The RPKI software is something you need to run on a server somewhere. Not on the router itself.
First install
https://github.com/NLnetLabs/routinator on a server or VM somewhere. The server IP address would be 10.x.y.z in this example.
set routing-options validation group rpki-validator session 10.x.y.z port 3323 local-address 10.a.b.c
set policy-options community origin-validation-state-invalid members 0x4300:
0.0.0.0:2set policy-options community origin-validation-state-unknown members 0x4300:
0.0.0.0:1set policy-options community origin-validation-state-valid members 0x4300:
0.0.0.0:0set policy-options policy-statement RPKI-CHECK term valid from protocol bgp
set policy-options policy-statement RPKI-CHECK term valid from validation-database valid
set policy-options policy-statement RPKI-CHECK term valid then validation-state valid
set policy-options policy-statement RPKI-CHECK term valid then community add origin-validation-state-valid
set policy-options policy-statement RPKI-CHECK term invalid from protocol bgp
set policy-options policy-statement RPKI-CHECK term invalid from validation-database invalid
set policy-options policy-statement RPKI-CHECK term invalid then validation-state invalid
set policy-options policy-statement RPKI-CHECK term invalid then community add origin-validation-state-invalid
set policy-options policy-statement RPKI-CHECK term unknown from protocol bgp
set policy-options policy-statement RPKI-CHECK term unknown from validation-database unknown
set policy-options policy-statement RPKI-CHECK term unknown then validation-state unknown
set policy-options policy-statement RPKI-CHECK term unknown then community add origin-validation-state-unknown
set policy-options policy-statement REJECT-RPKI-INVALID term RPKI-CHECK from policy RPKI-CHECK
set policy-options policy-statement REJECT-RPKI-INVALID term RPKI-INVALID from community origin-validation-state-invalid
set policy-options policy-statement REJECT-RPKI-INVALID term RPKI-INVALID then reject
set routing-instances internet protocols bgp group nlix import REJECT-RPKI-INVALID
set routing-instances internet protocols bgp group cogent import REJECT-RPKI-INVALID
And just like that we had RPKI invalid filtering on the NLIX routing server and Cogent IP transit sessions. Since all of that is redundant, I took that opportunity to sanity check that we still had the expected amount of routes installed from these sources sans the invalids.
Attribution I did not invent most of the above. It is from the free book Day One Deploying BGP routing security from Juniper.