Firstly, about BPKI:

A BPKI certificate (also known as a client X.509 certificate) is a digital certificate issued to identify its holder while performing an online transaction.
In the case of AFRINIC, the client certificate delivered holds your NIC-HANDLE as its Common Name (CN).
The AFRINIC BPKI certificate is used to digitally certify organisation members' right to access and perform certain services online, such as RPKI and the AFRINIC Board members' election.

How to submit a BPKI request?

To request a BPKI certificate, connect to https://my.afrinic.net and navigate to "My Account > BPKI".
NOTE: AFRINIC shall assist you only if you provide the information/documents requested below and you have NO outstanding balances.

1. Administrative contact

If you are an administrative contact, kindly send us your identification information at service-support@afrinic.net:

  1. Full name  
  2. E-mail address 
  3. NIC-HANDLE 
  4. Organisation's name 
  5. Scanned copy of an official, Government/State-issued, ID, passport, driver's license or company ID card.

2. Non-administrative account

If you are a technical, billing, abuse or general contact, you will be asked to request a BPKI certificate by clicking on the "Request BPKI certificate" button.

Your request will be sent to all the administrative contacts of your organisation. The system will grant an admin contact access to accept BPKI requests made by non-admin contacts of the organisation only if that admin contact already has a valid BPKI certificate. If this is not the case, ask the admin contact to go back to step 1 (1. Administrative contact) above.


How can an admin contact approve a BPKI request sent by a non-admin contact?

Log on to https://my.afrinic.net and navigate to "My Account > BPKI".
Click on the smiley-face icon.

The non-admin contact shall receive an email with the credentials approximately 30 minutes after the admin contact has approved the request.
Once the credentials are received, the non-admin contact should follow step 2. below on how to enrol for a BPKI certificate.

How to enrol BPKI certificate?

AFRINIC recommends generating the CSR using either the Chrome or Firefox browser.

  1. It is highly advised to create a new folder in your current working path, where all the generated and downloaded files will be stored. For the successful creation of the .p12 file in step 6, ensure that the folder holds the following before executing the command:
  • privateKey.key
  • memberca.pem.txt
  • NICHDL-AFRINIC.p12

    Where NICHDL will be your own NIC-HANDLE.
    Having all the listed files in one folder will facilitate the enrolment process.

  2. Generate a new private key and Certificate Signing Request. You need openssl to do this.

On Linux/Mac:

Using the command line in your terminal, download and install openssl with "yum install openssl". You may need root access in order to install the toolkit.
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

On Windows:

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

  3. Enter your credentials.
  4. On "Choose file", use the generated .csr file from step 1.
  5. Select the PEM option and click on Send Certificate Request; download and save the PEM file.
  6. The next step is to generate a .p12 file to install in your browser.
     • First, download the CA certificate here:
       https://v2.afrinic.net/images/bpki/memberca.pem.txt
     • Next, use openssl to create the p12 file:
       openssl pkcs12 -export -out <NIC-HANDLE>.p12 -inkey privateKey.key -in <NIC-HANDLE>.pem -certfile memberca.pem.txt
       Note: <NIC-HANDLE>.pem should be the file name downloaded from step 5, and NIC-HANDLE should be replaced by your own NIC-HANDLE.
  7. Install the p12 in your browser.
     On Firefox: go to Privacy and Security > View Certificates > Import certificate and enter the password which was used to encrypt the certificate.
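
The key, CSR and .p12 steps above can be wrapped with a few checks, shown here as an added example that is not AFRINIC's own tooling. The function names are hypothetical and the file names are the ones used on this page; because -nodes leaves privateKey.key unencrypted, the files are created under a restrictive umask, and the .p12 is only built if the downloaded certificate actually matches the private key.

```shell
#!/bin/sh
# Added example: wraps the openssl commands from this page with sanity checks.
# File names follow the page; the function names are made up for this sketch.

# Step 2: new RSA key + CSR. -nodes writes privateKey.key unencrypted, so it
# is created under umask 077 (owner-only). Extra arguments (for example
# -subj "/CN=<NIC-HANDLE>") are passed straight through to openssl req.
new_key_and_csr() {
    ( umask 077
      openssl req -out CSR.csr -new -newkey rsa:2048 -nodes \
          -keyout privateKey.key "$@" )
}

# Succeeds only if the certificate carries the public key of the private key.
key_matches_cert() {   # usage: key_matches_cert <key file> <cert file>
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# Step 6: build <NIC-HANDLE>.p12 after checking the inputs.
# Optional 2nd argument: an openssl -passout value for non-interactive use;
# without it openssl prompts for the export password as on this page.
build_p12() {
    handle=$1
    for f in privateKey.key "$handle.pem" memberca.pem.txt; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    if ! key_matches_cert privateKey.key "$handle.pem"; then
        echo "$handle.pem was not issued for privateKey.key" >&2
        return 1
    fi
    ( umask 077
      openssl pkcs12 -export -out "$handle.p12" -inkey privateKey.key \
          -in "$handle.pem" -certfile memberca.pem.txt \
          ${2:+-passout "$2"} )
}
```

Source the file in the working folder and run build_p12 with your own NIC-HANDLE once the PEM file and memberca.pem.txt have been downloaded.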

BPKI Renewal

BPKI certificates are valid for 2 years; when a certificate expires, the ROAs will not be visible from MyAFRINIC. If your BPKI certificate has expired, kindly follow step (Administrative contact) and step (How to enrol BPKI certificate?) above to renew it.
