
CBJ PKI and Certificate Management Integration

Step-by-step guide for integrating with the Central Bank of Jordan’s PKI system, covering certificate issuance, installation, and API usage.

Updated over 8 months ago

1. Introduction

This document outlines the technical and procedural steps required to integrate Virifi's Solution Proposal with the Central Bank of Jordan (CBJ) Public Key Infrastructure (PKI) system. It ensures that all digital signature operations comply with CBJ's regulatory, trust, and certificate management requirements.


2. CBJ PKI System Overview

CBJ’s PKI infrastructure provides a secure, interoperable trust framework supporting certificate-based authentication, digital signatures, and timestamping.

Key components include:

  • Root and Issuer Certification Authorities (CAs)

  • Certificate Enrollment and Status APIs

  • OCSP and CRL services for revocation checking

  • Central Timestamping Authority (TSA)

Integration with CBJ PKI enables:

  • Secure certificate issuance and management

  • Trusted digital signing and validation workflows

  • Full compliance with CBJ’s digital signature framework


3. Integration Prerequisites

To integrate with CBJ PKI, the following must be in place:

  • Install .NET 6.0 Desktop Runtime for certificate request tooling.

  • Obtain and install the CBJ CA certificate chain (P7B format).

  • Set up mutual TLS certificates issued by CBJ for authenticating API access.

  • Use CBJ’s Certificate Request Tool to generate and submit CSRs.

  • Configure systems to trust the CBJ Root CA and Intermediate CAs.


4. Certificate Lifecycle Management

4.1 CSR Generation and Submission

  • Generate CSR (Certificate Signing Request) with the Certificate Request Tool.

  • Submit CSR to CBJ Certificate Services API.

4.2 Certificate Issuance and Installation

  • Retrieve issued certificates.

  • Merge certificates with corresponding private keys.

  • Install and configure certificates in secure stores (HSM, device keystore, etc.).

4.3 Certificate Profiles

CBJ defines specific certificate templates:

  • Signing Certificates (Advanced, Qualified)

  • Authentication Certificates (for API clients)

  • Enrollment Agent Certificates

Certificate profiles are referenced via CBJ's API templates catalog.


5. CBJ Internal API Access and Usage

The CBJ Internal API suite facilitates:

Certificate Authority Queries:

GET /api/CAs

Certificate Template Management:

GET /api/CAs/{id}/certificatetemplates

Certificate Request Submission:

POST /api/CertificateRequests

Certificate Status Updates:

PATCH /api/Certificates/{id}/status

All API interactions require:

  • HTTPS/TLS secure communication

  • Mutual TLS authentication (using CBJ-issued certificates)

  • JSON request/response payloads
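The three requirements above, sketched as a Python standard-library client for the two GET endpoints. This is an added example, not CBJ's or Virifi's code. The host name and file names are placeholders, and the CBJ chain is assumed to have already been converted from P7B to PEM.

```python
import http.client
import json
import ssl
from urllib.parse import quote

# Placeholders (assumptions, not values from this guide)
API_HOST = "cbj-pki.example.invalid"
CA_BUNDLE = "cbj-chain.pem"      # CBJ Root + Intermediate CAs, PEM
CLIENT_CERT = "client-auth.pem"  # CBJ-issued authentication certificate
CLIENT_KEY = "client-auth.key"   # private key for that certificate


def base_context():
    """Client context with an empty trust store: nothing verifies until a CA file is loaded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and hostname checking on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def mtls_context(ca_bundle, client_cert, client_key):
    """Trust only the CBJ chain and present the CBJ-issued client certificate."""
    ctx = base_context()
    ctx.load_verify_locations(cafile=ca_bundle)  # OS trust store is deliberately not loaded
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def templates_path(ca_id):
    """Path for GET /api/CAs/{id}/certificatetemplates with the id percent-encoded."""
    return "/api/CAs/" + quote(str(ca_id), safe="") + "/certificatetemplates"


def get_json(ctx, host, path, timeout=10):
    """GET a JSON document over mutual TLS; any non-200 status is an error."""
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Accept": "application/json"})
        resp = conn.getresponse()
        body = resp.read()
        if resp.status != 200:
            raise RuntimeError(f"GET {path} returned HTTP {resp.status}")
        return json.loads(body)
    finally:
        conn.close()


if __name__ == "__main__":
    ctx = mtls_context(CA_BUNDLE, CLIENT_CERT, CLIENT_KEY)
    print(get_json(ctx, API_HOST, "/api/CAs"))
```

Because the context never loads the operating system trust store, a server certificate that does not chain to the CBJ CAs fails the handshake instead of being accepted through a public CA.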
