X509 Authentication supporting document

Introduction

You can use X.509 authentication with all of the methods for sending updates to the Whois Database. Whichever method you use, you will need a certificate and the matching private key. If you already have a certificate issued by another Certificate Authority, you can use that. If not, and you are an LIR, you can create one with the RIPE NCC, as AfriNIC does not run a CA yet. Otherwise you will have to generate a self-signed certificate yourself. AfriNIC's implementation of X.509 for signing updates to the Whois Database is not concerned with the trust path of a certificate: the certificate is only used to carry the public key, stored in a key-cert object, that matches your private key. No account is taken of certificate revocation lists. This is why a self-signed certificate works well for the purpose of signing database updates.

If you wish to send your updates from a mail client that supports S/MIME, you can import your certificate into the mail client and use it to sign the update messages. If your preferred mail client does not support S/MIME, you can sign messages from the command line using OpenSSL and paste the signed message into the mail client's compose window. As the AfriNIC Database is based on the RIPE NCC database, the RIPE NCC has tested some mail clients for S/MIME compliance. The results of these tests can be found in the document "E-mail Client Testing for S/MIME Compliance".

Set up your mail client

First you need to generate a certificate.

Once the certificate has been generated, select an option to export or backup the certificate and private key from your browser. Some guidelines for this are given in RIPE NCC Documentation Appendix A1.2.

Import the backed up certificate and private key into your e-mail client.

Set up the database

You are now ready to sign messages from your mail client. The next step is to set up the AfriNIC Database end. For this you need to create a new X509 key-cert object and set the authorisation in the mntner object to use X509.

Creating the key-cert object

You need to create a key-cert object according to the following template:

key-cert: [mandatory] [single] [primary/look-up key]
method: [generated] [single] [ ]
owner: [generated] [multiple] [ ]
fingerpr: [generated] [single] [inverse key]
certif: [mandatory] [multiple] [ ]
remarks: [optional] [multiple] [ ]
notify: [optional] [multiple] [inverse key]
admin-c: [optional] [multiple] [inverse key]
tech-c: [optional] [multiple] [inverse key]
mnt-by: [mandatory] [multiple] [inverse key]
changed: [mandatory] [multiple] [ ]
source: [mandatory] [single] [ ]

You will need to use OpenSSL to convert the certificate into an ASCII text format. The backup file exported from your browser containing your certificate and private key is in binary format and should have the file extension .p12. Use OpenSSL to convert this binary file into an ASCII file, which will have the file extension .pem.

The command to do this (where backup.p12 stands for the name of your exported backup file) is:

openssl pkcs12 -in backup.p12 -clcerts -out ascii.pem

Now open the ascii.pem file in a text editor. Remove everything from the file except for the certificate. This is contained within the lines:

-----BEGIN CERTIFICATE----- 
......
-----END CERTIFICATE-----

Keep the BEGIN and END lines as well. These lines now form the certificate data for your key-cert object. Add the attribute name "certif:" to the start of each of these lines.

For example:

certif: -----BEGIN CERTIFICATE-----
certif: MIID8zCCA1ygAwIBAgICAIIwDQYJKoZIhvcNAQEEBQAwcTELMAkGA1UEBhMCRVUx
certif: EDAOBgNVBAgTB0hvbGxhbmQxEDAOBgNVBAoTB25jY0RFTU8xHTAbBgNVBAMTFFNv
certif: ZnR3YXJlIFBLSSBUZXN0aW5nMR8wHQYJKoZIhvcNAQkBFhBzb2Z0aWVzQHJpcGUu
certif: bmV0MB4XDTAzMDkwODEwMjYxMloXDTA0MDkwNzEwMjYxMlowfTELMAkGA1UEBhMC
certif: TkwxETAPBgNVBAoTCFJJUEUgTkNDMRAwDgYDVQQLEwdNZW1iZXJzMRgwFgYDVQQD
certif: Ew91ay5idC50ZXN0LXVzZXIxLzAtBgkqhkiG9w0BCQEWIHRlc3QtdXNlckBsaW51
certif: eC50ZXN0bGFiLnJpcGUubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
certif: AQEArv3srxyl1QA3uS4dxdZbSsGrfBrMRjMb81Gnx0nqa6i+RziIf13lszB/EYy0
certif: PgLpQFdGLdhUQ52YsiGOUmMtnaWNHnEJrBUc8/fdnA6GVdfF8AEw1PTfJ6t2Cdc9
certif: 2SwaF+5kCaUDwmlOgbM333IQmU03l3I1ILs32RpQyZ+df/ovHNrVzeLc2P59isac
certif: bfjM2S0SXPQzHjuVLH40eOgVuXA/5LAYs51eXqwtKszSxFhqekf+BAEcRDrXmIT4
certif: e3zfiZOsXKe0UfaEABgHUMrYjsUCJ8NTMg6XiVSNwQQmXCdUbRvK7zOCe2iCX15y
certif: 9hNXxhY/q/IW54W5it7jGXq/7wIDAQABo4IBCDCCAQQwCQYDVR0TBAIwADARBglg
certif: hkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgXgMBoGCWCGSAGG+EIBDQQNFgtSSVBF
certif: IE5DQyBDQTAdBgNVHQ4EFgQUzdajNaRorkDTAW5O6Hpa3z9pP3AwgZsGA1UdIwSB
certif: kzCBkIAUHpLUfvaBVfxXVCcT0kh9NJeH7ouhdaRzMHExCzAJBgNVBAYTAkVVMRAw
certif: DgYDVQQIEwdIb2xsYW5kMRAwDgYDVQQKEwduY2NERU1PMR0wGwYDVQQDExRTb2Z0
certif: d2FyZSBQS0kgVGVzdGluZzEfMB0GCSqGSIb3DQEJARYQc29mdGllc0ByaXBlLm5l
certif: dIIBADANBgkqhkiG9w0BAQQFAAOBgQByg8L8RaiIz5k7n5jVwM/0oHSf48KRMBdn
certif: YdN2+eoEjVQbz48NtjbBTsOiUYj5AQWRHJrKtDQ+odbog0x7UsvhXjjBo/abJ6vI
certif: AupjnxP3KpSe73zmBUiMU8mvXLibPP1xuI2FPM70Y7fgeUehbmT7wdgqs7TEtYww
certif: PeUqjPPTZg==
certif: -----END CERTIFICATE-----

The "method:", "owner:" and "fingerpr:" attributes are generated automatically by the database update program, so they can be ignored at this stage. The only attribute required before the "certif:" data is "key-cert:". The value of this attribute is auto-generated, so add this line at the start of the file:

key-cert: AUTO-1 

This name is only used as a tag in maintainer "auth:" attributes, so it was decided not to allow any choice in the name. The generated name is of the form X509-nnn, where nnn is the next available integer. These numbers are not re-used: once a key-cert object is deleted, it is not possible to re-create one with the same name.

The remainder of the key-cert object after the "certif:" attributes looks something like this:

remarks: Sample Key Certificate
notify: you@your_domain.net
mnt-by: YOUR-MNT
changed: you@your_domain.net 20040101
source: AFRINIC
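The editing steps above (extract the certificate block from ascii.pem, prefix each line with "certif:", add the key-cert: AUTO-1 header and the trailer attributes) can be scripted. This is an added example, not part of the AfriNIC document; the maintainer name, the notify address and the sample .pem contents are constructed placeholders, and the script assumes ascii.pem was produced by the openssl pkcs12 -clcerts command shown earlier.

```shell
#!/bin/sh
# Added example, not part of the AfriNIC document: automate the manual steps of
# extracting the certificate from ascii.pem, prefixing each line with "certif: "
# and adding the key-cert: AUTO-1 header and the trailer attributes.
# Assumes ascii.pem came from "openssl pkcs12 -in backup.p12 -clcerts -out ascii.pem",
# so it may also hold the private key and "Bag Attributes" text; neither is copied.

# Print only the certificate block, each line prefixed with "certif: ".
certif_lines() {
    # Print from the BEGIN line through the END line and nothing else; the
    # "$" anchors make sure only exact boundary lines start and stop the range.
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" \
        | sed 's/^/certif: /'
}

# Assemble the object the page builds by hand.
# $1 = pem file, $2 = your maintainer (mnt-by), $3 = your notify/changed address.
make_keycert() {
    printf 'key-cert: AUTO-1\n'   # real name (X509-nnn) is assigned by the database
    certif_lines "$1"
    printf 'remarks: Sample Key Certificate\n'
    printf 'notify: %s\n' "$3"
    printf 'mnt-by: %s\n' "$2"
    printf 'changed: %s %s\n' "$3" "$(date +%Y%m%d)"
    printf 'source: AFRINIC\n'
}

# Constructed sample input (the base64 is shortened and the key is a dummy, not
# a real key), laid out the way openssl pkcs12 -clcerts writes its output.
SAMPLE_PEM=$(mktemp)
cat > "$SAMPLE_PEM" <<'EOF'
Bag Attributes
    friendlyName: test-user
-----BEGIN CERTIFICATE-----
MIID8zCCA1ygAwIBAgICAIIwDQYJKoZIhvcNAQEEBQAwcTELMAkGA1UEBhMCRVUx
PeUqjPPTZg==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQtRFVNTVktTk9ULUEtUkVBTC1LRVk=
-----END RSA PRIVATE KEY-----
EOF

make_keycert "$SAMPLE_PEM" YOUR-MNT you@your_domain.net
```

Run it against your real ascii.pem instead of the sample file and check that no PRIVATE KEY lines appear in the output before you submit the object.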

This gives a final key-cert object looking like this:

key-cert: AUTO-1
certif: -----BEGIN CERTIFICATE-----
certif: MIID8zCCA1ygAwIBAgICAIIwDQYJKoZIhvcNAQEEBQAwcTELMAkGA1UEBhMCRVUx
certif: EDAOBgNVBAgTB0hvbGxhbmQxEDAOBgNVBAoTB25jY0RFTU8xHTAbBgNVBAMTFFNv
certif: ZnR3YXJlIFBLSSBUZXN0aW5nMR8wHQYJKoZIhvcNAQkBFhBzb2Z0aWVzQHJpcGUu
certif: bmV0MB4XDTAzMDkwODEwMjYxMloXDTA0MDkwNzEwMjYxMlowfTELMAkGA1UEBhMC
certif: TkwxETAPBgNVBAoTCFJJUEUgTkNDMRAwDgYDVQQLEwdNZW1iZXJzMRgwFgYDVQQD
certif: Ew91ay5idC50ZXN0LXVzZXIxLzAtBgkqhkiG9w0BCQEWIHRlc3QtdXNlckBsaW51
certif: eC50ZXN0bGFiLnJpcGUubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
certif: AQEArv3srxyl1QA3uS4dxdZbSsGrfBrMRjMb81Gnx0nqa6i+RziIf13lszB/EYy0
certif: PgLpQFdGLdhUQ52YsiGOUmMtnaWNHnEJrBUc8/fdnA6GVdfF8AEw1PTfJ6t2Cdc9
certif: 2SwaF+5kCaUDwmlOgbM333IQmU03l3I1ILs32RpQyZ+df/ovHNrVzeLc2P59isac
certif: bfjM2S0SXPQzHjuVLH40eOgVuXA/5LAYs51eXqwtKszSxFhqekf+BAEcRDrXmIT4
certif: e3zfiZOsXKe0UfaEABgHUMrYjsUCJ8NTMg6XiVSNwQQmXCdUbRvK7zOCe2iCX15y
certif: 9hNXxhY/q/IW54W5it7jGXq/7wIDAQABo4IBCDCCAQQwCQYDVR0TBAIwADARBglg
certif: hkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgXgMBoGCWCGSAGG+EIBDQQNFgtSSVBF
certif: IE5DQyBDQTAdBgNVHQ4EFgQUzdajNaRorkDTAW5O6Hpa3z9pP3AwgZsGA1UdIwSB
certif: kzCBkIAUHpLUfvaBVfxXVCcT0kh9NJeH7ouhdaRzMHExCzAJBgNVBAYTAkVVMRAw
certif: DgYDVQQIEwdIb2xsYW5kMRAwDgYDVQQKEwduY2NERU1PMR0wGwYDVQQDExRTb2Z0
certif: d2FyZSBQS0kgVGVzdGluZzEfMB0GCSqGSIb3DQEJARYQc29mdGllc0ByaXBlLm5l
certif: dIIBADANBgkqhkiG9w0BAQQFAAOBgQByg8L8RaiIz5k7n5jVwM/0oHSf48KRMBdn
certif: YdN2+eoEjVQbz48NtjbBTsOiUYj5AQWRHJrKtDQ+odbog0x7UsvhXjjBo/abJ6vI
certif: AupjnxP3KpSe73zmBUiMU8mvXLibPP1xuI2FPM70Y7fgeUehbmT7wdgqs7TEtYww
certif: PeUqjPPTZg==
certif: -----END CERTIFICATE-----
remarks: Sample Key Certificate
notify: you@your_domain.net
mnt-by: YOUR-MNT
changed: you@your_domain.net 20050101
source: AFRINIC

This can now be submitted to the database update program by sending it in an e-mail to the database update address, or by using the syncupdates or webupdates methods.

The final object created in the database will look something like this:

key-cert: X509-23
method: X509
owner: /C=NL/O=AFRINIC/OU=Members/CN=tg.dodo.administrator
\ /Email=you@your_domain.net
fingerpr: AC:B5:B1:36:95:F3:46:93:B1:2D:58:EB:E1:46:DA:3F
certif: -----BEGIN CERTIFICATE-----
certif: MIID8zCCA1ygAwIBAgICAIIwDQYJKoZIhvcNAQEEBQAwcTELMAkGA1UEBhMCRVUx
certif: EDAOBgNVBAgTB0hvbGxhbmQxEDAOBgNVBAoTB25jY0RFTU8xHTAbBgNVBAMTFFNv
certif: ZnR3YXJlIFBLSSBUZXN0aW5nMR8wHQYJKoZIhvcNAQkBFhBzb2Z0aWVzQHJpcGUu
certif: bmV0MB4XDTAzMDkwODEwMjYxMloXDTA0MDkwNzEwMjYxMlowfTELMAkGA1UEBhMC
certif: TkwxETAPBgNVBAoTCFJJUEUgTkNDMRAwDgYDVQQLEwdNZW1iZXJzMRgwFgYDVQQD
certif: Ew91ay5idC50ZXN0LXVzZXIxLzAtBgkqhkiG9w0BCQEWIHRlc3QtdXNlckBsaW51
certif: eC50ZXN0bGFiLnJpcGUubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
certif: AQEArv3srxyl1QA3uS4dxdZbSsGrfBrMRjMb81Gnx0nqa6i+RziIf13lszB/EYy0
certif: PgLpQFdGLdhUQ52YsiGOUmMtnaWNHnEJrBUc8/fdnA6GVdfF8AEw1PTfJ6t2Cdc9
certif: 2SwaF+5kCaUDwmlOgbM333IQmU03l3I1ILs32RpQyZ+df/ovHNrVzeLc2P59isac
certif: bfjM2S0SXPQzHjuVLH40eOgVuXA/5LAYs51eXqwtKszSxFhqekf+BAEcRDrXmIT4
certif: e3zfiZOsXKe0UfaEABgHUMrYjsUCJ8NTMg6XiVSNwQQmXCdUbRvK7zOCe2iCX15y
certif: 9hNXxhY/q/IW54W5it7jGXq/7wIDAQABo4IBCDCCAQQwCQYDVR0TBAIwADARBglg
certif: hkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgXgMBoGCWCGSAGG+EIBDQQNFgtSSVBF
certif: IE5DQyBDQTAdBgNVHQ4EFgQUzdajNaRorkDTAW5O6Hpa3z9pP3AwgZsGA1UdIwSB
certif: kzCBkIAUHpLUfvaBVfxXVCcT0kh9NJeH7ouhdaRzMHExCzAJBgNVBAYTAkVVMRAw
certif: DgYDVQQIEwdIb2xsYW5kMRAwDgYDVQQKEwduY2NERU1PMR0wGwYDVQQDExRTb2Z0
certif: d2FyZSBQS0kgVGVzdGluZzEfMB0GCSqGSIb3DQEJARYQc29mdGllc0ByaXBlLm5l
certif: dIIBADANBgkqhkiG9w0BAQQFAAOBgQByg8L8RaiIz5k7n5jVwM/0oHSf48KRMBdn
certif: YdN2+eoEjVQbz48NtjbBTsOiUYj5AQWRHJrKtDQ+odbog0x7UsvhXjjBo/abJ6vI
certif: AupjnxP3KpSe73zmBUiMU8mvXLibPP1xuI2FPM70Y7fgeUehbmT7wdgqs7TEtYww
certif: PeUqjPPTZg==
certif: -----END CERTIFICATE-----
remarks: Sample Key Certificate
notify: you@your_domain.net
mnt-by: YOUR-MNT
changed: you@your_domain.net 20040101
source: AFRINIC

Updating the maintainer

The final step in order to use X.509 is to set the authorisation of your mntner object to accept X.509. It is advisable in the first instance to keep the existing authorisation method of your maintainer and add X.509 as an additional method. After you have tested its use successfully, you can then delete any less secure authorisation methods such as passwords.

If your existing mntner object looks something like this:

mntner: YOUR-MNT
descr: company maintainer object
admin-c: TP1-AFRINIC
upd-to: you@your_domain.net
referral-by: RIPE-DBM-MNT
mnt-by: YOUR-MNT
auth: CRYPT-PW dbOnSHFpKZTBU
changed: you@your_domain.net 20050101
source: AFRINIC

Add an additional authorisation line for X509-23 and submit the object to the database update program in the usual way, supplying the required existing authorisation. In this example it will be the crypt-pw password:

mntner: YOUR-MNT
descr: company maintainer object
admin-c: TP1-AFRINIC
upd-to: you@your_domain.net
referral-by: RIPE-DBM-MNT
mnt-by: YOUR-MNT
auth: CRYPT-PW dbOnSHFpKZTBU
auth: X509-23
changed: you@your_domain.net 20050101
source: AFRINIC

Using the X.509 authorisation

Everything is now in place to use X.509 authorisation. Compose a message in your mail client containing the update and sign it with your certificate and private key; you may need to check the documentation for your specific mail client to see how to do this. Then send the e-mail to the database update address. Once you have submitted a successful update you can, if you wish, remove the weaker authentication method by removing this line from the example:

auth: CRYPT-PW dbOnSHFpKZTBU

from your mntner object. Updates can now only be authorised by the stronger authentication method of X.509.