African Community Fund
Certificate Authority Directive
Directive No.: ACF-DIR-002 | Effective Date: 10/11/2025 | Version: 1.0
PREAMBLE
WHEREAS the African Community Fund (the "Fund") operates as an international institution with full juridical personality under Article 2.1 of its Charter;
WHEREAS Article 10.2 mandates the maintenance of a secure Digital Share Registry and Article 13.5 authorizes the Chair to adopt directives to implement the Fund's mission;
WHEREAS secure, sovereign, and legally recognized digital identity is essential for Member authentication, transaction integrity, and the operation of the Programmatic API;
WHEREAS Chapter V of the Charter grants immunities and privileges necessary to protect the Fund's technical infrastructure from external interference;
NOW THEREFORE, the Chair hereby issues this Certificate Authority Directive to establish the governance, technical standards, and operational protocols for the ACF Sovereign Certificate Authority.
ARTICLE 1: ESTABLISHMENT AND STATUS
1.1 Sovereign Certificate Authority: The Fund shall establish and operate a sovereign Certificate Authority (the "ACF CA") to issue, manage, and revoke digital certificates for Members, officers, and Fund systems.
1.2 Legal Standing: Certificates issued by the ACF CA shall be recognized as legally binding digital signatures under the Fund's Charter and applicable international frameworks (e.g., eIDAS, UNCITRAL Model Law on Electronic Signatures).
1.3 Immunities: The infrastructure, keys, and operations of the ACF CA are protected under Chapter V (Articles 18-22) of the Charter, including immunity from seizure, confiscation, or restrictive regulation.
ARTICLE 2: CERTIFICATE HIERARCHY AND VALIDITY
2.1 Root Certificate Authority: (a) The ACF Root CA shall serve as the trust anchor for the Fund's ecosystem. (b) Validity Period: The Root CA certificate shall have a validity period of twenty (20) years from the date of issuance. (c) Renewal of the Root CA shall require approval by the Executive Committee and generation of a new key pair prior to expiration.
2.2 Intermediate Certificate Authorities: (a) The ACF CA may issue Intermediate CA certificates for specific purposes (e.g., Member Identity, System-to-System, Code Signing). (b) Intermediate CA validity shall not exceed ten (10) years and must not exceed the validity of the Root CA.
2.3 End-Entity Certificates: (a) Certificates issued to Members, officers, or devices shall have a maximum validity of three (3) years. (b) Renewal requires re-verification of identity and compliance status.
ARTICLE 3: TECHNICAL SECURITY STANDARDS
3.1 Cryptographic Algorithms: (a) Root and Intermediate CA keys shall use RSA 4096-bit or ECC P-384 or higher. (b) End-Entity certificates shall use RSA 2048-bit minimum or ECC P-256 minimum. (c) Hashing algorithms shall be SHA-256 or SHA-384 minimum.
3.2 Key Management: (a) Private keys for the Root and Intermediate CAs shall be generated and stored in FIPS 140-2 Level 3 or higher Hardware Security Modules (HSM). (b) Key generation shall require multi-person control (M-of-N) authentication. (c) Private keys shall never be exported from the HSM in plaintext form.
3.3 Revocation Mechanisms: (a) The ACF CA shall maintain Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP) responders. (b) Revocation information shall be updated at least every twenty-four (24) hours. (c) Compromised certificates shall be revoked immediately upon confirmation of breach.
ARTICLE 4: IDENTITY VERIFICATION AND ISSUANCE
4.1 Member Verification: (a) Class A (Governance) and Class B (Non-Governance) Members shall undergo identity verification consistent with Article 7.4 (KYC Declaration) prior to certificate issuance. (b) Authorized Signatories shall be verified against official documentation provided during membership onboarding.
4.2 Certificate Usage: (a) Certificates shall be used for authentication to the Digital Share Registry (Article 10.2). (b) Certificates shall be used for signing legally significant documents (e.g., Subscription Agreements, Withdrawal Notices). (c) Certificates shall be used for securing API communications (mTLS) under the Secure Mail Directive (ACF-DIR-001).
4.3 Denial and Revocation: (a) The Executive Committee may deny or revoke certificates if a Member is non-compliant with Charter obligations. (b) Revoked certificates shall be immediately invalidated across all Fund systems.
ARTICLE 5: OPERATIONS AND AUDIT
5.1 Operational Security: (a) The ACF CA operations shall comply with WebPKI Baseline Requirements and ETSI EN 319 411 standards. (b) Access to CA signing systems shall be logged and auditable.
5.2 Audit: (a) The ACF CA shall undergo an annual external audit by auditors of recognized international standing (Article 23.2). (b) Audit reports shall be submitted to the Executive Committee and summarized for the Voting Meeting.
5.3 Business Continuity: (a) The Fund shall maintain disaster recovery sites for CA operations. (b) Key backup and recovery procedures shall be tested annually.
ARTICLE 6: LIABILITY AND DISPUTE RESOLUTION
6.1 Limitation of Liability: The Fund's liability regarding certificate issuance is limited to direct damages proven to result from Fund negligence. The Fund is not liable for consequential damages arising from Member misuse or third-party reliance.
6.2 Immunity Assertion: Any legal action regarding the ACF CA is subject to the immunities outlined in Chapter V of the Charter.
6.3 Dispute Resolution: Disputes regarding certificate validity, revocation, or usage shall be resolved under Article 27 (Submission to Executive Committee and Voting Meeting), not domestic courts.
ARTICLE 7: AMENDMENTS AND ENTRY INTO FORCE
7.1 Amendments: This Directive may be amended by the Chair upon recommendation of the Executive Committee.
7.2 Entry into Force: This Directive enters into force upon signature by the Chair and publication on the Fund's official website.
7.3 Languages: In accordance with Article 28.1, this Directive is authentic in English, French, Portuguese, and Arabic. In case of discrepancy, the English text shall prevail for technical specifications.
SCHEDULE A: ROOT CA SPECIFICATIONS
| Parameter | Value |
|---|---|
| Common Name | African Community Fund Root CA |
| Validity | 20 Years (7,300 Days) |
| Key Algorithm | RSA 4096 / ECC P-384 |
| Signature Algorithm | SHA-384 with RSA / ECDSA |
| Key Usage | Key Cert Sign, CRL Sign |
| Basic Constraints | CA:TRUE, Path Length: 1 |
| Storage | FIPS 140-2 Level 3 HSM |
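
The limits in Articles 2 and 3.1 and in this Schedule can be checked mechanically before a certificate is accepted into a trust store. The Go sketch below is an added example and is not part of the Directive or of any ACF software. The names `Lint`, `Sample` and `tiers` are hypothetical, the sample certificates are constructed, and it assumes that 3.1(c) means "SHA-256 or stronger" and that the 2.2(b) rule applies to any issuer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"time"
)

// Per tier, from Articles 2 and 3.1: {max validity in years, min RSA bits, min ECC curve bits}.
var tiers = map[string][3]int{"root": {20, 4096, 384}, "intermediate": {10, 4096, 384}, "end-entity": {3, 2048, 256}}

// Lint lists the Directive clauses cert violates; issuer is nil for the Root CA.
func Lint(kind string, cert, issuer *x509.Certificate) (bad []string) {
	t := tiers[kind]
	if cert.NotAfter.After(cert.NotBefore.AddDate(t[0], 0, 0)) {
		bad = append(bad, "Art. 2: validity exceeds the tier maximum")
	}
	if issuer != nil && cert.NotAfter.After(issuer.NotAfter) { // 2.2(b) names Intermediates; other tiers assumed
		bad = append(bad, "Art. 2.2(b): certificate outlives its issuer")
	}
	bits, need := 0, 1 // key types the Directive does not list always fail
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		bits, need = k.N.BitLen(), t[1]
	case *ecdsa.PublicKey:
		bits, need = k.Curve.Params().BitSize, t[2]
	}
	if bits < need {
		bad = append(bad, "Art. 3.1(a)/(b): key type or size below the tier minimum")
	}
	switch cert.SignatureAlgorithm { // 3.1(c) read as "SHA-256 or stronger" (assumption)
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA, x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS, x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
	default:
		bad = append(bad, "Art. 3.1(c): signature hash weaker than SHA-256")
	}
	return bad
}

// Sample builds a constructed, unsigned certificate record with an ECC key (test input only).
func Sample(curve elliptic.Curve, alg x509.SignatureAlgorithm, years int) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{PublicKey: &ecdsa.PublicKey{Curve: curve}, SignatureAlgorithm: alg, NotBefore: now, NotAfter: now.AddDate(years, 0, 0)}
}

func main() {
	fmt.Println(Lint("end-entity", Sample(elliptic.P224(), x509.ECDSAWithSHA1, 5), nil))
}
```

`Lint` accepts any `*x509.Certificate`, so certificates parsed with `x509.ParseCertificate` can be passed in place of the constructed samples.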
SCHEDULE B: CONTACTS AND SUPPORT
| Function | Contact |
|---|---|
| CA Operations | [email protected] |
| Technical Support | [email protected] |
| Security Incidents | [email protected] |
Adopted by the Chair of the African Community Fund on 10/11/2025.
Shared Value, Shared Prosperity.