ARFNET Certificate Policy

Purpose

The ARFNET CA is a privately run Certificate Authority, primarily for the operation of private and internal services in the ARFNET network, and also for encryption and signing of data inside or outside of ARFNET.

Certificate Signing Request (CSR) submissions

As per policy, ARFNET clients may order certificates issued by the ARFNET CA for secure authentication in ARFNET services, signing, or other private purposes.

The requester must order the 'cert' service and then either paste the PEM-encoded CSR as a ticket at the ARFNET CSTIMS Dashboard, or send an email to pkimaster@arf20.com with the CSR attached in DER form or included as PEM in the message. The message may be PGP or S/MIME signed, but the requester's public key or certificate must be made available for verification. Failure to pass will result in the request being ignored and possibly a CSTIMS user ban.

The X.509 CSR must include a Subject with the following: Country, Organization=ARFNET, OU=Client, Common Name, (UID, DC). The public key must be an ECDSA key on an elliptic curve over a field of at least 256 bits (prime256v1/P-256). The Basic Constraints CA flag must be 0. Key Usage / X.509v3 Extended Key Usage must be one or more of the following: Digital Signature, Key Encipherment / TLS Web Client Authentication, E-mail Protection, Microsoft Smartcard Login. The X.509v3 Subject Alternative Name MUST BE the email address with which you signed up in ARFNET CSTIMS or your actual ARFNET email address.

If a CSR fails to meet the X.509 and cryptographic requirements, you will be notified so that it can be corrected, for which you will need to generate a new ECC private key.
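
As a requester-side illustration of the CSR profile above (an added example, not ARFNET's own tooling): these shell functions use the OpenSSL command line to generate a P-256 key and a CSR carrying the required fields, then check the result before submission. The function names, file names, country code XX, common name and e-mail address are constructed placeholders.

```shell
# Added example; subject values and the address are constructed placeholders.
make_csr() {  # make_csr <dir> <common-name> <email>
  cat > "$1/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = XX
O = ARFNET
OU = Client
CN = $2
[ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth, emailProtection
subjectAltName = email:$3
EOF
  # New P-256 key, created owner-readable only; it stays with the requester.
  ( umask 077 && openssl ecparam -name prime256v1 -genkey -noout -out "$1/client.key" ) &&
  openssl req -new -key "$1/client.key" -config "$1/req.cnf" -out "$1/client.csr"
}

has() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

check_csr() {  # check_csr <csr.pem> <email>; status 0 only if every check passes
  csr_text=$(openssl req -in "$1" -noout -verify -text 2>&1) || return 1
  csr_subj=$(openssl req -in "$1" -noout -subject -nameopt RFC2253) || return 1
  has "$csr_text" 'verify OK' || return 1            # CSR self-signature is valid
  has "$csr_subj" '[,=]O=ARFNET(,|$)' || return 1
  has "$csr_subj" '[,=]OU=Client(,|$)' || return 1
  # Curve list is this example's reading of "at least 256-bit" (assumption).
  has "$csr_text" 'ASN1 OID: (prime256v1|secp384r1|secp521r1)' || return 1
  has "$csr_text" 'CA:FALSE' || return 1
  has "$csr_text" 'Digital Signature|Key Encipherment|TLS Web Client Authentication|E-mail Protection' || return 1
  # SAN must carry the address registered in CSTIMS (passed as $2).
  printf '%s\n' "$csr_text" | grep -qwF -- "email:$2" || return 1
}
```

For the e-mail route with a DER attachment, `openssl req -in client.csr -outform DER -out client.der` converts the PEM file.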

CSR Issuances

Client CSRs will be signed with the Issuing CA Certificate, with a validity of 1 year from the date of submission.