How can we help you?
BPKI
A BPKI Certificate (also known as a client X.509 certificate) is a Digital certificate provided to identify the holder of such certificate while performing an online transaction. In the case of AFRINIC, the client certificate delivered will hold your NIC-HANDLE as Common Name (CN). AFRINIC BPKI certificate will be used to digitally certify Organisation members right to perform and access certain services online such as RPKI.
The enrolment of your certificate is a process by which your Digital Certificate is integrated into your browser to be automatically used for authentication purpose. The process of this integration is not the same for all browsers. The process pre-defined in the engine we use at AFRINIC is only compatible with Firefox. We are working to extend this to as many browsers as possible.
You must be an authorised contact of your organisation to obtain a BPKI certificate. If you are an Administrative contact of a Member Organisation you should send a mail to This email address is being protected from spambots. You need JavaScript enabled to view it. with proofs of your identity.
If you are a technical, billing, abuse or general contact, you will be asked to request a BPKI certificate that has to be approved by the Administrative contact of your Organisation.
Generally, you need to allow about 60 minutes between a validation of a certificate request and the reception of the related mail. If after 60 minutes you have not received the details, please:
- check your spam mailbox
- Verify that the e-mail address associated with the NIC-HANDLE is valid.
If all the above are all positive, please contact service-support at afrinic.net.
1) Introduction
A BPKI certificate, also known as a client X.509 certificate, is used to identify a user or a client. They are meant for authenticating a client to a server. In the case of AFRINIC, the client certificate delivered will hold your NIC-HANDLE as Common Name (CN). You must be an authorised contact of your organisation to obtain a BPKI certificate. A BPKI certificate is needed to access Resource Certification (RPKI) services.
2) How to request a BPKI certificate
To request a BPKI certificate, connect to https://my.afrinic.net and navigate to "My Account > BPKI".
2.1. Administrative contact
If you are an administrative contact, you will have to send us your identification information:
- Full name
- E-mail address
- NIC-HANDLE
- Organisation's name
- Scanned copy of an official Government/State-issue ID, passport, driver's license or company'ID card.
Please send the above details to This email address is being protected from spambots. You need JavaScript enabled to view it. along with the required documents.
2.2. Non-administrative contact
If you are a technical, billing, abuse or general contact, you will be asked to request a BPKI certificate by clicking on the "Request BPKI certificate" button.
Your request will be sent to all the Administrative contacts of your organisation. You need to follow up with them to know the status of your request.
3) Accepting or rejecting a BPKI request (for admin contacts only)
An email is sent to all admin contacts of an organisation when a non-admin contact makes a BPKI request. Below is an example of an email sent to administrative contacts.
To accept a BPKI request made by non-admin contacts of the organisation, navigate to "My Account -> BPKI". The system will grant you access to this section only and only if you (as admin-contact ) already have a valid BPKI certificate. If not go back to step 2.1.
You can then accept or reject a BPKI request of somebody from your organisation.
4. Invitation to request your BPKI certificate
Once your BPKI request has been approved either by the Hostmaster (for admin contacts) or by your organisation's administrative contact, you will receive an email like the one below:
5. Enrol your BPKI certificate
To enrol your BPKI certificate you will have to connect to the External RA(Registration Authority) service.
Create a certificate from a CSR (manual process)
To be able to generate a key pair, you need to have OpenSSL installed. *nix platforms are usually bundled with OpenSSL, for Windows please visit click here
Instructions:
- Generate a new private key and Certificate Signing Request
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
Please fill out the information requested for the CSR.
IMPORTANT
1) The Common Name (e.g. server FQDN or YOUR name) should be (i.e the username received in the invitation email)
2) You have just generated a private key for your BPKI certificate. Please keep it safe and back it up. In case the key is compromised, please send an email immediately to This email address is being protected from spambots. You need JavaScript enabled to view it. , we shall revoke your certificate.
3) You should leave the challenge password blank otherwise the system will ask for the challenge password everytime the certificate is used.
- Next, navigate to https://externalra.afrinic.net/externalra-gui/facelet/enroll-csrcert.xhtml and input the credentials received in your invitation email and click "browse" to select the CSR freshly generated.
Make sure you select "PEM" and click on "Send Certificate Request". A certificate in pem format will be downloaded. Save it to the same folder as the CSR and private key generated under the name .pem.
Convert the PEM certificate into a PKCS#12 format (p12). To be able to do this, you will need to have the CA certificate of the client certificate. Copy and save the memberca certificate as "memberca.pem" under the same folder as above. And execute the following command:
openssl pkcs12 -export -out <NIC-HANDLE>.p12 -inkey privateKey.key -in <NIC-HANDLE>.pem -certfile memberca.pem
Output: your certificate in p12 format <NIC-HANDLE>.p12
- Now you need to import the certificate in your keychain or browser certificate keystore. To import a certificate in your browser:
- For Firefox:
- Linux: open Edit -> Preferences -> Advanced -> Encryption -> View Certificates
Windows: open Tools -> Options -> Advanced -> Certificates -> Manage Certificates
MAC: open Firefox -> Preferences -> Advanced -> Encryption->View Certificates - click import and enter the filename (mycert.p12 or mycert.pfx on a MAC)
- Linux: open Edit -> Preferences -> Advanced -> Encryption -> View Certificates
- For Chrome:
- Go to preferences
- Select "Show advanced settings" and under HTTPS/SSL click "manage certificate".
