Nominet

Obtaining a certificate to use when signing tokens

In order to sign tokens for registrars, a certificate is needed. A request for this must be made via UKEC; the process is as follows and is shown in the diagram below:

  • The VA generates a Certificate Signing Request (CSR) and private key.
  • The VA sends the CSR to UKEC.
  • UKEC forwards the CSR to us.
  • We generate the certificate using our Certificate Authority (CA) and send the signed certificate to UKEC.
  • UKEC delivers the signed certificate to the VA.

The signed certificate can then be used to generate tokens for registrars to embed in EPP requests. The tokens are validated against our CA when EPP requests are received.


Fig.1  Diagram showing process of obtaining a certificate to use when signing tokens.


Technical details for each phase of the VA process


Generating a Certificate Signing Request (CSR)

If yourVA is the Validation Agency identifier assigned by UKEC, a CSR yourVA.req and private key yourVA.key can be generated using the OpenSSL toolkit:

openssl req -new -nodes -keyout yourVA.key -out yourVA.req

The commonName field must be supplied to openssl.

A certificate file yourVA_cert.pem will be generated once the CSR has been forwarded to us by UKEC.

Generating a token

Tokens must be generated using exclusive canonicalization, and SHA-1 must be used for the digest.

Two example methods of generating a token are given here:

Use of templatesign

  • Start with an example of an entire EPP Create.
  • Put the token details in the <validation> and <tokendata> sub-elements.
  • Use templatesign from the Apache XML-Security project:
  • templatesign -r yourVA.key password -c -x yourVA.pem request.xml > request_signed.xml
  • Option "-r keyfile password" signs with the specified key (any text can be used for the password if the keypair was generated without one, i.e. with the -nodes option).
    Option "-c" removes the existing certificate.
    Option "-x certfile" inserts your certificate.
  • Check the output file with checksig.
  • Note: signatures generated by templatesign will not remain valid if the XML is changed, so it is necessary to have the entire EPP Create when signing.

Use of Oxygen

  • Create an unsigned token with no signature elements. The <token> element should contain an id attribute set to "token".
  • Oxygen requires a PKCS#12 version of the certificate and private key. To create this, use
  • openssl pkcs12 -export -in yourVA_cert.pem -inkey yourVA.key -name "yourVA" -out yourVA_cert.p12
  • openssl will ask for a password for the PKCS#12 keystore; set one of your choosing.
  • In Oxygen, use Preferences->Certificates to import yourVA_cert.p12. Oxygen requires a "Keystore Password": this is the password you entered when exporting the PKCS#12 version of the certificate.
  • Use Tools->Sign to sign the token.
    • Put the filename of the token you want to sign in the Input URL box.
    • Choose Transformation Options "Exclusive".
    • Choose "Envelope" and put in ID "TOKEN".
    • Leave XPath blank.
    • Put the desired filename of the signed token in the Output File box.
  • Check that the token was correctly signed, using Oxygen's "Tools->Verify Signature" option.
  • A token signed by Oxygen in this way will remain valid when enveloped in another XML file, i.e. an EPP Create.
  • Check that the final EPP Create command is valid XML, and that the signature can be verified, before sending to Nominet's EPP server.
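As an added pre-flight check before sending (example code, not part of this page or of Nominet's or Oxygen's tooling), the following Python script inspects the ds:Signature of a token and reports where it departs from the requirements above: exclusive canonicalization, a SHA-1 digest, and an enveloped signature whose Reference points at the element with id "token". It assumes the token layout of the constructed sample; the digest and signature values are placeholders and are not recomputed.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
SHA1_DIGEST = "http://www.w3.org/2000/09/xmldsig#sha1"

def check_token_signature(xml_text, token_id="token"):
    """Return a list of problems; an empty list means the signature metadata matches."""
    root = ET.fromstring(xml_text)
    sig = root.find(f".//{DS}Signature")
    if sig is None:
        return ["no ds:Signature element found"]
    info = sig.find(f"{DS}SignedInfo")
    if info is None:
        return ["ds:Signature has no SignedInfo"]
    problems = []
    c14n = info.find(f"{DS}CanonicalizationMethod")
    if c14n is None or c14n.get("Algorithm") != EXC_C14N:
        problems.append("CanonicalizationMethod is not exclusive C14N")
    refs = info.findall(f"{DS}Reference")
    if len(refs) != 1:
        problems.append(f"expected one Reference, found {len(refs)}")
    for ref in refs:
        if ref.get("URI") != f"#{token_id}":
            problems.append(f"Reference URI {ref.get('URI')!r} does not point at #{token_id}")
        digest = ref.find(f"{DS}DigestMethod")
        if digest is None or digest.get("Algorithm") != SHA1_DIGEST:
            problems.append("DigestMethod is not SHA-1")
        transforms = [t.get("Algorithm") for t in ref.findall(f"{DS}Transforms/{DS}Transform")]
        if ENVELOPED not in transforms:
            problems.append("enveloped-signature transform missing")
    # The Reference must resolve: some element (or the root) carries id="token".
    if root.find(f".//*[@id='{token_id}']") is None and root.get("id") != token_id:
        problems.append(f"no element with id={token_id!r}")
    return problems

# Constructed sample token (placeholder digest/signature values), not a real Nominet token.
SAMPLE = """<token id="token"><validation/><tokendata/>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#token"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature></token>"""
```

Run it on the EPP Create that embeds the signed token; the check applies unchanged since the token is located with a descendant search.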

Use of Apache XML-Security

© Nominet UK 1996-2010