Issues with delegated CAs

Update timeline

1. identified May 04, 2026, 07:03 PM UTC

   We are currently investigating an issue that prevents delegated CAs from communicating with the RIPE NCC parent CA. This issue does not affect the validity of delegated CAs that already have a current certificate. Publication by delegated CAs is also unaffected. The BPKI TA certificate used in the RFC 8183 XML setup messages for delegated CAs, and the CRL included in RFC 6492 provisioning protocol messages signed by the RIPE NCC CA have expired. The impact is as follows: Delegated CAs cannot be configured at the moment Existing delegated CAs may see the following error message: "RFC 6492 Issue: CMS is not valid: CRL nextUpdate time in the past" Existing delegated CAs cannot request certificates for updated resources Existing delegated CAs cannot perform an RPKI key rollover As far as we understand, Krill verifies the validity period of the BPKI TA certificate during setup only, and then continues to trust the public key until it is told otherwise. Because of this we expect that the issues experienced by existing Krill CAs will be resolved when our system starts using updated CRLs in the RFC 6492 messages. We are working on a fix. Because the fix is non-trivial we expect that this issue may persist for the next 12 to 24 hours. We will provide a further update tomorrow morning.