Outage in RIPE NCC
Issues with delegated CAs
Resolved MinorIncident Report
We are currently investigating an issue that prevents delegated CAs from communicating with the RIPE NCC parent CA.
This issue does not affect the validity of delegated CAs that already have a current certificate. Publication by delegated CAs is also unaffected.
The BPKI TA certificate used in the RFC 8183 XML setup messages for delegated CAs, and the CRL included in RFC 6492 provisioning protocol messages signed by the RIPE NCC CA have expired.
The impact is as follows:
Delegated CAs cannot be configured at the moment
Existing delegated CAs may see the following error message: "RFC 6492 Issue: CMS is not valid: CRL nextUpdate time in the past"
Existing delegated CAs cannot request certificates for updated resources
Existing delegated CAs cannot perform an RPKI key rollover
As far as we understand, Krill verifies the validity period of the BPKI TA certificate during setup only, and then continues to trust the public key until it is told otherwise. Because of this we expect that the issues experienced by existing Krill CAs will be resolved when our system starts using updated CRLs in the RFC 6492 messages.
We are working on a fix. Because the fix is non-trivial we expect that this issue may persist for the next 12 to 24 hours.
We will provide a further update tomorrow morning.
Trusted by 1,000+ teams
Never miss outages in third-party dependencies
Stop finding out about outages from your users. Monitor 6,320+ cloud services and get alerted the second something breaks.
Latest Updates ( sorted recent to last )
RESOLVED
4 days ago - at 05/05/2026 11:07AM
This incident has been resolved.
IDENTIFIED
5 days ago - at 05/04/2026 07:03PM
We are currently investigating an issue that prevents delegated CAs from communicating with the RIPE NCC parent CA.
This issue does not affect the validity of delegated CAs that already have a current certificate. Publication by delegated CAs is also unaffected.
The BPKI TA certificate used in the RFC 8183 XML setup messages for delegated CAs, and the CRL included in RFC 6492 provisioning protocol messages signed by the RIPE NCC CA have expired.
The impact is as follows:
Delegated CAs cannot be configured at the moment
Existing delegated CAs may see the following error message: "RFC 6492 Issue: CMS is not valid: CRL nextUpdate time in the past"
Existing delegated CAs cannot request certificates for updated resources
Existing delegated CAs cannot perform an RPKI key rollover
As far as we understand, Krill verifies the validity period of the BPKI TA certificate during setup only, and then continues to trust the public key until it is told otherwise. Because of this we expect that the issues experienced by existing Krill CAs will be resolved when our system starts using updated CRLs in the RFC 6492 messages.
We are working on a fix. Because the fix is non-trivial we expect that this issue may persist for the next 12 to 24 hours.
We will provide a further update tomorrow morning.
Latest RIPE NCC outages
rpki-validator.ripe.net unavailable - 17 days ago
Issues with AFAS Software - 24 days ago
Never miss outages in third-party dependencies
With IsDown, you can monitor all your critical services' official status pages from one centralized dashboard and receive instant alerts the moment an outage is detected. Say goodbye to constantly checking multiple sites for updates and stay ahead of outages with IsDown.
Start free trialNo credit card required · Cancel anytime · 6320 services available
Integrations with
