RIPE Database docs
Sidebar Navigation

Introduction to the RIPE Database

RIPE Database Documentation Overview

Intended Audience

Conventions Used in the RIPE Database Documentation

What is the RIPE Database

Purpose and Content of the RIPE Database

History of the RIPE Database

Personal Data Database Management and Reponsabilities

RIPE Database Structure

Database Object

Primary and Secondary Objects

List of Primary Objects

List of Secondary Objects

The Attributes in Database Objects

Attribute Names

Attributes in an Object

Attribute Values

Attribute Properties

How to Organise Your Data

REST API Data model

RPSL Object Types

Descriptions of Primary Objects

Descriptions of Secondary Objects

Available Databases

RIPE Database

TEST Database

Release Candidate Database

Experimental Databases

Update Methods

RESTful API

Webupdates

Syncupdates

Email Updates

Updating Objects in the RIPE Database

Format of the Update Message

Accessing the Object Templates

Object Processing

Update Operations

Historical Data

Special Considerations for Object Creation

Garbage Collection

Dry run

Set Objects

Notifications

Acknowledgment Message

Notification Messages

Authorisation

Authorisation Model

Using the Authorisation Methods

Security of Data Using Authorisation

Protection of PERSON and ROLE Objects

Protection of AUT NUM Object Space

Protection of Address Space

Protection of Route Object Space

Protection of Reverse Delegation Objects

Protection of Objects with Hierarchical Names

Protecting Membership of a Set

Referencing an ORGANIZATION Object

Referencing an IRT Object

IRT Object

Force Delete Functionality

Request ENUM delegation

Request DNSSEC delegation

How to Query the RIPE Database

The Structure of a Query

Web Query Form

RESTful API Queries

Command Line Queries

Query Responses

Registration Data Access Protocol

Access to Personal Data

Types of Queries

Queries Using Primary and Lookup Keys

Queries for IP Networks

Queries for Autonomous Systems

More and Less Specific Lookups For Reverse Domains

Inverse Queries

Abuse Contacts

Grouping the RIPE Database Output

Filtering the Query Reponse

IRR Toolset Support

Persistent Connections and Keeping State

Getting All the Members of Set objects

Access Control for Queries

RIPE NCC Global Resource Service

Other Query Flags

Referenced Objects in Query Response

Historical Queries

Related Software and Tools

Geolocation in the RIPE Database

RIPE Database Mirror

Setup RIPE Database Mirror

Near Real Time Mirroring v3

Near Real Time Mirroring v4

Access to NRTM

Tables of Query Types Supported by the RIPE Database

How to Recover Access to a Maintainer Object

Installation and Development

Getting started on macOS

Getting started on Ubuntu Linux

Building whois

Configure MariaDB

Coding standard

Installation instructions

Database Support

Support Overview

Clean up of Unreferenced Data

Database Security

Configuring Reverse DNS

Database Business Rules

Highlighted Values in the RIPE Database

Create First Role Mntner

Removal of personal data

Release Notes

FAQ

Appendices

Appendix A Syntax of Object Attributes

Appendix B Copyright Statement

Appendix C RIPE Database Query Server Response Codes and Messages

Appendix-D--Route-Object-Creation-Flowchart

Appendix-E--Domain-Object-Creation-Flowchart

Appendix F Special Considerations for Object Types

Appendix G Object Types with Personal Data

Appendix H PGP Authentication Method

Appendix I Client Certificate Authentication

Appendix J Ripe Test Database

Appendix K API Keys

Glossary

Legal Information

RIPE Database Acceptable Use Policy

HTML Terms And Conditions

All Documentation Combined

On this page

Appendix I- Client Certificate Authentication ​

Introduction ​

In this section, we provide an example of how to use client certificate authentication to make a Whois Update via the REST API.

One advantage of this method is that no secret is shared with the Whois server during the request. However, one drawback is that getting started is more complicated than other authentication methods.

Generate a Self-signed Certificate ​

First generate a self-signed x509 certificate using OpenSSL, along with a private key, in a single step.

$ openssl req -x509 -days 365 -newkey rsa:4096 -sha384 -subj "/C=NL/CN=ripe.net" -keyout client-key.pem -nodes -out client-cert.pem

A signed x509 certificate from a Certificate Authority can also be used, but Whois does not verify the trust path to the CA, only the signature against the certificate.

Convert Certificate to ASCII ​

Next display the certificate as ASCII, which is a base64 encoded version of the binary (PEM) certificate file, which is necessary to create a key-cert object.

