BPKI

A BPKI certificate (also known as a client X.509 certificate) is a digital certificate that identifies its holder during an online transaction. In the case of AFRINIC, the client certificate delivered will hold your NIC-HANDLE as Common Name (CN). The AFRINIC BPKI certificate is used to digitally certify an organisation member's right to perform and access certain online services such as RPKI.

on 2018 Mar 10

The enrolment of your certificate is the process by which your digital certificate is integrated into your browser so that it is used automatically for authentication. This integration process is not the same for all browsers. The process predefined in the engine we use at AFRINIC is only compatible with Firefox. We are working to extend this to as many browsers as possible.

on 2018 Mar 10

You must be an authorised contact of your organisation to obtain a BPKI certificate. If you are an Administrative contact of a Member Organisation, you should send a mail to [e-mail address hidden] with proof of your identity.

If you are a technical, billing, abuse or general contact, you will be asked to request a BPKI certificate that has to be approved by the Administrative contact of your Organisation.

on 2018 Mar 10

Generally, you need to allow about 60 minutes between the validation of a certificate request and the reception of the related mail. If after 60 minutes you have not received the details, please:

  1. Check your spam mailbox.
  2. Verify that the e-mail address associated with the NIC-HANDLE is valid.

If both of the above check out, please contact service-support at afrinic.net.

on 2018 Mar 10

1) Introduction

A BPKI certificate, also known as a client X.509 certificate, is used to identify a user or a client. It is meant for authenticating a client to a server. In the case of AFRINIC, the client certificate delivered will hold your NIC-HANDLE as Common Name (CN). You must be an authorised contact of your organisation to obtain a BPKI certificate. A BPKI certificate is needed to access Resource Certification (RPKI) services.

  

2) How to request a BPKI certificate

To request a BPKI certificate, connect to https://my.afrinic.net and navigate to "My Account > BPKI".

2.1. Administrative contact

If you are an administrative contact, you will have to send us your identification information:

  1. Full name
  2. E-mail address
  3. NIC-HANDLE
  4. Organisation's name
  5. Scanned copy of an official Government/State-issued ID, passport, driver's license or company ID card.

Please send the above details to [e-mail address hidden] along with the required documents.

[Screenshot: administrative contact certificate request]

 

2.2. Non-administrative contact

If you are a technical, billing, abuse or general contact, you will be asked to request a BPKI certificate by clicking on the "Request BPKI certificate" button.

[Screenshot: "Request BPKI certificate" button]

 

Your request will be sent to all the Administrative contacts of your organisation. You need to follow up with them to know the status of your request.

 

3) Accepting or rejecting a BPKI request (for admin contacts only)

An email is sent to all admin contacts of an organisation when a non-admin contact makes a BPKI request. Below is an example of an email sent to administrative contacts.

[Screenshot: e-mail for a non-admin certificate request]

 

To accept a BPKI request made by non-admin contacts of the organisation, navigate to "My Account -> BPKI". The system will grant you access to this section if and only if you (as admin contact) already have a valid BPKI certificate. If not, go back to step 2.1.

[Screenshot: accept/reject interface]

You can then accept or reject a BPKI request from somebody in your organisation.

 

4) Invitation to request your BPKI certificate

Once your BPKI request has been approved either by the Hostmaster (for admin contacts) or by your organisation's administrative contact, you will receive an email like the one below:

[Screenshot: BPKI invitation e-mail]

 

5) Enrol your BPKI certificate

To enrol your BPKI certificate, you will have to connect to the External RA (Registration Authority) service.

 

Create a certificate from a CSR (manual process)

To generate a key pair, you need to have OpenSSL installed. *nix platforms usually bundle OpenSSL; on Windows it must be installed separately.

Instructions:

  • Generate a new private key and Certificate Signing Request
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

Please fill out the information requested for the CSR.

 

IMPORTANT

1) The Common Name (e.g. server FQDN or YOUR name) should be your NIC-HANDLE (i.e. the username received in the invitation email)

2) You have just generated a private key for your BPKI certificate. Please keep it safe and back it up. In case the key is compromised, please send an email immediately to [e-mail address hidden]; we shall revoke your certificate.

3) You should leave the challenge password blank; otherwise the system will ask for the challenge password every time the certificate is used.

[Screenshot: enrolment with a CSR]

Make sure you select "PEM" and click on "Send Certificate Request". A certificate in PEM format will be downloaded. Save it to the same folder as the CSR and the private key, under the name <NIC-HANDLE>.pem.

Convert the PEM certificate into PKCS#12 format (p12). To do this, you will need the CA certificate of the client certificate. Copy and save the memberca certificate as "memberca.pem" in the same folder as above, then execute the following command:

 

openssl pkcs12 -export -out <NIC-HANDLE>.p12 -inkey privateKey.key -in <NIC-HANDLE>.pem -certfile memberca.pem


Output: your certificate in p12 format <NIC-HANDLE>.p12

 

  • Now you need to import the certificate into your keychain or browser certificate keystore. To import a certificate in your browser:
    • For Firefox:
      • Linux: open Edit -> Preferences -> Advanced -> Encryption -> View Certificates
      • Windows: open Tools -> Options -> Advanced -> Certificates -> Manage Certificates
      • Mac: open Firefox -> Preferences -> Advanced -> Encryption -> View Certificates
      • Click Import and enter the filename (mycert.p12 or mycert.pfx on a Mac)
    • For Chrome:
      • Go to Preferences
      • Select "Show advanced settings" and under HTTPS/SSL click "manage certificate".
      • Import the certificate into your login keychain.
    • For Safari on a Mac, open a Terminal and run:

open mycert.pfx

The open command recognizes either the .pfx or .p12 extension and will open the keychain so you can import the certificate.

Import the certificate into your login keychain.

 

IMPORTANT 
Even though you can import your certificate to a series of different browsers, the only currently supported browsers to access BPKI-restricted sections of MyAFRINIC are Chrome and Firefox.

 

Bravo! You now have a BPKI certificate installed in your browser and you can now securely authenticate yourself to MyAFRINIC.

 

on 2018 Dec 14

No. The AFRINIC BPKI certificate is attached to a username with access to https://my.afrinic.net and is used to digitally certify the user’s rights to perform particular tasks and access certain online services such as RPKI.

The certificate cannot be used on a domain nor its respective sub-domains.

on 2019 May 31

While adding or editing ROA specifications, you can see the effect on the validity of your BGP announcements in the "View ROA’s" section. Ensure that the following sections have valid dates and that the ROAs remain valid, with status “NO” to indicate that they are not revoked.

[Screenshot of the sections to check]

on 2019 May 31

RPKI is a certificate-based service that allows users to certify their Internet number resources to help secure Internet routing. It is a Public Key Infrastructure based service that enables IP address holders to specify which Autonomous Systems (ASes) are authorized to originate their IP address prefixes.

RPKI allows the BGP announcements coming from a router to be validated, to ensure that they come from the resource holder and that the route is a valid route. This is done through Route Object Authorisation (ROA).

A ROA contains three informational elements:

  1. The AS Number that is authorised
  2. The prefix that may be originated from the AS
  3. The Maximum Length of the prefix
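
How a validator uses these three elements to classify a BGP announcement, as an added example (not AFRINIC's code): a POSIX shell implementation of the RFC 6811 origin validation outcome, IPv4 only. The function names and the single ROA line are constructed for illustration; the prefix and AS number are taken from the whois output further down this page.

```shell
#!/bin/sh
# Added example: RFC 6811 route origin validation, IPv4 only.
# Constructed ROA table, one ROA per line: "prefix maxLength originAS".
SAMPLE_ROAS='196.1.0.0/24 24 37708'

# Dotted quad -> 32-bit integer.
ip2int() {
    old=$IFS; IFS=.; set -- $1; IFS=$old
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# covers ROA_PREFIX ROUTE_PREFIX: true when the route lies inside the ROA prefix.
covers() {
    rlen=${1#*/}; plen=${2#*/}
    [ "$plen" -ge "$rlen" ] || return 1
    mask=$(( (0xFFFFFFFF << (32 - rlen)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "${1%/*}") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# rov ROUTE_PREFIX ORIGIN_AS, with the ROA table on stdin.
# Prints valid, invalid or not-found.
rov() {
    state=not-found
    while read -r roa_prefix maxlen asn; do
        covers "$roa_prefix" "$1" || continue
        state=invalid            # covered by a ROA, not yet matched
        # A match needs the authorised AS and a length within Max Length.
        if [ "$asn" = "$2" ] && [ "${1#*/}" -le "$maxlen" ]; then
            echo valid; return 0
        fi
    done
    echo "$state"
}
```

With the sample table, `printf '%s\n' "$SAMPLE_ROAS" | rov 196.1.0.0/24 37708` prints valid, while a /25 from the same AS is invalid because it exceeds the Max Length of 24.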

 

How to create ROAs on MyAFRINIC

  1. Log in to https://my.afrinic.net
  2. Go to Resources
  3. Resource Certification
  4. Select Issue ROA’s
  5. Create ROA by providing the following:
    1. Enter a unique ROA name
    2. Select the originating ASN
    3. Select the IPv4 Prefix
      1. Click on the plus "+" icon for the ROA creation text fields
      2. Enter your preferred Max Length (the most specific prefixes that may be originated from the AS)
    4. Select the IPv6 Prefix where applicable
      1. Click on the plus "+" icon for the ROA creation text fields
      2. Enter your preferred Max Length (the most specific IPv6 prefixes that may be originated from the AS)
    5. Select the ROA validity start date
    6. Select the ROA expiry date
  6. Click “add ROA”

 

on 2019 May 31

BPKI certificates are valid for 2 years; when a certificate expires, the ROAs will not be visible from MyAFRINIC.

In case your BPKI certificate has expired, kindly refer to the following FAQs:

 

on 2019 May 31
Note: AFRINIC recommends using either Firefox or Chrome as the browser for CSR generation.

1) It is highly advised to create a new folder in the path where you are currently working, in which all the generated and downloaded files will be stored.
For the successful creation of the .p12 file in step 6, you need to ensure that the folder holds the following before executing the command:

 

PrivateKey.Key

Memberca.pem.txt

NICHDL-AFRINIC.p12

NICHDL-AFRINIC.p12,

Where the NICHDL will be your own NIC-HANDLE.

 

Having all the listed files in one folder will facilitate the enrollment process. 

2) Generate a new private key and Certificate Signing Request. You require OpenSSL to do this.

 

On Linux/Mac:

Using the command line in your terminal, download and install OpenSSL with "yum install openssl". You may need root access in order to install the toolkit.

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

 

On Windows:

Download this OpenSSL package (https://gnuwin32.sourceforge.net/packages/openssl.htm) and install as follows:

 openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

 

  1. Go to the enrolment page https://externalra.afrinic.net/externalra-gui/facelet/enroll-csrcert.xhtml.

 

 

  1. Enter your credentials.
  2. On "Choose file", use the .csr file generated above.
  3. Select the PEM option and click on Send Certificate Request; download and save the PEM file.
  4. The next step is to generate a .p12 file to install in your browser.
  5. First, download the CA certificate here: https://v2.afrinic.net/images/bpki/memberca.pem.txt
  6. Next, use OpenSSL to create the p12 file:
    openssl pkcs12 -export -out <NIC-HANDLE>.p12 -inkey privateKey.key -in <NIC-HANDLE>.pem -certfile memberca.pem.txt
    Note: <NIC-HANDLE>.pem should be the name of the PEM file downloaded earlier, and NIC-HANDLE should be replaced by your own NIC-HANDLE.
  7. Install the p12 in your browser. On Firefox: go to Privacy and Security > View Certificates > Import certificate and enter the password which was used to encrypt the certificate.
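
Before the `openssl pkcs12 -export` step (here and in the manual CSR process earlier on this page), it helps to confirm that the downloaded certificate matches your private key, verifies against the member CA file, carries your NIC-HANDLE as CN, and that the key written with `-nodes` is not readable by other users. This is an added example, not AFRINIC's code: `check_bpki_files` and `make_constructed_files` are hypothetical helpers, and the throwaway CA and the handle TEST1-AFRINIC are constructed stand-ins for memberca.pem and a real NIC-HANDLE.

```shell
#!/bin/sh
# Added example: pre-flight checks before `openssl pkcs12 -export`.
# Usage: check_bpki_files KEY CERT CA NIC-HANDLE
# Prints "ok" or the name of the first failed check.
check_bpki_files() {
    key=$1; cert=$2; ca=$3; handle=$4
    # Public key derived from the private key vs. the one inside the certificate.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo key-unreadable; return 1; }
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || { echo cert-unreadable; return 1; }
    [ "$kpub" = "$cpub" ] || { echo key-mismatch; return 1; }
    # The certificate must verify against the CA file passed to -certfile.
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' \
        || { echo untrusted; return 1; }
    # The subject CN must be exactly the NIC-HANDLE.
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    subj=${subj#subject=}; subj=${subj# }
    case ",$subj," in
        *",CN=$handle,"*) ;;
        *) echo cn-mismatch; return 1 ;;
    esac
    # -nodes wrote the key unencrypted: no group/other permission bits allowed.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] || { echo key-perms; return 1; }
    echo ok
}

# Build constructed test material in DIR: a throwaway CA standing in for
# memberca.pem and a certificate for a made-up NIC-HANDLE.
# Usage: make_constructed_files DIR NIC-HANDLE
make_constructed_files() {
    (
        cd "$1" || exit 1
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed CA" \
            -keyout ca.key -out memberca.pem 2>/dev/null
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
            -keyout privateKey.key -out CSR.csr 2>/dev/null
        openssl x509 -req -in CSR.csr -CA memberca.pem -CAkey ca.key \
            -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
        chmod 600 privateKey.key ca.key
    )
}
```

For the real files, run `check_bpki_files privateKey.key <NIC-HANDLE>.pem memberca.pem.txt <NIC-HANDLE>` in the working folder and continue to the export only when it prints ok.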

 


 

 

 

 

 

 

on 2019 May 31
  1. Log on to https://my.afrinic.net
  2. Navigate to "My Account > BPKI".
  3. Click on the button below.

[Screenshot of the button]

 

 

The non-admin contact shall receive an email with the credentials approximately 30 minutes after the admin contact has approved.

Once the credentials are received, the non-admin contact can enrol the BPKI certificate as instructed here.

on 2019 May 31

If you are a technical, billing, abuse or general contact, you will be asked to request a BPKI certificate by clicking on the "Request BPKI certificate" button.

Your request will be sent to all the Administrative contacts of your organisation. The system will grant the admin contact access to accept the BPKI request made by non-admin contacts of the organisation only if the admin contact already has a valid BPKI certificate. If this is not the case, ask the admin contact to proceed as instructed here.

 

on 2019 May 31

A BPKI certificate is used to digitally certify the user’s rights to perform and access certain online services such as RPKI.

on 2019 Jul 22

There is no fee to obtain a BPKI certificate, but only registered contacts of your organisation (an AFRINIC resource member) can request it.

on 2019 Jul 22

Even if you are managing multiple organisations, you will need only one BPKI certificate. Once installed in your browser, you may switch between the organisations and manage the ROAs.

on 2019 Jul 22

whois -h whois.bgpmon.net 196.1.0.24

% This is the BGPmon.net whois Service
% You can use this whois gateway to retrieve information
% about an IP adress or prefix
% We support both IPv4 and IPv6 address.
%
% For more information visit:
% https://portal.bgpmon.net/bgpmonapi.php

Prefix: 196.1.0.0/24
Prefix description:
Country code:MU
Origin AS: 37708
Origin AS Name: AFRINIC-MAIN, MU
RPKI status: ROA validation successful
First seen: 2015-02-24
Last seen: 2019-06-15
Seen by #peers:82

 

 

on 2019 Jul 22

I've successfully generated and installed my BPKI certificate in my browser however when trying to create ROAs, I still see the verification page below:

[Screenshot: ROA verification page]

 

Restart your browser or computer. If the issue still persists, send an email to service-support at afrinic.net.

 

 

on 2019 Jul 22