with your IP prefix in the RIR's RDAP record.
{% endstep %}

{% step %}

#### **Create a ROA**

A ROA is a cryptographic attestation that your ASN is authorized to announce a specific IP prefix.

1. Determine your ASN (Autonomous System Number) that will announce the IPv4 block.
2. Navigate to the RPKI/ROA management section in the RIR portal, for example:
   * ARIN: “Resource Certificates / ROA”
   * RIPE NCC: “RPKI” → “Create ROA”
   * APNIC: “RPKI Manager”
3. Create a ROA:
   * Prefix: the IP block you want to bring to zenConsole.
   * Max length: usually matches your prefix length (e.g., `/24` for IPv4).
   * Origin ASN: the ASN that will announce the prefix, either yours or a cloud-provided ASN if required (ASN of Zenlayer is “`62610`”).
{% endstep %}

{% step %}

#### **Publish the ROA**

Once the ROA is created, it will be digitally signed and published in the RPKI repository. Most cloud providers periodically validate ROAs against the global RPKI repository.
{% endstep %}

{% step %}

#### **Verify ROA Propagation**

Use tools like:

* RIPEstat: <https://stat.ripe.net/>
* RPKI Validator: <https://rpki-validator.ripe.net/ui/>

Ensure the ROA shows as **valid** for the prefix and ASN.
{% endstep %}
{% endstepper %}

{% hint style="info" %} <mark style="color:blue;">**Note**</mark>

* <mark style="color:blue;">Make sure your ROA</mark> <mark style="color:blue;">covers the exact prefix length you plan to announce. Mismatched max length can cause validation failures.</mark>
* <mark style="color:blue;">ROA creation can take minutes to hours to propagate in RPKI caches.</mark>
{% endhint %}
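
The max-length note above follows from how validators classify announcements under RFC 6811 route origin validation. The sketch below is an added example, not Zenlayer's or any RIR's code; it classifies an announcement against a set of ROAs, using constructed documentation prefixes and a placeholder ASN (AS64500) as sample data.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: str       # prefix authorized by the ROA
    max_length: int   # longest prefix length the origin may announce
    origin_asn: int   # ASN authorized to originate the prefix


def validate_origin(route_prefix: str, origin_asn: int, roas: list) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA only applies if it covers the announced prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Valid needs both: length within max length AND matching origin ASN.
        # An AS0 ROA never validates any announcement.
        if (route.prefixlen <= roa.max_length
                and origin_asn == roa.origin_asn
                and origin_asn != 0):
            return "valid"
    # Covered by at least one ROA but matched by none: invalid, and typically dropped.
    return "invalid" if covered else "not-found"


# Constructed sample data: RFC 5737 documentation prefix, max length equal to
# the prefix length, origin ASN 62610 as stated on this page.
SAMPLE_ROAS = [ROA("203.0.113.0/24", 24, 62610)]

if __name__ == "__main__":
    checks = [
        ("203.0.113.0/24", 62610),    # exact prefix, authorized origin
        ("203.0.113.128/25", 62610),  # more specific than max length
        ("203.0.113.0/24", 64500),    # placeholder ASN, not authorized
        ("198.51.100.0/24", 62610),   # no covering ROA at all
    ]
    for prefix, asn in checks:
        print(prefix, f"AS{asn}", validate_origin(prefix, asn, SAMPLE_ROAS))
```

A more-specific announcement such as the `/25` is classified invalid rather than not-found, because the covering `/24` ROA exists but its max length does not permit it.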

## What to Do Next

We recommend that you [register the corresponding route object](/welcome/elastic-compute/get-started/manage-networking/advertise-byoip/register-a-route-object-in-the-irr.md) in the IRR (Internet Routing Registry) before activating BYOIP.


