Categories of Documentation
There are numerous ways to organize this documentation, and I will outline one method in this post. Documentation can be organized into three main categories (see diagram below).

Policies from higher levels feed into lower-level documents, creating a logical chain of information appropriate for the various audiences in the company.
- Security Policies - the usage of certificates can be documented in existing security policies, should they exist. The SP for certificates should include information such as: the current applications that will require certificates, the types of situations and data requiring certificates, the security services that exist for their usage, and the responsible people, such as the business and technical owners of the system.
- Certificate Policies - these are policies specific to the usage of certificates. This document will contain information related to the Certificate Authority (CA), Registration Authority (RA), and Local Registration Authority (LRA). Technical information would include key lengths, the position on weak ciphers and protocol versions (SSL 1.0, 2.0, 3.0), key management, revocation policies, and audit requirements.
- Certificate Practice Statement - the CPS translates the policies into practical guidance. This document contains the most detail and will include a long list of items:
  - CA information - certificate name (O, OU, C), certificate DNS name.
  - Usage Info - how certs are issued and revoked, when they expire, how they are recovered, who the admins are, and the usage of cross certificates.
  - Certificate Expiration - after a cert expires, what is the process for renewal.
  - Revocation Lists - usage of CRL and/or OCSP.
  - Usage of the CA administrative tools (web site).
  - Usage of the CA enrollment web site.
  - Certificate installation support process and method. This can be a knowledge base that assists users of your certificate with implementation information. If a help desk is available, information on how to contact them would be provided.
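Several of the items the Certificate Policy and CPS pin down (minimum key length, the subject O/OU/C naming, expiration and renewal, and CRL/OCSP availability) can be checked mechanically once they are written down, which is a good way to confirm that issued certificates actually follow the documented policy. The Go program below is an added example, not code from the original post: the policy values, the organization names, the hostname and the CRL URL are all constructed assumptions, and the certificate it checks is a self-signed one generated in memory so the check runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertPolicy is the machine-checkable part of a Certificate Policy / CPS:
// minimum RSA key length, expected subject O and C, maximum lifetime,
// renewal lead time, and whether a CRL or OCSP pointer must be present.
type CertPolicy struct {
	MinRSABits       int
	RequiredO        string
	RequiredC        string
	MaxValidityDays  int
	RenewalWindow    time.Duration
	RequireCRLOrOCSP bool
}

// Finding is one policy violation or operational warning.
type Finding struct{ Rule, Message string }

// CheckCertificate compares a parsed certificate with the policy as of now.
func CheckCertificate(cert *x509.Certificate, p CertPolicy, now time.Time) []Finding {
	var out []Finding
	add := func(rule, format string, a ...interface{}) {
		out = append(out, Finding{rule, fmt.Sprintf(format, a...)})
	}
	// Key length: the CP states a minimum RSA modulus size.
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
		add("key-type", "unexpected public key type %T", cert.PublicKey)
	} else if bits := pub.N.BitLen(); bits < p.MinRSABits {
		add("key-length", "RSA key is %d bits, policy minimum is %d", bits, p.MinRSABits)
	}
	// Subject naming: O and C must match what the CPS documents for the CA.
	if o := cert.Subject.Organization; len(o) == 0 || o[0] != p.RequiredO {
		add("subject-o", "subject O %v, policy requires %q", o, p.RequiredO)
	}
	if c := cert.Subject.Country; len(c) == 0 || c[0] != p.RequiredC {
		add("subject-c", "subject C %v, policy requires %q", c, p.RequiredC)
	}
	// Lifetime and expiration: over-long validity, already expired, or inside the renewal window.
	if cert.NotAfter.Sub(cert.NotBefore) > time.Duration(p.MaxValidityDays)*24*time.Hour {
		add("max-validity", "validity exceeds policy maximum of %d days", p.MaxValidityDays)
	}
	if now.After(cert.NotAfter) {
		add("expired", "certificate expired on %s", cert.NotAfter.Format(time.RFC3339))
	} else if cert.NotAfter.Sub(now) < p.RenewalWindow {
		add("renewal-due", "certificate expires on %s, start renewal", cert.NotAfter.Format(time.RFC3339))
	}
	// Revocation: the CPS requires a CRL distribution point and/or an OCSP responder URL.
	if p.RequireCRLOrOCSP && len(cert.CRLDistributionPoints) == 0 && len(cert.OCSPServer) == 0 {
		add("revocation", "no CRL distribution point or OCSP responder in certificate")
	}
	return out
}

// NewTestCert builds a self-signed certificate in memory from constructed
// values so the checker runs offline; it is not a CA-issued certificate.
func NewTestCert(bits int, org, country string, days int, crl, ocsp []string, notBefore time.Time) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			Organization:       []string{org},
			OrganizationalUnit: []string{"IT Security"}, // constructed OU
			Country:            []string{country},
		},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(time.Duration(days) * 24 * time.Hour),
		CRLDistributionPoints: crl,
		OCSPServer:            ocsp,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	policy := CertPolicy{2048, "Example Corp", "US", 397, 60 * 24 * time.Hour, true} // assumed policy values
	now := time.Now()
	// Constructed offender: 1024-bit key, wrong O, two-year lifetime, no CRL/OCSP, 30 days left.
	cert, err := NewTestCert(1024, "Other Org", "US", 730, nil, nil, now.Add(-700*24*time.Hour))
	if err != nil {
		panic(err)
	}
	for _, f := range CheckCertificate(cert, policy, now) {
		fmt.Printf("%-12s %s\n", f.Rule, f.Message)
	}
}
```

In practice the checker would be pointed at certificates exported from the CA or pulled from the enrollment web site, and its findings (an expiring certificate, a missing CRL pointer) map directly onto the CPS sections on expiration, renewal and revocation, so the same document that describes the process also defines the test.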
Understanding the types of documentation that should be created when implementing certificates will also assist you in the actual implementation process, as it gives you a blueprint of the decisions that need to be made before implementation and a preview of some of the issues you may encounter.
As always I hope this helped....
-npv
1 comment:
Nick, this is a good template. We do something very similar at my company and it has worked well over the years.