You are here: Home > Participate > Join a Discussion > Mailman Archives

[certtest] upgraded

  • From: Tim Bruijnzeels tim@localhost
  • Date: Wed, 2 Dec 2009 18:09:22 +0100

Dear colleagues,

The certification portal at has been upgraded today. This release includes two major security improvements:

1- The RIPE NCC (test) trust anchor is now handled by a completely separate (offline) system

We have updated the validation tool to support the new type of trust anchor. The readme file in the download link on the welcome page has more details on how to use the validator for these trust anchors.

2- All persistent keys are now handled by Hardware Security Modules (HSMs)

Because of this fundamental change in key pair management it was not possible to migrate your current test CAs. So please log in again to re-activate your CAs.

The reason for this is that previously software generated keys were used and stored in a database. This was never intended as the final solution but enabled us to already develop the user interface and functional components of the system -- such as periodic publication, and member managed CAs with ROAs. The new system uses HSMs that protect the private keys (one can use them though the HSM device, but never get the private key out). As such the current system introduces major security improvements. Functionality wise you will not see much of a difference as a test user of the system though.

Apart from the security improvements we have also deployed the certtest application to new hardware. This allows us to test the infrastructure we plan to use for the real production release that is planned in 2010. 

We invite you once again to log in and give your feedback. Feel free to discuss any issues on this list as well. We plan to launch a new effort to get more people to look at the test deployment starting in January 2010. This way we hope to get more people involved and more discussion going in time for the next major development stint which is planned from Q2 2010 onwards.

The RIPE NCC certification team.

Known issues:
- An ugly error message shows when you try to access certification but do not have a LIR portal X.509 PKI client certificate. Go to the LIR portal and generate your PKI certificate to solve this.
- Single sign-on is not yet fully integrated with the LIR portal.
- Data entered during the beta test will not be migrated to the full production release.