Reply to comment:

What I have experienced is that even tech savvy folks have issues getting pki correct. It would be helpful if you gave the entire chain of events and commands (eg: OpenSSL arguments etc) to demonstrate how "simple" it is, along with the configlet from junos showing how to take your static aggregate hold-down routes and tie those to your ROA.