CBJ PKI Trust Service and Certificate Policies

Overview of CBJ’s PKI trust architecture, certificate issuance, and how Virifi’s Proposal aligns with national policies and trust anchors.

Updated over 8 months ago

Introduction to CBJ PKI Trust Services

The Central Bank of Jordan (CBJ) has established a centralized Public Key Infrastructure (PKI) to govern digital trust across financial institutions. This PKI forms the legal and technical foundation for secure digital signatures, encryption, and certificate-based authentication within CBJ’s regulated ecosystem.

CBJ’s Trust Services include:

  • A Root Certification Authority (Root CA) managed by CBJ

  • One or more Policy and Issuer CAs

  • A central directory and OCSP/CRL publishing

  • A central timestamping authority (TSA) for trusted time evidence

These components ensure non-repudiation, authenticity, and integrity for all digitally signed financial transactions.

Certificate Policies (CP) & Certification Practice Statements (CPS)

CBJ’s PKI follows structured Certificate Policies and Certification Practice Statements, which define:

  • Types of certificates issued (authentication, signing, timestamping)

  • Validation and verification procedures

  • Trust levels and cryptographic requirements

  • Identity proofing and KYC procedures

These policies are critical for ensuring all participants operate under a common security baseline.

Trust Anchors and Configuration

Virifi’s Solution Proposal aligns with CBJ’s trust anchors and CA hierarchy by:

  • Supporting certificate chain validation to CBJ Root CA

  • Verifying OCSP and CRL responses from CBJ Directory Services

  • Integrating with the published CBJ TSA endpoint for time-based signature validation

The platform validates the full certificate path and honors CBJ-specific object identifiers (OIDs) tied to CP/CPS profiles.
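
The following Go sketch shows what path validation against a single pinned trust anchor plus a policy-OID check can look like; it is an added example, not Virifi's or CBJ's code. The root, the leaf, the helper names and the policy OID are constructed placeholders. The policy check is done on the leaf only rather than as full RFC 5280 policy processing, and revocation checking (OCSP/CRL) is not covered.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var signingPolicy = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1} // constructed placeholder, not a CBJ OID
// issue builds a constructed test certificate (errors ignored in this fixture); nil parent = self-signed root CA.
func issue(cn string, policy asn1.ObjectIdentifier, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	v, _ := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{policy}}) // SEQUENCE OF { policyIdentifier }
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, // certificatePolicies extension is OID 2.5.29.32
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: v}}}
	if parent == nil {
		t.IsCA, t.KeyUsage, parent, signer = true, x509.KeyUsageCertSign, t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// validate builds the path to the pinned anchor only, then requires signing usage and the expected policy OID.
func validate(leaf, anchor *x509.Certificate, want asn1.ObjectIdentifier) error {
	pool := x509.NewCertPool()
	pool.AddCert(anchor) // never fall back to the system trust store
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("path validation: %w", err)
	}
	for _, p := range leaf.PolicyIdentifiers {
		if p.Equal(want) && leaf.KeyUsage&x509.KeyUsageDigitalSignature != 0 {
			return nil
		}
	}
	return fmt.Errorf("policy %v with digitalSignature usage not asserted", want)
}

func main() {
	root, key := issue("Constructed Root CA", signingPolicy, nil, nil)
	leaf, _ := issue("constructed-signer", signingPolicy, root, key)
	fmt.Println("pinned anchor + policy:", validate(leaf, root, signingPolicy))
}
```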

Certificate Profiles Supported

CBJ defines several certificate profiles based on ETSI/NIST alignment. Virifi’s Solution Proposal accommodates:

  • Signing certificates (Qualified and Advanced levels)

  • Authentication certificates for API clients and users

  • Certificates for Enrollment Agents

  • Certificate templates as per /api/CAs/{Id}/certificatetemplates (CBJ API)

Issuance & Validation Flow

The CBJ PKI certificate lifecycle includes:

  1. CSR generation using provided tooling

  2. Delivery to CBJ for issuance

  3. Installation and merging of private keys

  4. Validation via CBJ’s OCSP or CRL

  5. Verification of validity, revocation, and usage constraints

Virifi’s Solution Proposal automates and supports this flow via:

  • Integration with CBJ APIs (/api/CertificateRequests, /api/Certificates)

  • SDK-level support for dynamic certificate validation

  • Compatibility with FIPS 140-2 certified HSMs

References & Policies