$ openssl x509 -in client-cert.pem
-----BEGIN CERTIFICATE-----
MIIFITCCAwmgAwIBAgIUHD8QpV+IvEVs/pDVK3Ml63TNJUgwDQYJKoZIhvcNAQEM
BQAwIDELMAkGA1UEBhMCTkwxETAPBgNVBAMMCHJpcGUubmV0MB4XDTI0MDUxNDEz
NDQyNloXDTI1MDUxNDEzNDQyNlowIDELMAkGA1UEBhMCTkwxETAPBgNVBAMMCHJp
cGUubmV0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAssEU+sbcX9YB
UH/qX9qbF63elLlLmYFZ2LR119qgqQqYQURO6onCimEJFlbL90c7TDkRcBoyMtzm
KP3kSuiIWOZpxGcmUtGnoiry9q5thxp60lZNad/Yi59PyTrs8DRo24ebPSKCa1FS
edpFYwP1b0o61ipDARGldx0qtbSXZOujxgicQTZxLjakMUKltjLczGN6lXpblM0a
vZNbL6tTNan3p5Y/0gAVBtvEQtAc0z2wqmzpWPmXmOs1nucIqRUlJoHwecmSN3zf
1lYwFn+baDOQpTo6oFttZYJfhWFvWLEKDw1nscvPeq0q9/yHVJpi54L7osPb/P0P
mI1CTtROe6fG5+zshHxolqdWNwdOJ1q1+/tMglzWq6NOpf5ZBK06wUrdygNl5Adi
7ToxNmFA1OUD8bx2FxyAEzByEOm46NOeNLwszn1hoTvtm1hJ7TAMKCnHbyEF67qh
uY6f8mJzeYO6PWTIl90vz2HCYcN9Ij6M4dsQA/w52kQ7Wld1xpRacaCVK+hC0W1J
lZeHaqCbwdfa4jgVXOGFrnnwU8Iy5H7b4U3ukx5hT9aq6mGA6W9VxcYRuArtlU1f
9iPYRtAVOebHnW6FNGdyGmoeofqOsZoXI21J8vq2o4JEEsz1vu+JtNgBcat7buYt
bUHrbF840tWsA8IgzMiQkIkfzy9meA8CAwEAAaNTMFEwHQYDVR0OBBYEFFLJKFpY
3vmlUVaQ9qgo59QRodfuMB8GA1UdIwQYMBaAFFLJKFpY3vmlUVaQ9qgo59QRodfu
MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAIX+S5jwBueCo3Ka
u+sqCr5eP2DZKmTrUEJPf5NW0k5FBKtmVzkBDXobL7ipctmlmehvEzF9gLgLJhnL
lekKdyWrgbunHTfeRFl1jxC8js1p4t9BNQ+wpqgom8/V1F9pNRGDzVDS5arok0OU
xoAThRqS22DX6JMSDmvTF/DnRZ71j1quLf7eUVjdLA8J1Dwvz4YfiYseQEvGAxvY
u3+ZrA1qScImHv1WERETskiAjy5GxpxMW19WIZtBJ3d3QTo4wIrsd050F9ecF2Zs
Up7/pcv+vNxr/TgfO1l9yuJzzDJyklaumkeOwWvqHz/t6SIisgxAMMFlvAiYvYgC
uh3UHrPEVG/x4Z5RNBqSb+7Mk08jGrVj5qUhtD6FyeJ53uOM1jQQEAZ+G1zsZZzw
x80fSveD5QXj5pzgzLvP0nlk3m5cJEu4FILtzVol1TX4QQXDdeYOCwNK2393ac56
vCxGxD4oqaYyZa3FzOrjWSDlBwhynd+OCq2PvIw7wLIYxq7UuZ77W3QL6/LRRzrs
X17yf8Ux8feNJwKke/L3mq6QBZ9wzoadK+XjTQYWQCbj6WlH9QEYpmFS/XCz5kfQ
sUI9iChbKvcWOFFPID+XMbzKMgbSvP6aBzOhbUz3b9Tn4qfn9Yp2YWpPci7RrvlK
lECvj7YuYAysqbZKiulSN6N3OKHd
-----END CERTIFICATE-----

Create Key-cert Object ​

Next use the ASCII encoded certificate to create a key-cert object in the RIPE database, using Syncupdates or Mailupdates. Use "AUTO-1" as a placeholder for the primary key.

