Professional Documents
Culture Documents
2012 E.C.
Ethiopian PKI X.509 Certificate Policy
Document Control
Document Name Ethiopian PKI X.509 Certificate Policy
Status Release
Version 1.0
Last Update
Document Owner Information Network Security Agency, INSA
Ethiopian PKI X.509 Certificate Policy
Table of Contents
1. INTRODUCTION ..................................................................................................................................... 1
1.1. Overview ............................................................................................................................................ 1
1.2. Document Name and Identification .................................................................................................. 1
1.3. PKI Participants .................................................................................................................................. 2
1.3.1. Certification Authority (CA)................................................................................................ 2
1.3.1.1. Two-Level CA Hierarchy ..................................................................................................... 2
1.3.1.2. Root Certificate Authority of Ethiopia (INSA) .................................................................... 3
1.3.1.3. Sub-CAs .............................................................................................................................. 4
1.3.2. Registration Authority (RA) ................................................................................................ 4
1.3.3. Local Registration Authority (LRA) ..................................................................................... 4
1.3.4. Subscribers ......................................................................................................................... 5
1.3.5. Relying Parties .................................................................................................................... 5
1.3.6. Other Participants .............................................................................................................. 5
1.3.6.1. Repository Service Providers ............................................................................................. 5
1.3.6.2. Timestamp Service Providers ............................................................................................. 6
1.4. Certificate Usage ............................................................................................................................... 6
1.4.1. Appropriate Certificate Uses .............................................................................................. 6
1.4.1.1. Certificates Issued to Individuals ....................................................................................... 6
1.4.1.2. Certificates Issued to Organizations .................................................................................. 7
1.4.1.3. Assurance Levels ................................................................................................................ 8
1.4.2. Prohibited Certificate Uses ................................................................................................ 9
1.5. Policy Administration......................................................................................................................... 9
1.5.1. Organization Administering the Document ....................................................................... 9
1.5.2. Contact Person ................................................................................................................... 9
1.5.3. Person Determining Certification Practice Statement Suitability for the Policy ............... 9
1.5.4. CP/CPS Approval Procedures ............................................................................................. 9
1.6. Definitions and Acronyms ............................................................................................................... 10
1.6.1. Definitions ........................................................................................................................ 10
1.6.2. Acronyms/Abbreviations ................................................................................................. 14
2. PUBLICATION AND REPOSITORY RESPONSIBILITIES ............................................................................ 16
2.1. Repositories ..................................................................................................................................... 16
i
Ethiopian PKI X.509 Certificate Policy
x
Ethiopian PKI X.509 Certificate Policy
1. INTRODUCTION
1.1. Overview
This Certificate Policy (CP) defines certificate policies to facilitate interoperability among
subscribers and relying parties for e-government, e-commerce and other services. This CP, the
related CPS and Certificate Authorities (CAs) are governed by Information Network Security
Agency (INSA). Secure e-government and e-commerce in Ethiopia is governed by the Electronic
Signature Proclamation No. 1072/2018.
The Ethiopia PKI is a hierarchical PKI with the trust chain starting from the Root Certificate
Authority (Root CA) of Ethiopia. Below the Root CA, there are Subordinate Certificate
Authorities (Sub-CAs) licensed by the Root CA to issue digital certificates under the Electronic
Signature Proclamation No. 1072/2018. Sub-CAs can be private sector companies, government
organizations, public sector companies and Non-Government Organizations (NGOs). Below the
Sub-CAs, there are end users.
If applicable, the certificate policies apply to all components of the Ethiopian PKI. Ethiopian PKI
components include but are not limited to Root CA, Sub-CAs, Registration Authorities (RAs),
Local Registration Authorities (LRs), subscribers, Relying Parties, and Repositories.
Any use or reference of this CP outside the scope of influence of the Ethiopia PKI is completely
at the using party‟s risk.
This CP is consistent with the Internet Engineering Task Force (IETF) Public Key Infrastructure
X.509 (IETF PKIX) RFC 3647, Internet X.509 Public Key Infrastructure Certificate Policy and
Certification Practices Framework.
