Define Certificate Policies and Certification Authority Practices

You can use Microsoft Certificate Services or other certificate services to create CAs for your organization. Before deploying CAs, define the certificate policies and certificate practice statements (CPSs) for your organization. A certificate policy specifies what a certificate should be used for, and the liability assumed by the CA for this use. A certificate practice statement specifies the practices that the CA employs to manage the certificates it issues. A CPS describes how the requirements of the certificate policy are implemented in the context of the operating policies, system architecture, physical security, and computing environment of the CA organization. For example, a certificate policy might specify that the private key cannot be exported, so the CPS describes how this is accomplished by the PKI that you deploy.

Certificate Policies

Certificate policies can include the following types of information:

  • How users will be authenticated to the CA

  • Legal issues, such as liability, that might arise if the CA becomes compromised or is used for the wrong purpose

  • What purposes the certificate can be used for

  • Private key management requirements, such as requiring storage on smart cards or other hardware devices

  • Whether the private key can be exported

  • Requirements for users of the certificates, including what users must do in case their private keys are lost or compromised

  • Requirements for certificate enrollment and renewal

  • Certificate lifetime

  • Cryptographic algorithms to be used

  • Minimum key length for the public and private key pairs

Certificate Practice Statements (CPS)

A CPS for a certification authority can meet the requirements of multiple certificate policies. Each CPS contains information specific to that CA. However, the CPS for a subordinate CA can refer to the CPS of a parent CA for general or common information. A CPS can include the following types of information:

  • Positive identification of the CA (including CA name, server name, and DNS address)

  • What certificate policies are implemented by the CA and what certificate types are issued

  • Policies, procedures, and processes for issuing and renewing certificates

  • Cryptographic algorithms, cryptographic service provider (CSP), and key length used for the CA certificate

  • Lifetime of the CA certificate

  • Physical, network, and procedural security of the CA

  • The certificate lifetime of each certificate issued by the CA

  • Policies for revoking certificates, including conditions for certificate revocation such as employee termination and misuse of security privileges

  • Policies for certificate revocation lists (CRLs), including CRL distribution points and publishing intervals

  • Policy for renewing the CA's certificate before its expiration
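When the CA is built with Microsoft Certificate Services, several of the items listed under Certificate Policies and under Certificate Practice Statements above (the policy identifier and the pointer to the published CPS, the CA key length and CA certificate lifetime, and the CRL publishing intervals) are declared up front in a CAPolicy.inf file that is placed in %SystemRoot% before the CA role is installed. The file below is an added example written for this page, not configuration taken from the original documentation or from any Microsoft product sample. It assumes an offline root CA; the policy OID, the CPS URL on pki.example.com, and the key length, lifetime and CRL values are placeholders that must be replaced with the values your own certificate policy and CPS actually specify.

```ini
; CAPolicy.inf (added example): declares the certificate policy and CPS
; pointer and the CA-level practices for an offline root CA.
; Place in %SystemRoot% before installing Certificate Services.
[Version]
Signature="$Windows NT$"

; Certificate policy: every certificate issued by this CA carries this
; policy OID and the URL where the CPS is published.
[PolicyStatementExtension]
Policies=OrgCertificatePolicy

[OrgCertificatePolicy]
; PLACEHOLDER: use an OID from your organization's own registered arc.
OID=1.2.3.4.5.6.7.8.1
Notice="Issued under the organization's certificate policy; see the CPS."
; PLACEHOLDER hostname; the CPS document itself is what this example assumes
; is published at this location.
URL=http://pki.example.com/pki/cps.html

; Offline root: no CDP or AIA URLs are embedded in the root certificate.
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True

[Certsrv_Server]
; CA key length and CA certificate lifetime, as stated in the CPS
; (values are example choices for a root CA, not recommendations from the page).
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
; CRL publishing interval for the root; delta CRLs disabled (units = 0)
; because an offline root revokes rarely and publishes manually.
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
; Do not auto-load the default templates; issue only the certificate
; types the CPS says this CA issues.
LoadDefaultTemplates=0
```

The file does not replace the written CPS: the values here are the machine-readable commitments (policy OID, CPS URL, key length, lifetime, CRL period) that the CPS text explains and justifies, and a review of the installed CA should confirm that what the CA actually enforces still matches what the CPS document promises.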