key-cert:        AUTO-1   
certif: -----BEGIN CERTIFICATE-----
certif: MIIFITCCAwmgAwIBAgIUHD8QpV+IvEVs/pDVK3Ml63TNJUgwDQYJKoZIhvcNAQEM
certif: BQAwIDELMAkGA1UEBhMCTkwxETAPBgNVBAMMCHJpcGUubmV0MB4XDTI0MDUxNDEz
certif: NDQyNloXDTI1MDUxNDEzNDQyNlowIDELMAkGA1UEBhMCTkwxETAPBgNVBAMMCHJp
certif: cGUubmV0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAssEU+sbcX9YB
certif: UH/qX9qbF63elLlLmYFZ2LR119qgqQqYQURO6onCimEJFlbL90c7TDkRcBoyMtzm
certif: KP3kSuiIWOZpxGcmUtGnoiry9q5thxp60lZNad/Yi59PyTrs8DRo24ebPSKCa1FS
certif: edpFYwP1b0o61ipDARGldx0qtbSXZOujxgicQTZxLjakMUKltjLczGN6lXpblM0a
certif: vZNbL6tTNan3p5Y/0gAVBtvEQtAc0z2wqmzpWPmXmOs1nucIqRUlJoHwecmSN3zf
certif: 1lYwFn+baDOQpTo6oFttZYJfhWFvWLEKDw1nscvPeq0q9/yHVJpi54L7osPb/P0P
certif: mI1CTtROe6fG5+zshHxolqdWNwdOJ1q1+/tMglzWq6NOpf5ZBK06wUrdygNl5Adi
certif: 7ToxNmFA1OUD8bx2FxyAEzByEOm46NOeNLwszn1hoTvtm1hJ7TAMKCnHbyEF67qh
certif: uY6f8mJzeYO6PWTIl90vz2HCYcN9Ij6M4dsQA/w52kQ7Wld1xpRacaCVK+hC0W1J
certif: lZeHaqCbwdfa4jgVXOGFrnnwU8Iy5H7b4U3ukx5hT9aq6mGA6W9VxcYRuArtlU1f
certif: 9iPYRtAVOebHnW6FNGdyGmoeofqOsZoXI21J8vq2o4JEEsz1vu+JtNgBcat7buYt
certif: bUHrbF840tWsA8IgzMiQkIkfzy9meA8CAwEAAaNTMFEwHQYDVR0OBBYEFFLJKFpY
certif: 3vmlUVaQ9qgo59QRodfuMB8GA1UdIwQYMBaAFFLJKFpY3vmlUVaQ9qgo59QRodfu
certif: MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAIX+S5jwBueCo3Ka
certif: u+sqCr5eP2DZKmTrUEJPf5NW0k5FBKtmVzkBDXobL7ipctmlmehvEzF9gLgLJhnL
certif: lekKdyWrgbunHTfeRFl1jxC8js1p4t9BNQ+wpqgom8/V1F9pNRGDzVDS5arok0OU
certif: xoAThRqS22DX6JMSDmvTF/DnRZ71j1quLf7eUVjdLA8J1Dwvz4YfiYseQEvGAxvY
certif: u3+ZrA1qScImHv1WERETskiAjy5GxpxMW19WIZtBJ3d3QTo4wIrsd050F9ecF2Zs
certif: Up7/pcv+vNxr/TgfO1l9yuJzzDJyklaumkeOwWvqHz/t6SIisgxAMMFlvAiYvYgC
certif: uh3UHrPEVG/x4Z5RNBqSb+7Mk08jGrVj5qUhtD6FyeJ53uOM1jQQEAZ+G1zsZZzw
certif: x80fSveD5QXj5pzgzLvP0nlk3m5cJEu4FILtzVol1TX4QQXDdeYOCwNK2393ac56
certif: vCxGxD4oqaYyZa3FzOrjWSDlBwhynd+OCq2PvIw7wLIYxq7UuZ77W3QL6/LRRzrs
certif: X17yf8Ux8feNJwKke/L3mq6QBZ9wzoadK+XjTQYWQCbj6WlH9QEYpmFS/XCz5kfQ
certif: sUI9iChbKvcWOFFPID+XMbzKMgbSvP6aBzOhbUz3b9Tn4qfn9Yp2YWpPci7RrvlK
certif: lECvj7YuYAysqbZKiulSN6N3OKHd
certif: -----END CERTIFICATE-----
mnt-by: SHRYANE-MNT
source: RIPE

The generated primary key is returned in the response.

Add Authentication Method to Maintainer ​

From the previous step, the created key-cert object has a generated primary key "X509-3571".

Now add the authentication method to the maintainer with an additional "auth:" attribute with a value "X509-3571", so the certificate can be used to authenticate updates as that maintainer.

Lookup An Object ​

Now update an object using the certificate to authenticate.

First lookup a PERSON object ES7554-RIPE as JSON and save to file.json. You must use the unfiltered query parameter to request the full object including attributes that may contain personal data.

$ curl -o file.json https://rest.db.ripe.net/ripe/person/ES7554-RIPE.json?unfiltered

You can also authenticate a MNTNER lookup with a client certificate, which will return the mntner including full auth: attribute values. Be sure to also include the unfiltered query parameter to return attributes that may contain personal data.

$ curl -o file.json --key client-key.pem --cert client-cert.pem https://rest-cert.db.ripe.net/ripe/person/ES7554-RIPE.json?unfiltered

Update An Object ​

Next modify the remarks: attribute value in file.json and submit an update, authenticating with the client certificate.

$ curl -v --header "Content-type: application/json" -d @file.json -X PUT --key client-key.pem --cert client-cert.pem https://rest-cert.db.ripe.net/ripe/person/ES7554-RIPE.json

The PERSON object has been updated successfully.

Last updated:

Pager
Previous pageAppendix H PGP Authentication Method
Next pageAppendix J Ripe Test Database