1.2. Document Name and Identification
This document is the CA Certificate Policy followed by the Root CA and its Sub-CAs and will be
approved for publication by the House of Peoples Representatives/Council of Ministers. This CP
document will be disclosed to the public at the website https://www.insa.gv.et.
This document is entitled” Ethiopian PKI X.509 Certificate Policy”. It is identified by Object
Identifier (OID) 2.16.231.100.1. The meanings of the components of the OID are given in the
table below.
1
Ethiopian PKI X.509 Certificate Policy
2 joint-iso-itu-t
16 Country
231 et
100 This is a place holder for OID of Root CA
1 Ethiopian PKI X.509 Certificate Policy
1.3. PKI Participants
CA is a certificate authority that issues digital certificates in accordance with this CP. As a CA,
CA performs functions associated with Public Key operations, including receiving certificate
requests, issuing, revoking and renewing a digital certificate, and maintaining, issuing, and
publishing CRLs or OCSP responses.
1.3.1. Certification Authority (CA)
1.3.1.1. Two-Level CA Hierarchy
The Ethiopian PKI consists of a two-level CA hierarchy; the top level is the Root CA, the highest
level of authority that manages the Ethiopian PKI. The Ethiopian PKI is formed using additional
Sub-CAs as depicted in the figure below.
2
Ethiopian PKI X.509 Certificate Policy
3
Ethiopian PKI X.509 Certificate Policy
• doing compliance audit to make sure that Sub-CAs are working in conformance to this
CP;
• drafting and approving of CPS for this CP;
1.3.1.3. Sub-CAs
Sub-CAs are legal persons duly authorized or recognized to issue certificates and related services.
A Sub-CA is one that is licensed by the Root CA as per Electronic Signature Proclamation No.
1072/2018. Sub-CAs shall:
• operate and manage the Sub-CA system and its functions in accordance with this CP;
• issue and manage certificates;
• send notification of issuance, revocation or renewal of certificates;
• publish issued certificates and revocation information; and
• handle revocation request regarding certificate it issued;
4
Ethiopian PKI X.509 Certificate Policy
1.3.4. Subscribers
A Subscriber is the entity (the user to whom, or device to which, a certificate is issued) whose
Distinguished Name (DN) appears as the subject in a certificate, and who asserts that it uses the
key and certificate in accordance with this policy. A subscriber means a person who is the subject
named in a certificate, accepts the authenticity of the content the certificate and owns a private
key which corresponds to a public key listed in that certificate.
1.3.5. Relying Parties
A Relying Party means a person who acts relying on the information contained in a certificate or
in the authenticity of digital signature. A Relying Party uses a Subscriber‟s certificate to:
• identify the identity and status of an individual;
• be sure of the integrity of a digitally signed message;
• know the identity of the creator of a message;
• make confidential communications with the Subscriber;
• rely only on a recommended reliance limit and transaction type expressly stated in the
certificate;
The Relying Party relies on the validity of the binding between the Subscriber‟s name and public
key. A Relying Party may use information in the certificate (such as Certificate Policy Identifiers)
to determine the suitability of the certificate for a particular use. The Relying Party is responsible
for deciding whether or how to check the validity of the certificate by checking the appropriate
certificate status information.
For this Certificate Policy, the relying party may be any Entity that wishes to validate the binding
of a public key to the name of a federal employee, contractor, other affiliated personnel, private
organization representative, a legal person or device.
1.3.6. Other Participants
1.3.6.1. Repository Service Providers
Repository means a system for disclosing, storing and retrieving certificates or other information
relating to certificates. If anyone wants to render a repository service for certificates issued by
Sub-CAs, one has to apply to the Root CA first. To know all the necessary procedures and
requirements of application, the obligations and accountabilities of Repository Service Providers
refer to the Electronic Signature Regulation.
