
How to enrol a BPKI certificate?

Requirements

  • Download and install the latest version of OpenSSL on your PC/laptop. It works on Linux, macOS and Windows.
  • A copy of AFRINIC's member certificate authority (CA) certificate. This should be downloaded from http://ftp.afrinic.net/bpki/memberca.pem.txt
  • Credentials to the registration authority enrolment page.
    The username is the nic-handle and the password is sent by email once the BPKI request is approved on the MyAFRINIC portal. To request a password reset, get in touch with [email address protected from spambots].

    With the above requirements in place, proceed with the steps below to create a BPKI certificate.
  1. Create a certificate signing request (CSR)


    It is recommended to create a new folder and execute the OpenSSL commands from that path; the generated and downloaded files will reside there. Depending on the privileges on the PC/laptop, you may need administrative access to run some of these commands.

    openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

    Sample Output

    Country Name (2 letter code) []:MU
    State or Province Name (full name) []:Ebene
    Locality Name (eg, city) []:Cybercity
    Organization Name (eg, company) []:AFRINIC Ltd
    Organizational Unit Name (eg, section) []:Member Services
    Common Name (eg, fully qualified hostname) []: NICHDL-AFRINIC
    Email Address []: [email address protected from spambots]

    Leave the challenge password [] as BLANK

    The MANDATORY fields are:
    Common Name - nic-handle
    Email - email address

    Output
    CSR.csr
    privateKey.key
    memberca.pem.txt  - Download from http://ftp.afrinic.net/bpki/memberca.pem.txt 


  2. Enrol generated CSR to the registration authority (RA)


    Go to the registration authority (RA) enrolment page

    https://externalra.afrinic.net/externalra-gui/facelet/enroll-csrcert.xhtml

    username:  NICHNL-AFRINIC
    password: sent by email after BPKI approval
    Certificate Request: Choose CSR generated from the file above
    Response type: select PEM. Click on Send Certificate Request

    Output - pem file, save this to the same folder as Step 1 
    NICHNL-AFRINIC.pem 


  3. Generate a p12 file to be installed in the browser. The files on Step 1 and Step 2 will be used for this.


    openssl pkcs12 -export -out NICHNL-AFRINIC.p12 -inkey privateKey.key -in NICHNL-AFRINIC.pem -certfile memberca.pem.txt

    Password: sent by email

    Output - p12 file 
    NICHNL-AFRINIC.p12


  4. Install the p12 in your browser. AFRINIC recommends either the Chrome or the Firefox browser. Use the same password as in Step 3.


    Firefox

    Advanced > Certificates > View Certificates > Import, then import the p12

    Chrome

    On the chrome://settings page scroll down to ‘Advanced’
    Under ‘Privacy and Security’ click ‘Manage Certificates’ and Import the p12

    Restart the browser

    Test access by logging in to MyAFRINIC and accessing the RPKI resources page 

    https://my.afrinic.net/resources/rpki/

    NOTE

    The certificate import varies depending on the operating system, but installation should be straightforward.

    There are reported cases where the page could not be accessed because antivirus software was blocking access to the installed certificate. The workaround is to whitelist the MyAFRINIC portal in the antivirus web protection.
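
A check that can be run after Step 2 and before Step 3, as an added example that is not part of AFRINIC's procedure: it confirms that the private key, the CSR and the certificate returned by the RA all carry the same public key, and that the certificate verifies against memberca.pem.txt. It assumes memberca.pem.txt is the issuer of the returned certificate; the function names and `issued.pem` are hypothetical, and `make_demo_files` only builds constructed throwaway files for a dry run.

```shell
#!/bin/sh
# Added example (not AFRINIC's): checks to run between Step 2 and Step 3.

# Print a SHA-256 digest of the public key inside a key, CSR or certificate.
pubkey_digest() {  # usage: pubkey_digest key|csr|cert FILE
  case "$1" in
    key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr)  pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac || return 1
  [ -n "$pub" ] || return 1
  printf '%s\n' "$pub" | openssl sha256
}

# Succeed only if key, CSR and issued certificate share one public key and
# the certificate verifies against the CA file (assumed to be its issuer).
check_bpki_files() {  # usage: check_bpki_files KEY CSR CERT CAFILE
  k=$(pubkey_digest key  "$1") || { echo "cannot read private key" >&2; return 1; }
  r=$(pubkey_digest csr  "$2") || { echo "cannot read CSR" >&2; return 1; }
  c=$(pubkey_digest cert "$3") || { echo "cannot read certificate" >&2; return 1; }
  [ "$k" = "$r" ] || { echo "CSR was not generated from this key" >&2; return 1; }
  [ "$k" = "$c" ] || { echo "certificate does not match this key" >&2; return 1; }
  openssl verify -partial_chain -CAfile "$4" "$3" >/dev/null 2>&1 ||
    { echo "certificate does not chain to $4" >&2; return 1; }
  chmod 600 "$1"  # -nodes left the key unencrypted; keep it owner-only
}

# Build constructed, throwaway stand-ins for the page's files in directory $1.
make_demo_files() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed CA" \
    -keyout "$1/ca.key" -out "$1/memberca.pem.txt" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=NICHDL-AFRINIC" \
    -keyout "$1/privateKey.key" -out "$1/CSR.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/CSR.csr" -CA "$1/memberca.pem.txt" \
    -CAkey "$1/ca.key" -set_serial 1 -days 1 -out "$1/issued.pem" 2>/dev/null
}

# Real use: check_bpki_files privateKey.key CSR.csr <issued>.pem memberca.pem.txt
```

A non-zero exit status means the p12 built in Step 3 would pair the wrong key or CA with the certificate, which otherwise only shows up as a failed browser login.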




on Friday May 31 by duksh