Dear working group, There has been an issue with our RPKI delegated CA service. The identity certificate and CRL used in the (RFC 6492) synchronisation channel between delegated CAs and the RIPE NCC parent CA expired at 8:37 UTC on 4 May 2026. As a result, delegated CAs would reject responses from our parent system, showing an error like “RFC 6492 Issue: CMS is not valid: CRL nextUpdate time in the past”. This disruption of the synchronisation between delegated CAs and our system had the following impact: - New delegated CAs could not be set up - Existing delegated CAs could not perform a key rollover - Existing delegated CAs could not list their resources - Existing delegated CAs could not request updated certificates This issue did not affect the validity of existing delegated CAs. Publication by delegated CAs was also unaffected. There was a low risk that outbound resource transfers or returns for delegated CAs could result in those CAs issuing overclaiming ROAs while their CA software was unable to synchronise with the RIPE NCC system. Because of this, we decided to put transfers and returns temporarily on hold for a few hours on 5 May 2026 while we worked on a fix. This issue was confirmed to be resolved at 10:48 UTC on 5 May 2026, after which transfers and returns were resumed. We apologise for any inconvenience this may have caused. Kind regards Tim Bruijnzeels Principal Engineer RPKI RIPE NCC