A BPKI certificate (also known as a client X.509 certificate) is a digital certificate that identifies its holder during online transactions. In the case of AFRINIC, the client certificate delivered will hold your NIC-HANDLE as Common Name (CN). The AFRINIC BPKI certificate is used to digitally certify an organisation member's right to perform and access certain online services such as RPKI and the Board Election.
The enrolment of your certificate is the process by which your digital certificate is integrated into your browser so that it is used automatically for authentication. This integration process is not the same for all browsers. The process pre-defined in the engine we use at AFRINIC is only compatible with Firefox. We are working to extend this to as many browsers as possible.
If you do not see the link to the vote, this means that you have already been issued with a Proxy for the vote. In that case, you can no longer exercise your right to vote online. You need to sign the Proxy document and give it to your representative for an onsite vote.
Generally, you need to allow about 60 minutes between the validation of a certificate request and the receipt of the related mail. If after 60 minutes you have not received the details, please:
A BPKI certificate, also known as a client X.509 certificate, is used to identify a user or a client. It is meant for authenticating a client to a server. In the case of AFRINIC, the client certificate delivered will hold your NIC-HANDLE as Common Name (CN). You must be an authorised contact of your organisation to obtain a BPKI certificate. A BPKI certificate is needed to access Resource Certification (RPKI) services.
To request a BPKI certificate, connect to https://my.afrinic.net and navigate to "My Account > BPKI".
If you are an administrative contact, you will have to send us your identification information:
If you are a technical, billing, abuse or general contact, you will be asked to request a BPKI certificate by clicking on the "Request BPKI certificate" button.
Your request will be sent to all the Administrative contacts of your organisation. You need to follow up with them to know the status of your request.
An email is sent to all admin contacts of an organisation when a non-admin contact makes a BPKI request. Below is an example of an email sent to administrative contacts.
To accept a BPKI request made by non-admin contacts of the organisation, navigate to "My Account -> BPKI". The system will grant you access to this section if and only if you (as admin contact) already have a valid BPKI certificate. If not, go back to step 2.1.
You can then accept or reject a BPKI request of somebody from your organisation.
Once your BPKI request has been approved either by the Hostmaster (for admin contacts) or by your organisation's administrative contact, you will receive an email like the one below:
To enrol your BPKI certificate, you will have to connect to the External RA (Registration Authority) service.
Create a certificate from a CSR (manual process)
To generate a key pair, you need to have OpenSSL installed. *nix platforms usually come bundled with OpenSSL; for Windows, please click here
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
Please fill out the information requested for the CSR.
1) The Common Name (e.g. server FQDN or YOUR name) should be (i.e. the username received in the invitation email)
3) You should leave the challenge password blank; otherwise the system will ask for the challenge password every time the certificate is used.
Make sure you select "PEM" and click on "Send Certificate Request". A certificate in PEM format will be downloaded. Save it to the same folder as the CSR and private key generated under the name .pem.
Convert the PEM certificate into PKCS#12 format (p12). To do this, you will need the CA certificate that issued the client certificate. Copy and save the memberca certificate as "memberca.pem" in the same folder as above, then execute the following command:
openssl pkcs12 -export -out <NIC-HANDLE>.p12 -inkey privateKey.key -in <NIC-HANDLE>.pem -certfile memberca.pem
Output: your certificate in p12 format <NIC-HANDLE>.p12
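The script below is an added example, not AFRINIC's own tooling: before running the PKCS#12 conversion it confirms that the CSR carries the expected Common Name, that the returned certificate matches privateKey.key, and that it chains to memberca.pem. EXAMPLE-HANDLE, the throwaway CA standing in for the member CA, and the export password are constructed so that it runs offline.

```shell
#!/bin/sh
# Added example, not AFRINIC tooling. EXAMPLE-HANDLE, the demo CA and the
# export password are constructed stand-ins so the script runs offline.

csr_cn() {               # Common Name carried by CSR $1
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

cert_matches_key() {     # certificate $1 holds the public half of key $2
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

cert_chains_to() {       # certificate $1 verifies against CA certificate $2
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

cert_valid_for_days() {  # certificate $1 is still valid $2 days from now
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

make_demo_files() {      # constructed CA, key, CSR and certificate in dir $1
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key \
          -out memberca.pem -subj "/CN=Constructed Demo CA" -days 30 &&
      # The page's CSR command; -subj replaces the interactive prompts.
      openssl req -out CSR.csr -new -newkey rsa:2048 -nodes \
          -keyout privateKey.key -subj "/CN=EXAMPLE-HANDLE" &&
      # Stand-in for the RA returning the signed PEM certificate.
      openssl x509 -req -in CSR.csr -CA memberca.pem -CAkey ca.key \
          -CAcreateserial -out EXAMPLE-HANDLE.pem -days 30
    ) >/dev/null 2>&1
}

build_p12() {            # checks, then the page's pkcs12 command, in dir $1
    ( cd "$1" || exit 1
      [ "$(csr_cn CSR.csr)" = "$2" ] || exit 2            # wrong CN in CSR
      cert_matches_key "$2.pem" privateKey.key || exit 3  # not our key
      cert_chains_to "$2.pem" memberca.pem || exit 4      # wrong issuer
      openssl pkcs12 -export -out "$2.p12" -inkey privateKey.key \
          -in "$2.pem" -certfile memberca.pem -passout pass:constructed-demo
    )
}

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir" && build_p12 "$demo_dir" EXAMPLE-HANDLE &&
    echo "wrote $demo_dir/EXAMPLE-HANDLE.p12"
```

The distinct exit codes of build_p12 show which check failed; cert_valid_for_days can be run against the issued certificate to catch an approaching expiry.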
Open recognizes either the .pfx or .p12 extension and will open the keychain so you can import the certificate.
Import the certificate into your login keychain.
Even though you can import your certificate to a series of different browsers, the only currently supported browsers to access BPKI-restricted sections of MyAFRINIC are Chrome and Firefox.
Bravo! You now have a BPKI certificate installed in your browser and you can now securely authenticate yourself to MyAFRINIC.
No, the AFRINIC BPKI certificate is attached to a username with access to my.afrinic.net and is used to digitally certify the user's rights to perform and access certain online services such as RPKI and the AFRINIC Board members Election. The certificate cannot be used on a domain or its sub-domains.
While adding or editing ROA specifications, you can see the effect on the validity of your BGP announcements in the "View ROAs" section. Ensure the following sections have valid dates and that the ROAs remain valid, with status "NO" to indicate that they are not revoked.
RPKI is a certificate-based service that allows users to certify their Internet number resources to help secure Internet routing. It is a Public Key Infrastructure based service that enables IP address holders to specify which Autonomous Systems (ASes) are authorized to originate their IP address prefixes.
RPKI ensures that BGP announcements coming from a router are validated, confirming that they come from the resource holder and that the route is a valid route. This is done through Route Object Authorisation (ROA).
A ROA contains three informational elements:
BPKI certificates are valid for 2 years; when a certificate expires, the ROAs will no longer be visible from MyAFRINIC.
In case your BPKI certificate has expired, kindly refer to the following FAQs: