APNIC Certification Authority FAQ
Contents
General information
- Why do I need an APNIC digital certificate?
- How can I obtain an APNIC digital certificate?
- After submitting the online certificate request form, can I send my photo identification and hardcopy form by scanned image instead of fax?
- What is APNIC root certificate? How is it different from my certificate and why do I need to install it?
- What can I use the certificate for?
- Can I sign emails with my certificate?
Technical information
- What is private/public key? How do they work and how are they related to the certificate?
- How do I check if my APNIC-issued certificate is installed and see its details?
- Which browsers have been tested and found to work with APNIC digital certificates?
- Netscape/Mozilla/Firefox/Opera asks for the software security device password. What does this refer to?
- I'm using Mac OS/X. Is there anything I should know about installing a certificate in OS/X?
- How do I backup my certificate or copy it to a different computer/browser?
Problems and troubleshooting
- I cannot verify my certificate after the installation. What should I do?
- My computer crashed and I cannot recover my certificate. What should I do?
- I have submitted a certificate request from https://www.apnic.net/ca, but APNIC has not processed my certificate. Why?
- I have installed my certificate, but cannot access MyAPNIC. What should I do?
- I'm using Internet Explorer, but I cannot complete the certificate request (an error occurred). What should I do?
- I'm using Netscape/Mozilla/Firefox. When downloading the certificate it doesn't look like it's doing anything. What should I do?
- I got an error message when I requested a certificate using Windows Vista and Internet Explorer.
- I have a problem that is not listed in this FAQ page. Who should I contact?
General information
Why do I need an APNIC digital certificate?
You will need an APNIC certificate to access secured services of APNIC. MyAPNIC requires you to have the digital certificate installed in your browser. There will be other services in the future that will make use of your digital certificate.
How can I obtain an APNIC digital certificate?
This is a two stage process:
- First, fill in the online form at https://www.apnic.net/ca.
- Second, after submitting the form, you will be asked to fax your photo identification and a hardcopy form. Important ? APNIC will not process your request until we receive these documents from you.
After submitting the online certificate request form, can I send my photo identification and hardcopy form by scanned image instead of fax?
Yes. Please send an email to ramanager@apnic.net with the scanned documents attached.
What is APNIC root certificate? How is it different from my certificate and why do I need to install it?
APNIC root certificate is the certificate used by APNIC to sign your digital certificate. The APNIC root certificate must be installed in the list of trusted Certification Authorities (CA) in your computer or browser. Root certificates from well known Certification Authorities such as Verisign, Thawte, Entrust are probably installed in your browser by default. This process will add the APNIC root certificate to the trusted CA list.
What can I use the certificate for?
You can use the certificate to access secured APNIC services such as MyAPNIC. You can also use it to digitally sign or encrypt e-mail and documents within APNIC community.
Can I sign emails with my certificate?
Yes. However, your email recipients must also recognize APNIC as a trusted Certification Authority by installing APNIC root certificate in their computers or mail software.
Technical information
What is private/public key? How do they work and how are they related to the certificate?
In public key cryptography, data that has been digitally signed or encrypted by a private key can only be validated or decrypted by its corresponding public key, and vice versa. Your private key should be kept secure and never revealed to other parties. Your public key, on the other hand, should be as widely distributed as possible so other parties can validate and decrypt data signed by you and send the data back to you securely. Your certificate contains your identity (name, e-mail, country, APNIC account name) and your public key. Its authenticity is certified by APNIC. More information can be obtained by searching the Internet using the keywords 'public key cryptography'.
How do I check if my APNIC-issued certificate is installed and see its details?
One way is to point your browser to https://www.apnic.net/ca/part-4.html and click 'Next'. If the next page correctly shows your identity and certificate detail then your certificate has been correctly installed. Note that this only works with certificates issued by APNIC.
Other ways to view details of your certificate depend on the software you use. Some examples are:
- Internet Explorer: Tools -> Internet Options -> Content -> Certificates
- Mozilla/Netscape: Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates
- Firefox: Tools -> Options -> Advanced -> Manage Certificates
- Opera: Tools -> Preferences -> Security -> Manage Certificates
- Safari: Use the Keychain Access utility
Which browsers have been tested and found to work with APNIC digital certificates?
- Microsoft Internet Explorer
- Netscape
- Mozilla
- Opera (Identify as Mozilla 5.0)
- Firefox
- Safari
- MyIE2
Netscape/Mozilla/Firefox/Opera asks for the software security device password. What does this refer to?
These browsers maintain a secured file where they put all the private/public keys and certificates. This file is encrypted and protected by a password, which is usually called the software security device password.
I'm using Mac OS/X. Is there anything I should know about installing a certificate in OS/X?
When using Safari, OS/X stores and manages the private/public keys and certificates with a utility called 'Keychain Access'. When downloading a certificate from the APNIC website, Safari won't automatically install it. It will just copy the certificate to the desktop. Double clicking the certificate will invoke Keychain Access, which will guide you to install it into the system.
