Your IP address is

BPKI Enrolment Process


1) Introduction

A BPKI certificate, also known as a client X.509 certificate, is used to identify a user or a client. They are meant for authenticating a client to a server. In the case of AFRINIC, the client certificate delivered will hold your NIC-HANDLE as Common Name (CN). You must be an authorised contact of your organisation to obtain a BPKI certificate. A BPKI certificate is needed to access Resource Certification (RPKI) services.



2) How to request a BPKI certificate

To request a BPKI certificate,  connect to and navigate to "My Account > BPKI".


2.1. Administrative contact

If you are an administrative contact, you will have to send us your identification information:

  1. Full name
  2. E-mail address
  4. Organisation's name
  5. Scanned copy of an official Government/State-issue ID, passport, driver's license or company'ID card.

Please send the above details to  This e-mail address is being protected from spambots. You need JavaScript enabled to view it  along with the required documents.

1 admin_cert_request


2.2. Non-administrative contact

If you are a technical, billing, abuse or general contact, you will be asked to request a BPKI certificate by clicking on the "Request BPKI certificate" button.

2 request_bpki_button


Your request will be sent to all the Administrative contacts of your organisation. You need to follow up with them to know the status of your request.



3) Accepting or rejecting a BPKI request (for admin contacts only)

An email is sent to all admin contacts of an organisation when a non-admin contact makes a BPKI request. Below is an example of an email sent to administrative contacts.

2.2 non-admin_cert_request_email


To accept a BPKI request made by non-admin contacts of the organisation, navigate to "My Account -> BPKI". The system will grant you access to this section only and only if you (as admin-contact ) already have a valid BPKI certificate. If not go back to step 2.1.

2.3 accept_reject_interface


You can then accept or reject a BPKI request of somebody from your organisation.



4. Invitation to request your BPKI certificate

Once your BPKI request has been approved either by the Hostmaster (for admin contacts) or by your organisation's administrative contact, you will receive an email like the one below:

3 bpki_invitation_to_retrieve



5. Enrol your BPKI certificate

To enroll your BPKI certificate you will have to connect to the External RA(Registration Authority) service. 


Create a certificate from a CSR (manual process)

To be able to generate a key pair, you need to have OPENSSL installed. *nix platforms are usually bundled with OPENSSL, for Windows please visit click here


  • Generate a new private key and Certificate Signing Request
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key 

Please fill out the information requested for the CSR.



1) The Common Name (e.g. server FQDN or YOUR name) should be (i.e the username received in the invitation email)

2) You have just generated a private key for your BPKI certificate. Please keep it safe and back it up. In case the key is compromised, please send an email immediately to  This e-mail address is being protected from spambots. You need JavaScript enabled to view it  , we shall revoke your certificate.

3) You should leave the challenge password blank otherwise the system will ask for the challenge password everytime the certificate is used.


5.1 enrolment csr


Make sure you select "PEM" and click on "Send Certificate Request". A certificate in pem format will be downloaded. Save it to the same folder as the CSR and private key generated under the name .pem.

Convert the PEM certificate into a PKCS#12 format (p12). To be able to do this, you will need to have the CA certificate of the client certificate. Copy and save the memberca certificate as "memberca.pem" under the same folder as above. And execute the following command:


openssl pkcs12 -export -out <NIC-HANDLE>.p12 -inkey privateKey.key -in <NIC-HANDLE>.pem -certfile memberca.pem

Output: your certificate in p12 format <NIC-HANDLE>.p12


  • Now you need to import the certificate in your keychain or browser certificate keystore. To import a certificate in your browser:
    • For Firefox:
      • Linux: open Edit -> Preferences -> Advanced -> Encryption -> View Certificates 
        Windows: open Tools -> Options -> Advanced -> Certificates -> Manage Certificates 
        MAC: open Firefox -> Preferences -> Advanced -> Encryption->View Certificates
      • click import and enter the filename (mycert.p12 or mycert.pfx on a MAC)
    • For Chrome:
      • Go to preferences
      • Select "Show advanced settings" and under HTTPS/SSL click "manage certificate".
      • Import the certificate into your login keychain.
    • For MAC Safari open a Terminal
'open' mycert.pfx

Open recognizes either the .pfx or .p12 extension and will open the keychain so you can import the certificate.

Import the certificate into your login keychain.


Even though you can import your certificate to a series of different browsers, the only currently supported browsers to access BPKI-restricted sections of MyAFRINIC are Chrome and Firefox.


Bravo! You now have a BPKI certificate installed in your browser and you can now securely authenticate yourself to MyAFRINIC.


