All registration, renewal and registrar transfer requests made to the testbed must contain a valid token. These tokens must have been signed by a certificate held by the Certificate Authority for the testbed. This is separate to the Certificate Authority for the live server and is available to all users of the testbed.
To obtain a certificate to generate tokens for the testbed, follow these steps:
- Obtain access to the testbed.
- Generate a Certificate Signing Request (CSR) and private key. Details of how to do this are below.
- Send the CSR to the Member & Registrar Services Department at Nominet.
We will sign the CSR and return the certificate to you.
The certificate can then be used to sign tokens to embed in requests to the testbed. Token validity can be checked by using Nominet's certificate, which is available on request.
To generate a CSR and private key
Run the following command:
openssl req -new -nodes -keyout yourVA.key -out yourVA.req
The CSR is the resultant yourVA.req file and the private key is the yourVA.key file.
Signing a token
An XML tool such as Oxygen or templatesign from the Apache XML Security project can be used to sign tokens.
The token must be signed using exclusive canonicalization, and SHA-1 must be used for the digest. An example token and methods to generate tokens are available.
Verification
An invalid Create command will be refused. If this happens (EPP returns a syntax error), it is recommended that you take the following actions to help diagnose the problem:
- Check the token, and/or the entire Create command including the token, for validity against the XML schemas.
- Check that the token is a valid XML signature (if generated on its own).
- Check that the entire Create command contains a valid signature.
To check against the XML schemas, see the README file in the Schema tarfile. To verify the signature, you can use checksig from the Apache XML Security project.
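Before running checksig, it can help to confirm that the token declares the parameters required above (exclusive canonicalization and a SHA-1 digest). The Python script below is an added example, not Nominet's tooling: the sample token's wrapper element, its namespace and the placeholder values are constructed for illustration, and the script inspects the declared algorithms only; it does not verify the signature value.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
_EXC = "http://www.w3.org/2001/10/xml-exc-c14n#"
EXC_C14N = (_EXC, _EXC + "WithComments")  # exclusive c14n, without or with comments
SHA1_DIGEST = DS + "sha1"
NS = {"ds": DS}

# Constructed sample: the wrapper element and namespace are hypothetical.
SAMPLE = """<token xmlns="urn:example:constructed-token">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</token>"""

def check_signature_params(xml_text):
    """Return a list of problems with the declared signature parameters."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    # iter() includes the root, so a token that is a bare ds:Signature is found too.
    sigs = list(root.iter("{%s}Signature" % DS))
    if not sigs:
        return ["no ds:Signature element found"]
    problems = []
    for n, sig in enumerate(sigs, 1):
        c14n = sig.find("ds:SignedInfo/ds:CanonicalizationMethod", NS)
        if c14n is None or c14n.get("Algorithm") not in EXC_C14N:
            problems.append("signature %d: canonicalization is not exclusive" % n)
        refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
        if not refs:
            problems.append("signature %d: no ds:Reference element" % n)
        for ref in refs:
            dm = ref.find("ds:DigestMethod", NS)
            if dm is None or dm.get("Algorithm") != SHA1_DIGEST:
                problems.append("signature %d: digest for reference %r is not SHA-1"
                                % (n, ref.get("URI")))
    return problems

if __name__ == "__main__":
    print(check_signature_params(SAMPLE) or "signature parameters look correct")
```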