A certificate policy (CP) is a document which aims to state what are the different actors of a public key infrastructure (PKI), their roles and their duties. This document is published in the PKI perimeter.
When in use with X.509 certificates, a specific field can be set to include a link to the associated certificate policy. Thus, during an exchange, any relying party has an access to the assurance level associated with the certificate, and can make a decision concerning the level of trust to put in the certificate.
The reference document for writing a certificate policy is, as of December 2010[update], RFC 3647. The RFC proposes a framework for the writing of certificate policies and Certification Practice Statements (CPS). The points described below are based on the framework presented in the RFC.
The document should describe the general architecture of the related PKI, present the different actors of the PKI and any exchange based on certificates issued by this very same PKI.
An important point of the certificate policy is the description of the authorized and prohibited certificate uses. When a certificate is issued, it can be stated in its attributes what use cases it is intended to fulfill. For example, a certificate can be issued for digital signature of e-mail (aka S/MIME), encryption of data, authentication (e.g. of a Web server, as when one uses HTTPS) or further issuance of certificates (delegation of authority). Prohibited uses are specified in the same way.
Naming, identification and authentication
The document also describes how certificates names are to be chosen, and besides, the associated needs for identification and authentication. When a certification application is filled, the certification authority (or, by delegation, the registration authority) is in charge of checking the information provided by the applicant, such as his identity. This is to make sure that the CA does not take part in an identity theft.
The generation of the keys is also mentioned in a certificate policy. Users may be allowed to generate their own keys and submit them to the CA for generation of an associated certificate. The PKI may also choose to prohibit user-generated keys, and provide a separated and probably more secure way of generating the keys (for example, by using a hardware security module).
The different procedures for certificate application, issuance, acceptance, renewal, re-key, modification and revocation are a large part of the document. These procedures describe how each actor of the PKI has to act in order for the whole assurance level to be accepted.
This part describes what are the technical requirements regarding key sizes, protection of private keys (by use of key escrow) and various types of controls regarding the technical environment (computers, network).
Certificate revocation lists
Those lists are a vital part of any public key infrastructure, and as such, a specific chapter is dedicated to the description of the management associated with these lists, to ensure consistency between certificate status and the content of the list.
Audit and assessments
The PKI needs to be audited to ensure it complies with the rules stated in its documents, such as the certificate policy. The procedures used to assess such compliance are described here.
This last chapter tackles all remaining points, by example all the PKI-associated legal matters.