When using any of the other browsers mentioned above, the certificate will be installed automatically by the browser.
How do I backup my certificate or copy it to a different computer/browser?
- Internet Explorer:
- Tools -> Internet Options -> Content -> Certificates
- Highlight your certificate and click 'Export'. Follow the wizard and make sure you export the private key. This will produce a file with extension .pfx.
- Copy this file to the other computer and start the browser.
- Tools -> Internet Options -> Content -> Certificates
- Click Import, point it to the recently copied .pfx file and follow the wizard.
- Netscape/Mozilla:
- Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates
- Highlight your certificate and click 'Backup'. Follow the instruction on screen. This will produce a file with extension .p12.
- Copy this file to the other computer and start the browser.
- Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates
- Click Import and point it to the recently copied .p12 file. Follow the instructions on screen.
- Firefox:
- Tools -> Options -> Advanced -> Manage Certificates
- Highlight your certificate and click 'Backup'. Follow the instructions on screen. This will produce a file with extension .p12.
- Copy this file to the other computer and start the browser.
- Tools -> Options -> Advanced -> Manage Certificates
- Click Import and point it to the recently copied .p12 file. Follow the instructions on screen.
- Opera:
- Tools -> Preferences -> Security -> Manage Certificates
- Highlight your certificate and click 'Export'. Type the backup filename, making sure you type .p12 as the extension. Follow the instructions on screen. This will produce a file with extension .p12.
- Copy this file to the other computer and start the browser.
- Tools -> Preferences -> Security -> Manage Certificates
- Click Import and point it to the recently copied .p12 file. Follow the instructions on screen.
- Safari:
- Open the Keychain Access utility and click the ?Show Keychains? button.
- If you have more than one keychain, view each one to identify which contains the certificate issued to you by APNIC.
- Using Finder, go to Users -> your-username -> Library -> Keychains. Copy the relevant keychain file to the destination of your choice.
- If you want to install this keychain in another Mac OS X computer, double-click the file. It should now be stored in the Keychain Access utility on this computer. If necessary, use Keychain access to remove other certificates or passwords that may also be contained in that keychain.
Problems and troubleshooting
I cannot verify my certificate after the installation. What should I do?
- When downloading your certificate, make sure that you are using the same computer and browser that you used to submit the certificate request. This is important as the private key is stored there. The certificate will not be correctly installed if the private key is missing.
- There are rare cases where your browser might have lost its private key (due to a virus or corrupted file system). The only solution to this problem is to submit a new certificate request. The new request will automatically generate a new private/public key pair for you. If this happens to you, please email ramanager@apnic.net explaining the situation so that your new request gets priority processing.
My computer crashed and I cannot recover my certificate. What should I do?
- Please submit a new certificate request from https://www.apnic.net/ca, and email ramanager@apnic.net explaining your situation so that your new request gets priority processing.
- When you receive your new certificate, to avoid the same problem, please make a backup copy of your certificate and private key (see the FAQ on backing up and copying certificates to another computer/browser).
I have submitted a certificate request from https://www.apnic.net/ca, but APNIC has not processed my certificate. Why?
- The most common explanation for this is that APNIC has not received your faxed form with your photo identification. However, if you have sent it, please email ramanager@apnic.net and we will track down your fax.
- Note that you can also scan the hardcopy form and photo identification and send them as attachments to ramanager@apnic.net.
I have installed my certificate, but cannot access MyAPNIC. What should I do?
- Make sure that your certificate is installed correctly (see FAQ on checking the installation).
- Try to backup or export your certificate and private key to a file, and import it back into your browser. If you can't backup your certificate, then there is a possibility that your private key has been lost or corrupted. Please obtain a new certificate from https://www.apnic.net/ca.
- If you can backup and reinstall your certificate, but still cannot access MyAPNIC, then send an email to ramanager@apnic.net explaining your situation. We will check the problem from our side.
I'm using Internet Explorer, but I cannot complete the certificate request (an error occurred). What should I do?
You may need to install the security fixes mentioned in Microsoft Security Bulletins MS02-048 and MS02-050. Please visit the Microsoft website to download and install these fixes.
I'm using Netscape/Mozilla/Firefox. When downloading the certificate it doesn't look like it's doing anything. What should I do?
These browsers install the certificate automatically without giving user feedback. There is a good chance that your certificate has been installed correctly. Please see the FAQ on how to check if the installation is successful.
I got an error message when I requested a certificate using Windows Vista and Internet Explorer.
This is a known problem caused by the changes in how Windows Vista handles certificate requests. For a temporary solution, please install Mozilla/Firefox on your Windows Vista computer, and use it to request an APNIC certificate. You can then back up the certificate from Mozilla/Firefox and import it into Internet Explorer. APNIC is working to fix this problem permanently. In the meantime we appreciate your patience and understanding.
I have a problem that is not listed in this FAQ page. Who should I contact?
Send an email to ramanager@apnic.net explaining your situation. We will respond to your mail within 48 hours.
