Certificate Management Policy

Version 1.0 | Effective Date: [DD/MM/YYYY]


1. Purpose and Scope

Description
This section defines which digital certificates the policy covers and the security standards the organisation aligns with. Compliance helps prevent data breaches and meets legal requirements.

Applies to all X.509 certificates including:
- TLS/SSL server/client certificates
- Code signing certificates
- S/MIME email certificates
- IoT device authentication certificates


2. Cryptographic Standards

2.1 Key Requirements

Description
These algorithm choices balance security with performance. Larger key sizes protect against brute-force attacks, while modern algorithms improve efficiency.

Asymmetric Algorithms:
- RSA ≥ 3072 bits
- ECDSA ≥ secp384r1
- EdDSA (Ed448)

Hash Algorithms:
- SHA-384 minimum
- SHA3-512 for high-security systems


3. Lifecycle Management

3.1 Issuance Process

Description
Strict issuance controls prevent fraudulent certificates. Hardware security modules (HSMs) ensure private keys cannot be extracted or copied, while domain validation confirms that the requester legitimately controls the domain.

- CSR generated using FIPS 140-3 Level 2 validated HSM
- Domain validation per CA/B Forum Baseline Requirements
- Private key stored in secure cryptographic storage

3.2 Renewal and Revocation

Description
Automatic renewal prevents service outages caused by expired certificates. Immediate revocation stops compromised certificates from being misused.

Renewal Threshold:
30 days before expiration

Revocation Conditions:
- Private key compromise
- Algorithm deprecation
- Organisational name changes


4. Operational Controls

4.1 Inventory Management

Description
Complete visibility prevents "lost" certificates that could expire unnoticed or be used by attackers. Automated discovery catches unauthorised certificates.

Maintain a central registry with:
- Certificate fingerprint (SHA-256)
- Issuing CA
- Associated asset
- Expiration date

Run automated discovery scans weekly.
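The key requirements in section 2.1, the 30-day renewal threshold in section 3.2 and the registry fields in section 4.1 can be checked mechanically against a parsed certificate. The program below is an added example written for this page, not part of the policy template itself; it uses only Go's standard library, builds two constructed self-signed certificates (via a hypothetical helper, newSelfSigned) to stand in for certificates pulled from the inventory, and reports which policy rules each one violates, whether it is inside the renewal window, and the registry record that would be stored for it. Ed448 is not checked because Go's crypto/x509 does not support it.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Thresholds taken from sections 2.1 and 3.2 of the policy.
const (
	minRSABits       = 3072
	minECDSABits     = 384 // secp384r1 (P-384) or larger
	renewalThreshold = 30 * 24 * time.Hour
)

// Inventory holds the central registry fields listed in section 4.1.
type Inventory struct {
	Fingerprint string // SHA-256 of the DER encoding, hex
	IssuingCA   string
	Asset       string
	Expires     time.Time
}

// CheckCertificate returns the policy violations found in a parsed certificate; empty means compliant.
func CheckCertificate(cert *x509.Certificate) []string {
	var findings []string
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < minRSABits {
			findings = append(findings, fmt.Sprintf("RSA key is %d bits, policy requires >= %d", pub.N.BitLen(), minRSABits))
		}
	case *ecdsa.PublicKey:
		if pub.Curve.Params().BitSize < minECDSABits {
			findings = append(findings, fmt.Sprintf("ECDSA curve %s is below secp384r1", pub.Curve.Params().Name))
		}
	default:
		findings = append(findings, fmt.Sprintf("key type %T is not an approved algorithm", pub))
	}
	switch cert.SignatureAlgorithm { // signature hash must be SHA-384 or stronger
	case x509.SHA384WithRSA, x509.SHA512WithRSA, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
	default:
		findings = append(findings, fmt.Sprintf("signature algorithm %s uses a hash weaker than SHA-384", cert.SignatureAlgorithm))
	}
	return findings
}

// Fingerprint is the SHA-256 fingerprint the registry records for a certificate.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// NeedsRenewal reports whether, at time now, the certificate is within the 30-day window or already expired.
func NeedsRenewal(cert *x509.Certificate, now time.Time) bool {
	return cert.NotAfter.Sub(now) <= renewalThreshold
}

// Record builds the registry entry for a certificate and the asset that uses it.
func Record(cert *x509.Certificate, asset string) Inventory {
	return Inventory{Fingerprint: Fingerprint(cert), IssuingCA: cert.Issuer.CommonName, Asset: asset, Expires: cert.NotAfter}
}

// newSelfSigned is a hypothetical helper that builds a constructed self-signed certificate for the demo;
// in production the certificates would come from the inventory or a TLS endpoint.
func newSelfSigned(key crypto.Signer, alg x509.SignatureAlgorithm, cn string, lifetime time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: cn},
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(lifetime),
		SignatureAlgorithm: alg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	ecKey, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	good, _ := newSelfSigned(ecKey, x509.ECDSAWithSHA384, "good.example", 400*24*time.Hour)
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048) // deliberately below the 3072-bit floor
	weak, _ := newSelfSigned(rsaKey, x509.SHA256WithRSA, "weak.example", 20*24*time.Hour)
	for _, c := range []*x509.Certificate{good, weak} {
		rec := Record(c, c.Subject.CommonName)
		fmt.Printf("%s fp=%s... issuer=%q expires=%s renew=%v findings=%v\n", rec.Asset, rec.Fingerprint[:16],
			rec.IssuingCA, rec.Expires.Format("2006-01-02"), NeedsRenewal(c, time.Now()), CheckCertificate(c))
	}
}
```

Fed real certificates from the registry, CheckCertificate and NeedsRenewal give the two signals a weekly discovery scan needs: which certificates fall short of the algorithm floor (and so meet the "algorithm deprecation" revocation condition) and which are due for renewal.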


5. Roles and Responsibilities

5.1 Certificate Authority Team

Description
Physical security of root keys prevents catastrophic breaches. Clear documentation ensures consistent operations.

- Maintain offline root CA in secure facility
- Publish Certificate Practice Statement (CPS)

5.2 System Administrators

Description
Certificate pinning prevents man-in-the-middle attacks by trusting only specific certificates. Active monitoring detects suspicious activity.

- Enforce certificate pinning for critical services
- Monitor for unauthorised certificates

6. Revision History

Description
Regular updates ensure we adapt to new threats and technological changes in cryptography.

This document shall be reviewed annually or following significant cryptographic standard updates.


Downloads

Certificate Management Policy in Word format. Use as a base and modify for your organisation.
