Your IP address is 54.87.136.120

BPKI Enrolment Process

 

5. Enroll your BPKI certificate

5.0 select_enrolment_csr

 

To enroll your BPKI certificate you will have to connect to the External RA(Registration Authority) service. This service allows you to generate BPKI either by:

  • Creating a browser certificate (Generate a keypair in the browser and get a certificate for this keypair directly from the browser)

 

IMPORTANT
Currently the only supported browser for key generation is Firefox. For any other browser please refer to step 5.2 (the manual process).

 

  • Creating a certificate from a CSR (Create certificate from a Certificate Signing Request in PKCS#10 format)

 

5.1) Create a browser certificate (automatic process)

4 enrolment_browser

 

You need to input the credentials you received in the invitation email. Then click on "Send Certificate Request" to retrieve your certificate. You will see a message saying "Key generation process may take some time…", after that your certificate will be installed in your browser.

4.1 certificate_installed

 

5.2) Create a certificate from a CSR (manual process)

Some browsers do not support key generation and therefore you will have to carry out the key generation process yourself. To be able to generate a key pair, you need to have OPENSSL installed. *nix platforms are usually bundled with OPENSSL, for Windows please visit click here

Instructions:

  • Generate a new private key and Certificate Signing Request
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key 

Please fill out the information requested for the CSR.

 

IMPORTANT

1) The Common Name (e.g. server FQDN or YOUR name) should be <NIC-HANDLE> (i.e the username received in the invitation email)

2) You have just generated a private key for your BPKI certificate. Please keep it safely and back it up. In case the key is compromised, please send an email immediately to This e-mail address is being protected from spambots. You need JavaScript enabled to view it , we shall revoke your certificate.

3) You should leave the challenge password blank otherwise the system will ask for the challenge password everytime the certificate is used.

 

5.1 enrolment_csr

 

Make sure you select "PEM" and click on "Send Certificate Request". A certificate in pem format will be downloaded. Save it to the same folder as the CSR and private key generated under the name <NIC-HANDLE>.pem.

Convert the PEM certificate into a PKCS#12 format (p12). To be able to do this, you will need to have the CA certificate of the client certificate. Copy and save the memberca certificate as "memberca.pem" under the same folder as above. And execute the following command:

openssl pkcs12 -export -out <NIC-HANDLE>.p12 -inkey privateKey.key -in <NIC-HANDLE>.pem -certfile memberca.pem

Output: your certificate in p12 format <NIC-HANDLE>.p12

 

  • Now you need to import the certificate in your keychain or browser certificate keystore. To import a certificate in your browser:
      • For Firefox:
        • Linux: open Edit -> Preferences -> Advanced -> Encryption -> View Certificates
          Windows: open Tools -> Options -> Advanced -> Certificates -> Manage Certificates
          MAC: open Firefox -> Preferences -> Advanced -> Encryption->View Certificates
        • click import and enter the filename (mycert.p12 or mycert.pfx on a MAC)
      • For Chrome:
        • Go to preferences
        • Select "Show advanced settings" and under HTTPS/SSL click "manage certificate".
        • Import the certificate into your login keychain.
      • For MAC Safari open a Terminal
'open' mycert.pfx

Open recognizes either the .pfx or .p12 extension and will open the keychain so you can import the certificate.

Import the certificate into your login keychain.

 

IMPORTANT
Even though you can import you certificate to a series of different browsers, the only currently supported browsers to access BPKI-restricted sections of MyAFRINIC are Chrome and Firefox.

 

Bravo! You now have a BPKI certificate installed in your browser and you can now securely authenticate yourself to MyAFRINIC.

 

(Page 5 of 5)