Certificate Authority
The ARFNET Certificate Authority (CA) operates the Public Key Infrastructure (PKI) that enables internal TLS tunneling with authentication, and issues user and client certificates used to authenticate, authorise, sign and encrypt data inside and outside of ARFNET.
Certificate Signing Request (CSR) submissions
As per policy, ARFNET clients may order certificates issued by the ARFNET CA for the purposes of secure authentication in ARFNET services, signing, or other private purposes.
The requester must order the 'cert' service, and then either paste the PEM-encoded CSR as a ticket at the ARFNET CSTIMS Dashboard, or send an email to pkimaster@arf20.com with a DER CSR attached or the PEM in the message. The message may be PGP or S/MIME signed, but the requester's public key or certificate must be made available for verification. Failure to pass will result in the request being ignored and possibly a CSTIMS user ban.
The X.509 CSR must include a Subject with the following: Country, Organization=ARFNET, OU=Client, Common Name, (UID, DC). The public key must be an ECC (ECDSA) key on a curve over a field of at least 256 bits (prime256v1/P-256). The Basic Constraints CA flag must be 0, and Key Usage / X.509v3 Extended Key Usage must be one or more of the following: Digital Signature, Key Encipherment / TLS Web Client Authentication, E-mail Protection, Microsoft Smartcard Login. The X.509v3 Subject Alternative Name MUST BE the email address with which you signed up in ARFNET CSTIMS or your actual ARFNET email address.
If the CSR fails to meet the X.509 and cryptographic requirements, you will be notified so that you can correct it, for which you will need to generate a new ECC private key.
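One way to produce a CSR that matches the requirements above with the OpenSSL command line, as an added example that is not ARFNET's own tooling. The function names, file names and sample subject values are assumptions; the parenthesised UID and DC attributes are left out, and Digital Signature with TLS Web Client Authentication and E-mail Protection is one permitted choice of usages.

```shell
#!/bin/sh
# Added example (not ARFNET tooling). Function and file names are hypothetical.

# make_csr OUTDIR COUNTRY COMMON_NAME EMAIL
# Writes OUTDIR/client.key (P-256 private key) and OUTDIR/client.csr (PEM CSR).
make_csr() (
    out=$1; country=$2; cn=$3; email=$4
    umask 077                       # key and config readable by owner only
    mkdir -p "$out" || exit 1
    cat > "$out/csr.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = ext

[ dn ]
C  = $country
O  = ARFNET
OU = Client
CN = $cn

[ ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth, emailProtection
subjectAltName   = email:$email
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$out/client.key" &&
    openssl req -new -sha256 -config "$out/csr.cnf" \
        -key "$out/client.key" -out "$out/client.csr"
)

# check_csr FILE: verify the CSR self-signature and look for the required fields.
check_csr() {
    text=$(openssl req -in "$1" -noout -text -verify 2>/dev/null) || return 1
    for want in 'O *= *ARFNET' 'OU *= *Client' 'prime256v1' 'CA:FALSE' \
                'Digital Signature' 'TLS Web Client Authentication' 'email:'; do
        printf '%s\n' "$text" | grep -Eq "$want" ||
            { echo "CSR is missing: $want" >&2; return 1; }
    done
}

# Stand-alone use: sh make_csr.sh ./out ES "Jane Doe" jane.doe@example.com
if [ "$#" -eq 4 ]; then
    make_csr "$@" && check_csr "$1/client.csr" && echo "CSR ready: $1/client.csr"
fi
```

Only `client.csr` is submitted; `client.key` stays on the requester's machine.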
Test your ARFNET User Certificate validity here
Architecture
- ARFNET Root CA
- ARFNET Issuing CA
- TLS Server Certificates
- TLS Client Certificates
- User Certificates
- ARFNET Issuing CA