- Import the certificate into your login keychain.
- For MAC Safari open a Terminal
'open' mycert.pfx
Open recognizes either the .pfx or .p12 extension and will open the keychain so you can import the certificate.
Import the certificate into your login keychain.
IMPORTANT
Even though you can import your certificate to a series of different browsers, the only currently supported browsers to access BPKI-restricted sections of MyAFRINIC are Chrome and Firefox.
Bravo! You now have a BPKI certificate installed in your browser and you can now securely authenticate yourself to MyAFRINIC.
No, AFRINIC BPKI certificate is attached to a username with access to https://my.afrinic.net and used to digitally certify the user’s rights to perform particular tasks and access certain services online such as RPKI.
The certificate cannot be used on a domain nor its respective sub-domains.
BPKI Certificates are valid for 2 years and when it expires, the ROAs will not be visible from MyAFRINIC.
In case your BPKI certificate has expired, kindly refer to the following FAQs:
Requirements
- Download and install the latest version of OpenSSL on your pc/laptop. It works on Linux, macOS and Windows.
- Copy of AFRINIC's member certificate authority. This should be downloaded from http://ftp.afrinic.net/bpki/memberca.pem.txt
- Credentials to the registration authority enrolment page.
The username is nic-handle and the password is sent on email once the BPKI request is approved on MyAFRINIC portal. To request a password reset, get in touch with This email address is being protected from spambots. You need JavaScript enabled to view it.
With the above requirements in place, proceed with steps below to create a BPKI certificate.
-
Create a certificate signing request (CSR)
It is recommended to create a new folder and execute OpenSSL commands from that path, the generated and downloaded files will reside here. You may need administrative access to run some of these commands depending on the privileges on the pc/laptop
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
Sample Output
Country Name (2 letter code) []:MU
State or Province Name (full name) []:Ebene
Locality Name (eg, city) []:Cybercity
Organization Name (eg, company) []:AFRINIC Ltd
Organizational Unit Name (eg, section) []:Member Services
Common Name (eg, fully qualified hostname) []: NICHDL-AFRINIC
Email Address []: This email address is being protected from spambots. You need JavaScript enabled to view it.
Leave the challenge password [] as BLANK
The MANDATORY fields are
Common Name - nic-handle
Email - email address
Output
CSR.csr
privateKey.key
memberca.pem.txt - Download from http://ftp.afrinic.net/bpki/memberca.pem.txt -
Enrol generated CSR to the registration authority (RA)
Go to the registration authority (RA) enrolment page
https://externalra.afrinic.net/externalra-gui/facelet/enroll-csrcert.xhtml
username: NICHNL-AFRINIC
password: sent on email after BPKI approval
Certificate Request: Choose CSR generated from the file above
Response type: select PEM. Click on Send Certificate Request
Output - pem file, save this to the same folder as Step 1
NICHNL-AFRINIC.pem -
Generate a p12 file to be installed in the browser. The files on Step 1 and Step 2 will be used for this.
openssl pkcs12 -export -out NICHNL-AFRINIC.p12 -inkey privateKey.key -in NICHNL-AFRINIC.pem -certfile memberca.pem.txt
Password: sent on email
Output - p12 file
NICHNL-AFRINIC.p12 -
Install the p12 in your browser. AFRINIC recommends either Chrome or Firefox browser. Use the same password as Step 3.
Firefox
Advanced > Certificates > View Certificates > Import then import the p12
Chrome
On the chrome://settings page scroll down to ‘Advanced’
Under ‘Privacy and Security’ click ‘Manage Certificates’ and Import the p12
Restart the browser
Test access by logging in to MyAFRINIC and accessing the RPKI resources page
https://my.afrinic.net/resources/rpki/
NOTE
The certificate import varies depending on the operating system but install should be straight forward.
There are reported cases where the page could not be accessed because antivirus was blocking access to the installed certificate. The workaround is to add a whitelist of MyAFRINIC portal on the antivirus web protection.
- Log on to https://my.afrinic.net
- navigate to "My Account > BPKI".
- Click on below button
The non-admin contact shall receive an email with the credentials approximately 30 minutes after the admin contact has approved.
Once the credentials received, non-admin contact can enrol BPKI certificate as instructed here
If you are a technical, billing, abuse or general contact, you will be asked to request a BPKI certificate by clicking on the "Request BPKI certificate" button.
Your request will be sent to all the Administrative contacts of your organisation. Only if the admin contact already has a valid BPKI certificate, the system will grant him access to accept the BPKI request made by non-admin contacts of the organisation. If this is not the case, ask the admin contact to proceed as instructed here.
To request a BPKI certificate, connect to https://my.afrinic.net and navigate to "My Account > BPKI".
I've successfully generated and installed my BPKI certificate in my browser however when trying to create ROAs, I still see the verification page below:
Restart your browser or computer. If the issue still persist, send an email to service-support at afrinic.net.