Documenting Certificate Policies and Practices

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Designing a public key infrastructure involves configuring certificates and certification authorities, developing support procedures, and establishing a system of checks and balances for administrative authority. Only by effectively addressing both the technical and administrative issues related to your public key infrastructure can you ensure that your certificate services provide the level of security that your organization requires

It is helpful to record the decisions that you make as you design your PKI by creating certificate policy statements and certificate practice statements. These documents assist you in planning and in communicating with individuals and businesses outside your organization. For many organizations and certificate uses, certificate policy statements and certificate practice statements are considered legal documents or legal disclaimers.

In general, the IT department is responsible for setting and maintaining PKI policies and practices. However, because of the legal, financial, and tactical uses of PKIs, representatives from outside the IT department, such as human resources, finance, legal, and marketing, might also be involved in establishing certificate policies.

A certificate policy is a set of rules that indicates the applicability of a certificate to a particular group of clients or applications that have common security requirements. Certificate policy statements generally include the following types of information:

  • How users are authenticated to the CA.

  • Legal issues, such as liability, that might arise if the CA is either compromised or used for something other than its intended purpose.

  • The intended purpose of the certificate.

  • Private key management requirements, such as storage on smart cards or other hardware devices.

  • Whether the private key can be exported or archived

  • Requirements for users of the certificates, including what users must do in the event that their private keys are lost or compromised.

  • Requirements for certificate enrollment and renewal.

  • Minimum length for the public key and private key pairs.


  • You can implement many of the decisions that you document in your certificate policy statements by creating a CAPolicy.inf file and copying it to the system directory of the CA before the CA is installed or renewed. For more information about CAPolicy.inf file contents and configuration, see the Windows Security Collection of the Windows ServerĀ 2003 Technical Reference (or see the Windows Security Collection on the Web at

A certificate practice statement is a statement of the practices that IT uses to manage the certificates that it issues. It describes how the certificate policy of the organization is interpreted in the context of the system architecture of the organization and its operating procedures. The IT department is responsible for preparing and maintaining the certificate practice statement.

A certificate practice statement usually includes the following types of information:

  • Positive identification of the CA (including CA name, server name, and DNS address).

  • The certificate policies that are implemented by the CA and the certificate types that are issued.

  • The policies, procedures, and processes for issuing, renewing, and recovering certificates.

  • Cryptographic algorithms, cryptographic service providers (CSPs), and key length used for the CA certificate.

  • Physical, network, and procedural security for the CA.

  • The certificate lifetime of each certificate issued by the CA.

  • Policies for revoking certificates, including conditions for certificate revocation, such as employee termination and misuse of user rights.

  • Policies for CRLs, including where to locate CRL distribution points and how often CRLs are published.

  • A policy for renewing the certificate of the CA before its expiration.

It is best to create a certificate practice statement for each CA in your public key infrastructure. The certificate practice statement associated with a CA can incorporate multiple certificate policies. Also, to consolidate information, the certificate practice statement for a subordinate CA can reference common or general information in the certificate practice statement of a parent CA.

For an outline to assist you in creating a certificate practice statement, see "Certificate Practice Statement Outline" (DSSPKI_2.doc) on the Windows ServerĀ 2003 Deployment Kit companion CD (or see "Certificate Practice Statement Outline" on the Web at


  • In some situations, such as when digital signatures are used on binding contracts, the certificate practice statement can also be considered a legal statement about the level of security that is provided and the safeguards that are being used to establish and maintain the security level.