Are your organization’s certificate policies updated?

Read time: 10 minutes

Certificate Policy (CP)

A certificate policy describes the measures taken to validate a certificate’s subject prior to certificate issuance and the intended purposes of the certificate. For many organizations, the certificate-issuance policy determines whether the presented certificate will be trusted. The CP also lets users and PKI maintainers know how to apply for a certificate, the naming standards for certificates, and more. The Certificate Practice Statement (CPS) follows the standards set forth in the CP.

Contents of a Certificate Policy

A certificate policy should include the following information:

1. The method through which user’s identity is validated during certificate enrolment

   The procedure of identifying a genuine user must be defined. It may be via an account and password combination or other different forms of identification which requestors/users must present for validation.

2. The certificate’s intended purpose

   The purpose for which certificate has been requested must be mentioned clearly in the policy. For e.g. Is the certificate used for authentication on the network or for signing purchase orders? If the certificate is used for signing purchase orders, is there a maximum value allowed? Such questions should be addressed in the certificate policy.

3. The type of device in which the certificate’s private key is stored

   The private key stored on the computer’s local disk in the user’s profile, or on a hardware device such as a smart card. Other measures, such as implementing strong private key protection or requiring a password to access the private key, can be included in this information.

4. The subject’s responsibility for the private key associated with the certificate if the private key is compromised or lost

   Is the user responsible for any actions performed using the acquired private key if the private key is compromised or a backup of the private key is lost? This decision can lead to preventing the archival or export of the private key associated with the certificate.

5. Revocation policies, procedures, and responsibilities

   It consists of the actions or events which will lead to the revocation of a certificate, how the revocation process will be initiated, and who will perform the actual revocation procedure.

Certificate Practice Statement (CPS)

A certification practice statement (CPS) defines the measures taken to secure CA operations and the management of CA-issued certificates. You can consider a CPS to be an agreement between the organization managing the CA and the people relying on the certificates issued by the CA. While the CP tells a user or maintainer what to do, the CPS tells them how to do it.CA’s CPS is a public document that should be readily available to all the participants so that a relying party can determine whether the certificates issued by that CA meet its security requirements or not. The CPS can contain the following information:

• How the CA will enforce the measures necessary to validate the certificate’s subject, as required by the certificate policy.
• The liability of the organization if an act of fraud is performed against the service protected by the certificate and the fault is found to be associated with the certificate.
• The circumstances under which a certificate can be revoked before its expiration.

RFC 3647 recommends a standard CPS format which includes the following nine sections:

1. Introduction

   The introduction of a CPS provides an overview of the CA, as well as the types of users, computers, network devices, or services that will receive certificates. It also includes information on certificate usage.

2. Publication and Repository Responsibilities

   This section contains details regarding who operates the components of the public key infrastructure and the responsibilities for publishing the CP or CPS.

3. Identification and Authentication (I&A)

   This section describes the name formats assigned and used in certificates issued by the CA. It also describes the certificate policy and assurance levels implemented at the CA and details identification procedures for.

4. Initial registration for a certificate

   The measures taken to validate the identity of the certificate requestor.

5. Renewal of a certificate

   Are the measures used for initial registration repeated when a certificate is renewed? In some cases, possession of an existing certificate and private key is sufficient proof of identity to receive a new certificate at renewal time.

6. Requests for revocation

   When a certificate must be revoked, what measures will be taken to ensure that the requestor is authorized to request revocation of a certificate?

7. Certificate Life-Cycle Operational Requirements

   This section defines the operating procedures for CA management, issuance of certificates, and management of issued certificates.

8. Facility, Management, and Operational Controls

   It describes physical, procedural, and personnel controls implemented at the CA for key generation, subject authentication, certificate issuance, certificate revocation, auditing, and archiving. These controls can range from limiting which personnel can physically access the CA to ensuring that an employee is assigned only a single PKI management role

9. Technical Security Controls

   This contains the security measures taken by the CA to protect its cryptographic keys and activation data.

10. Certificate, CRL, and OCSP Profiles

    It is used to specify three types of information:

    • Information about the types of certificates issued by the CA For example, are CA issued certificates for user authentication, EFS, or code signing?
    • Information about CRL contents This should provide information about the version numbers supported for CRLs and what extensions are populated in the CRL objects.
    • OCSP profiles This section should provide information on what versions of Online Certificate Status Protocol (OCSP) are used (for example, what RFCs are supported by the OCSP implementation) and what OCSP extensions are populated in issued certificates.

11. Compliance Audit and Other Assessment

    The section details what is checked during a compliance audit, how often the compliance audit must be performed, who will perform the audit (is the audit performed by internal team or by a third party?), what actions must be taken if the CA fails the audit, and who is allowed to inspect the final audit report.

12. Other Business and Legal Matters

    It specifies general business and legal matters regarding the CP and CPS. The business matters include fees for services and the financial responsibilities of the participants in the PKI. The legal matters include privacy of personal information recorded by the PKI, intellectual property rights, warranties, disclaimers, limitations on liabilities, and indemnities.

Conclusion

The Certificate Policy is a document which defines standards of the PKI, and the Certificate Practice Statement sets forth the procedures used in the PKI.