Certificate Cryptographic Authentication at ARIN - Frequently Asked Questions

General Information

What is a certificate?
A certificate is a digital document that binds the public half of a 'key pair' (the other half, the private key, is kept secret by its holder) to a person. The certificate can then be used to digitally sign electronic transmissions (such as e-mails), so that the recipient of the transmission can digitally verify that the message came from the person holding the certificate.
What type of certificates is ARIN using?
ARIN is issuing X.509 certificates, so ARIN is acting as a Certificate Authority (CA). The CA certifies that individuals, in our case Points of Contact (POCs), hold keys that can be used to sign e-mail messages containing text and/or registration templates being sent to ARIN. For more information on X.509, see IETF RFCs 3280, 3647, and 3739, and ITU-T Recommendation X.509.
Why would I want a certificate from ARIN?
Certificates issued by ARIN offer more reliable authentication than checking a sender's e-mail address to establish the sender's identity (called MAIL-FROM authentication). When using X.509 authentication, you can have increased confidence that others cannot manipulate your ARIN-held records. It also increases ARIN's confidence that messages from you are genuine and haven't been altered in transit.
How can I use a certificate in interactions with ARIN?
Currently, the only acceptable use of ARIN certificates is for signing e-mail containing templates or other correspondence that a POC sends to ARIN.
Will my certificate be useful for other ARIN purposes in the future? Will ARIN accept other forms of strong authentication?
ARIN may extend the use of X.509 certificates in the future, in accordance with community feedback and after evaluation. ARIN also offers Pretty Good Privacy (PGP) as an authentication method.
Is my certificate useful for authenticating myself to third parties? Can I sign e-mail to other people with my certificate?
No. An ARIN-issued certificate is only authorized for use in signing e-mail that you send to ARIN. It's expressly prohibited for you to use the certificate to sign e-mail that you send to anyone else; the third-party recipient has no way of validating whether your certificate is valid. This prohibition is a condition of accepting and using an ARIN certificate, and is detailed in ARIN's Certification Practice Statement [CPS], which is available at http://www.arin.net/CA/cps.html.
What exactly is certified by an ARIN certificate?
It certifies that the POC holding the certificate is known and verified by ARIN. It also certifies that e-mails signed with the certificate and sent to ARIN are unaltered in transit and are genuine. At this time it's not used to certify any other facts about the POC, and bestows no other special privilege or authorization upon the POC.

Requesting a Certificate

Who is eligible to request a certificate?
ARIN will only accept requests for certificates from POCs that are associated with a qualifying organization as an Admin or Tech POC. Qualifying organizations include any organization that has an existing signed Registration Services Agreement (RSA) with ARIN. Special rules, described later in this document, apply to role account POCs.
How do I request a certificate?
ARIN has created a browser-based procedure to make the request process as simple as possible. You can visit http://ca.arin.net/request for an overview of the process and begin your application. Alternatively, you may fill out a CERT-REQUEST template, found at http://www.arin.net/registration/templates, and manually generate a Certificate Signing Request (CSR) using software such as OpenSSL. ARIN strongly recommends using the browser-based process so that you do not have to install and use separate software packages to generate your request.
I am getting pop-up boxes when I use the certificate request pages. What's going on?
When you request a certificate with your browser, the server instructs your browser to use its own cryptographic engine to generate a key pair for you; the public portion of that key pair is what is transmitted to ARIN and ends up as part of the certificate request. Depending on your browser, you may be asked to grant permission or to provide the password for the cryptographic engine before it generates the key pair, to allow the request process to continue, or to acknowledge the type of browser you are using. If you click 'Yes' or 'OK' to these prompts and provide the proper password (the password for the certificate repository on your own computer), the process will complete successfully. For support on using your operating system's repository, consult your OS or browser documentation.
Which browsers does ARIN recommend for requesting certificates?
ARIN has tested and recommends the use of recent versions of Internet Explorer and Mozilla/Netscape-based browsers. We have specifically tested Opera and have found that its certificate handling is deficient, and thus do not recommend its use. You may also use an SSL-enabled text browser such as w3m, although you will need to refer to w3m documentation for information on retrieving key pairs and certificates and using them with SSL.
What happens after I request my certificate using the browser-based request process?
After you visit the ARIN certificate request page, you will receive an e-mail complete with your information and with a cryptographically-encoded Certificate Signing Request (CSR). You must forward that e-mail, unchanged, to hostmaster@arin.net, using an e-mail account that is already authorized to send updates for your POC handle. ARIN will then process your request.
Can I request a certificate for someone else in my organization?
No. Certificates must be requested by the POC for whom the certificate will be issued.
My POC is a role account. Can I request a certificate for the role?
Yes, but only if the Admin POC is an individual, which is already strongly recommended by ARIN. Admin POCs that are role accounts, and any POCs associated with organizations whose Admin POCs are role accounts, are ineligible to apply for a certificate.
More than one person uses our POC role account. Can we still request certificates?
Yes. You may choose to request certificates in two ways. One way is to request only one certificate for the account, and once you receive the certificate, to share it among all operators of the role account. Another way is for each user of the role account to request a certificate for the account, each on his/her own computer. Note that both methods have advantages and disadvantages: the first method is easier, but carries some inherent risk since the certificate and the keys to sign messages are shared among multiple people; the second method is more secure, but requires the first certificate recipient to sign the requests of all other requestors before sending the requests to ARIN.

Certificate Request Processing and Privacy

What steps will ARIN take to verify a person's identity before issuing a certificate?
ARIN will lead applicants through a number of steps to verify their identity including, but not limited to, the submission of government-issued identification and corporate documentation.
What kind of information does ARIN collect?
ARIN collects three types of information. We collect data that identifies you personally, the qualifying organization, and your relationship to that organization.
What does ARIN do with the information it collects?
ARIN keeps your personal information secure to protect your privacy. ARIN never releases information to third parties except to law enforcement or court officials when legally compelled through court order.
How long does the identification process take?
It depends upon the amount and quality of documentation required to positively identify the requestor, the requestor's qualifying organization, and the relationship between the requestor and the organization. It is not unusual for this process to take several days; in the meantime, all other existing forms of authentication will continue to work as usual.

Retrieving a Certificate and Making it Available for Use

I received an e-mail from ARIN notifying me that my request is approved and that I can pick up my certificate. How do I do that?
Follow the instructions in your e-mail: click the enclosed link (or paste it into your browser), navigate to the page indicated, and fill in the requested information. If you are not using a browser and must receive your certificate via e-mail, forward a message to hostmaster@arin.net requesting e-mail delivery of your certificate. ARIN strongly recommends attempting to pick up your certificate using the browser method.
I want to pick up my certificate. Can I do this from any browser, or any computer?
It is not recommended. ARIN very strongly advises picking up your certificate using the same browser and same computer that you used to request the certificate. If this is not possible, you may contact hostmaster@arin.net to request e-mail delivery, as noted above. Using the same browser and computer that you requested the certificate with ensures that the certificate is downloaded into the same certificate repository that generated the original key pair in the request.
I have retrieved my certificate. Am I ready to sign e-mails?
No, not yet. Once you have retrieved your certificate, you are only halfway there: many Mail User Agents (MUAs) also need ARIN's CA Certificate, the "authority" from which your certificate gets its ability to sign e-mails. To get ARIN's CA Certificate, follow the instructions on the web pages that you'll see after you pick up your certificate, or contact hostmaster@arin.net for e-mail delivery of ARIN's CA Certificate, and import it into your repository.
I have downloaded and installed my certificate and ARIN's CA Certificate. How do I make them available to my Mail User Agent (e.g. mail software)?
If your MUA uses the same certificate repository as your browser, your MUA probably already knows about the certificate. For example, this is the case with an IE browser coupled with Microsoft Outlook Express as an MUA; they both use the same certificate repository. The same holds true for Mozilla-based browsers (like Netscape) and Netscape Mail.

On the other hand, if your browser's repository is not accessible from your MUA, you will need to follow the instructions in your browser to 'export' your certificate (along with its 'certificate chain,' which will include ARIN's CA Certificate), and then you'll need to import it into your MUA's certificate repository.
I think I have a certificate installed, but my MUA does not see the certificate. Help!
Because of the wide variety of MUAs and browser combinations, ARIN cannot provide specific help on getting your MUA to use a certificate properly. We suggest that you examine your MUA's documentation to be sure that it supports X.509 certificates, that you have enabled the proper settings in your MUA to take advantage of the certificate, and have properly tied the certificate to the mail account in your MUA for which the certificate is expected to work. You may also need to instruct your MUA to "trust" ARIN's CA, a setting that should be in your MUA's documentation.
Should I make backup copies of my certificate and my key?
Yes, but you should keep them very safe. If they are compromised, anyone who gets them can assume your identity, thereby gaining the ability to update your ARIN records.

Using Certificates

Does ARIN specify which MUAs work with its X.509 certificates?
No. Due to the large variety of possible client configurations and features, please consult the documentation and technical specifications of your MUA to determine if it fully supports the X.509 standard.
How do I get my MUA to sign an e-mail?
While all MUAs are different, there is usually either a menu option or a clickable button that will let you choose to digitally sign the e-mail and choose which certificate to use. If you're having problems, refer to your MUA's documentation, and be sure you've downloaded ARIN's CA Certificate and instructed your MUA to "trust" ARIN.
What if I use scripts to generate e-mail templates to ARIN?
Many ARIN customers use scripts to generate templates, especially those submitting large volumes of SWIP information. After requesting and receiving a certificate, you can use OpenSSL to sign e-mail, and you can invoke the OpenSSL program with a script that will sign the e-mail. We offer an example at http://www.arin.net/CA/index.html#help ; additional information is available at http://www.openssl.org/docs/apps/smime.html.
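As an added example (not ARIN's code, and not the example at the URL above), the manual CERT-REQUEST path from "How do I request a certificate?" and the scripted signing described here, carried through with OpenSSL. A throwaway CA constructed in the script stands in for ARIN's CA; in reality ARIN signs your CSR and you only import ARIN's CA Certificate. The organization, handle, e-mail addresses and template lines are made up.

```shell
# Added example, not ARIN's own code: the manual CERT-REQUEST path and
# script-side signing with OpenSSL. A throwaway CA constructed here stands in
# for ARIN's CA; in reality ARIN signs your CSR and you import its CA Certificate.
set -eu
WORK=$(mktemp -d)
# Extension profiles: the stand-in CA may sign certificates; the POC
# certificate may only produce S/MIME signatures, which is all ARIN permits.
printf '%s\n' '[ca]' 'basicConstraints=critical,CA:TRUE' \
  'keyUsage=critical,keyCertSign,cRLSign' '[poc]' \
  'keyUsage=critical,digitalSignature' \
  'extendedKeyUsage=emailProtection' > "$WORK/ext.cnf"

make_stand_in_ca() {  # CA key pair, CSR, self-signed CA certificate (constructed)
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Stand-in CA/CN=Stand-in Root" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 \
    -extfile "$WORK/ext.cnf" -extensions ca -out "$WORK/ca.pem" 2>/dev/null
}

make_csr() {  # POC side: key pair stays local; only the CSR (public key + identity) is sent
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=Example Org/CN=EXAMPLE-ARIN/emailAddress=poc@example.net" \
    -keyout "$WORK/poc.key" -out "$WORK/poc.csr" 2>/dev/null
}

issue_cert() {  # CA side: 730 days, the two-year validity the FAQ states
  openssl x509 -req -in "$WORK/poc.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 730 -extfile "$WORK/ext.cnf" -extensions poc \
    -out "$WORK/poc.pem" 2>/dev/null
}

sign_template() {  # what a SWIP script would do with its generated (constructed) template
  printf 'Net Name: EXAMPLE-NET\nTech POC Handle: EXAMPLE-ARIN\n' > "$WORK/template.txt"
  openssl smime -sign -text -in "$WORK/template.txt" -signer "$WORK/poc.pem" \
    -inkey "$WORK/poc.key" -from poc@example.net -to hostmaster@arin.net \
    -subject "SWIP template" -out "$WORK/signed.eml"
}

verify_message() {  # $1 message, $2 output; exit 0 only if chain and digest check out
  openssl smime -verify -in "$1" -CAfile "$WORK/ca.pem" -out "$2" 2>/dev/null
}

tamper_is_detected() {  # a one-character change to the signed body must fail verification
  sed 's/EXAMPLE-NET/EXAMPLE-NEX/' "$WORK/signed.eml" > "$WORK/tampered.eml"
  ! verify_message "$WORK/tampered.eml" /dev/null
}

run_all() {  # request, issue, sign, verify, and prove that alteration is caught
  make_stand_in_ca && make_csr && issue_cert && sign_template &&
  verify_message "$WORK/signed.eml" "$WORK/verified.txt" && tamper_is_detected
}
```

Running `run_all` leaves the CSR you would paste into the CERT-REQUEST template in `$WORK/poc.csr` and the clear-signed message in `$WORK/signed.eml`.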
Now that I have a certificate, do I have more privileges in ARIN's database than before?
No. A certificate's only purpose is to authenticate the sender more reliably; your ability to perform actions in ARIN's database (called authorization) does not change.
I'm away from my computer that has my certificate, but I need to send e-mail to ARIN. Can I still use MAIL-FROM authentication?
No. Once you're identified by ARIN as using a strong authentication method such as X.509 certificates or PGP, you may no longer submit unsigned e-mails to ARIN. This is for your protection so that a third party cannot spoof your e-mail address and then send templates to us. See 'certificate management' below for further information.
What if I use an MUA that does not support X.509 certificates?

You have several options.

  • Consider switching to a supported MUA
  • Consider using an MUA that lets you sign the outgoing message with OpenSSL as a separate step
  • Consider waiting for another strong authentication method that your mailer supports
  • Continue using MAIL-FROM authentication

Certificate Duration and Renewal

For how long is an ARIN-issued certificate valid?
Two years from date of issue.
How do I know when my certificate is about to expire?
Most browsers and OpenSSL provide a facility for examining the clear-text portions of your certificate, which displays the expiration date. However, ARIN will notify you by e-mail before your certificate expires so that you can apply for a renewal before the old one becomes invalid.
What's the renewal process? Do I have to be 'reverified'?
When ARIN notifies you that your certificate is going to expire, it is in your best interest to renew before its expiration date. Follow the instructions enclosed in the notification e-mail. The process will entail requesting a new certificate, then signing the request with a currently valid certificate, and forwarding it to ARIN.
I forgot to renew my ARIN certificate, and now it has expired. What now?
As a security measure, your POC does not automatically 'revert' to MAIL-FROM authentication. If your certificate has expired, ARIN cannot accept signed e-mails from you. However, ARIN will work with you to get you recertified; you will need to go through the certificate request process again to establish identity and receive a new certificate, but ARIN has processes in place to help you to get recertified quickly.

Certificate Management

My private key or certificate has become compromised due to loss, theft, or disclosure. What do I do?
Contact ARIN immediately by submitting an e-mail to hostmaster@arin.net notifying us of the compromise, or call the ARIN Help Desk at +1.703.227.0660. You will be asked for specific identifying information including a challenge phrase to verify your identity, and once verified, ARIN will take appropriate steps to safeguard your records and start you on the process to obtaining a new certificate.
What happens if my certificate is erased or does not work?
Contact ARIN. We may have you apply for a new certificate, or after establishing a positive identification, permit you to download your existing certificate. Your best protection against this problem is to back up your certificate and its associated keys securely upon receipt.
Can I have more than one certificate? Why would I want to have more than one?
Yes. Reasons might include adding a new certificate before the old one expires, or holding multiple certificates to cover private keys installed in several locations.