(Page 1 of 5)

Profile Information

Application afterLoad: 0.003 seconds, 0.71 MB
Application afterInitialise: 0.071 seconds, 2.70 MB
Application afterRoute: 0.110 seconds, 5.95 MB
Application afterDispatch: 0.186 seconds, 7.71 MB
Application afterRender: 0.414 seconds, 10.58 MB

Memory Usage


10 queries logged

  1. SELECT m.*, c.`option` AS component
      FROM www3menu AS m
      LEFT JOIN www3components AS c
      ON m.componentid =
      WHERE m.published = 1
      ORDER BY m.sublevel, m.parent, m.ordering
  2. SELECT jf_content.reference_field, jf_content.VALUE, jf_content.reference_id, jf_content.original_value

      FROM www3jf_content AS jf_content

      WHERE jf_content.language_id=1
      AND jf_content.published=1
      AND jf_content.reference_id IN(1,11,20,304,324,262,231,275,340,393,791,661,12,51,348,805,831,13,52,154,795,14,24,53,793,15,797,16,62,803,17,799,68,97,27,387,619,191,221,172,170,76,171,337,418,521,845,175,174,177,237,176,499,511,455,481,523,547,671,184,185,188,423,837,527,179,181,204,235,156,158,159,384,475,675,629,160,161,162,157,192,621,268,270,266,321,264,265,338,416,483,519,843,276,283,278,282,477,677,279,631,280,281,429,277,382,305,306,307,308,424,835,317,330,318,319,320,325,326,327,328,529,341,342,343,345,350,349,408,351,354,745,489,509,356,479,525,549,673,388,400,403,404,405,406,419,513,399,394,396,397,395,617,615,663,665,801,414,163,731,733,735,737,715,739,741,789,743,269,271,272,292,289,290,291,293,294,339,295,420,386,807,811,285,286,288,819,383,287,515,567,809,817,415,284,633,763,315,312,561,563,565,767,314,380,517,332,333,334,335,336,370,346,347,311,378,787,352,364,362,365,833,719,366,367,368,411,412,453,825,379,357,358,359,360,361,371,431,459,463,467,469,471,473,531,533,537,539,541,543,545,599,609,601,605,485,487,491,493,495,497,551,553,557,559,841,573,575,577,579,581,583,585,591,589,777,779,813,749,751,753,755,747,757,759,761,783,373,374,375,376,721,417,829,669,353,413,461,535,781,727,667,611,597,603,815,769,635,637,639,641,645,643,647,649,651,653,655,657,659,785,821,823,827,697,701,703,705,707,709,711)
      AND jf_content.reference_table='menu'
  3. SELECT *
      FROM www3rokcandy
      WHERE published=1
  4. SELECT template
      FROM www3templates_menu
      WHERE client_id = 0
      AND (menuid = 0 OR menuid = 416)
      ORDER BY menuid DESC
      LIMIT 0, 1
  5. SELECT a.*, AS author, u.usertype, cc.title AS category, s.title AS SECTION, CASE WHEN CHAR_LENGTH(a.alias) THEN CONCAT_WS(":",, a.alias) ELSE END AS slug, CASE WHEN CHAR_LENGTH(cc.alias) THEN CONCAT_WS(":",, cc.alias) ELSE END AS catslug, AS groups, s.published AS sec_pub, cc.published AS cat_pub, s.access AS sec_access, cc.access AS cat_access  
      FROM www3content AS a
      LEFT JOIN www3categories AS cc
      ON = a.catid
      LEFT JOIN www3sections AS s
      ON = cc.SECTION
      AND s.scope = "content"
      LEFT JOIN www3users AS u
      ON = a.created_by
      LEFT JOIN www3groups AS g
      ON a.access =
      WHERE = 1399
      AND (  ( a.created_by = 0 )    OR  ( a.state = 1
      AND ( a.publish_up = '0000-00-00 00:00:00' OR a.publish_up <= '2023-11-29 17:39:50' )
      AND ( a.publish_down = '0000-00-00 00:00:00' OR a.publish_down >= '2023-11-29 17:39:50' )   )    OR  ( a.state = -1 )  )
  6. SELECT jf_content.reference_field, jf_content.VALUE, jf_content.reference_id, jf_content.original_value

      FROM www3jf_content AS jf_content

      WHERE jf_content.language_id=1
      AND jf_content.published=1
      AND jf_content.reference_id IN(1399)
      AND jf_content.reference_table='content'
  7. UPDATE www3content
      SET hits = ( hits + 1 )
      WHERE id='1399'
  8. SELECT *
      FROM www3jcomments_settings

      WHERE lang = 'en-GB'
  9. SELECT id, title, module, POSITION, content, showtitle, control, params
      FROM www3modules AS m
      LEFT JOIN www3modules_menu AS mm
      ON mm.moduleid =
      WHERE m.published = 1
      AND m.access <= 0
      AND m.client_id = 0
      AND ( mm.menuid = 416 OR mm.menuid = 0 )
      ORDER BY POSITION, ordering
  10. SELECT jf_content.reference_field, jf_content.VALUE, jf_content.reference_id, jf_content.original_value

      FROM www3jf_content AS jf_content

      WHERE jf_content.language_id=1
      AND jf_content.published=1
      AND jf_content.reference_id IN(79,330,35,326,331,293,347,345,329,292,335)
      AND jf_content.reference_table='modules'

Language Files Loaded

Untranslated Strings Diagnostic


Untranslated Strings Designer