5
Ethiopian PKI X.509 Certificate Policy
Certificate
Assurance Level Usage
Class
Low Medium High Signing Encryption Client
Assurance Assurance Assurance Authentication
Class 1 √ √ √ √
Certificates
6
Ethiopian PKI X.509 Certificate Policy
Class 2 √ √ √ √
Certificates
Class 3 √ √ √ √
Certificates
1.4.1.2. Certificates Issued to Organizations
Organizational Certificates are issued to organizations after authentication that the Organization
legally exists and that other Organization attributes included in the certificate (excluding no
verified subscriber information) are authenticated e.g. ownership of an Internet or e-mail domain.
It is not the intent of this CP to limit the types of usages for Organizational Certificates. While the
most common usages are included in the table below, an Organizational Certificate may be used
for other purposes, provided that a Relying Party is able to reasonably rely on that certificate and
the usage is not otherwise prohibited by law, by this CP, by any CPS under which the certificate
has been issued and any agreements with Subscribers.
Certificate
Assurance Level Usage
Class
Medium High Code/Content Secure Authentication
Signing TLS/SSL Signing and
Sessions Encryption
Class 3 √ √ √ √ √
Certificate
Class 3 SSL √ √ √ √ √
Certificates
Class 3 Code √ √ √ √ √
Signing
Certificates
7
Ethiopian PKI X.509 Certificate Policy
8
Ethiopian PKI X.509 Certificate Policy
1.5.3. Person Determining Certification Practice Statement Suitability for the Policy
Certification Practices Statements, derived from this CP, must conform to the corresponding
requirements of this Certificate Policy. The Root CA shall determine the suitability of any CPS to
this policy. In each case, the Root CA shall base the determination of suitability on a compliance
audit results and recommendations. See Section 8 for further details.
1.5.4. CP/CPS Approval Procedures
Approval of the CP/CPS and subsequent amendments shall be made by INSA. Amendments shall
either be in the form of a document containing an amended form of the CP/CPS or an update
9
Ethiopian PKI X.509 Certificate Policy
notice. Updates shall supersede any designated or conflicting provisions of the referenced version
of the CP/CPS.
1.6.1. Definitions
Applicant: The natural person or Legal Entity that applies for (or seeks renewal of) a Certificate.
Once the Certificate issues, the Applicant is referred to as the Subscriber. For Certificates issued
to devices, the Applicant is the entity that controls or operates the device named in the Certificate,
even if the device is sending the actual certificate request.
Audit Period: it is the period between the first day (start) and the last day of operations (end)
covered by the auditors in their engagement. The coverage rules and maximum length of audit
periods are defined in Section 8.1.
Audit Report: means a report from a Qualified Auditor stating the Qualified Auditor‟s opinion
on whether an entity‟s processes and controls comply with the mandatory provisions of the
Requirements.
Certificate: means an electronic data which links public key to the person named in the
certificate and confirms the real identity of that person.
Certificate Data: Certificate requests and data related thereto (whether obtained from the
Applicant or otherwise) in the Sub-CA‟s possession or control or to which the Sub-CA has
access.
Certificate Management Process: Processes, practices, and procedures associated with the use
of keys, software, and hardware, by which the Sub-CA verifies Certificate Data, issues
Certificates, maintains a Repository, and revokes Certificates.
Certificate Policy: A set of rules that indicates the applicability of a named Certificate to a
particular community and/or PKI implementation with common security requirements.
10
Ethiopian PKI X.509 Certificate Policy
Certificate Provider: a legal person duly authorized or recognized to issue certificate and
related service.
Certificate Revocation List: A regularly updated time-stamped list of revoked Certificates that is
created and digitally signed by the Sub-CA that issued the Certificates.
Certification Practice Statement: One of several documents forming the governance framework
in which Certificates are created, issued, managed, and used.
Domain Name: The label assigned to a node in the Domain Name System. Domain Namespace:
The set of all possible Domain Names those are subordinate to a single node in the Domain Name
System.
Expiry Date: The “Not After” date in a Certificate that defines the end of a Certificate‟s validity
period.
Fully-Qualified Domain Name: A Domain Name that includes the labels of all superior nodes in
the Internet Domain Name System.
Key Compromise: A Private Key is said to be compromised if its value has been disclosed to an
unauthorized person, an unauthorized person has had access to it, or there exists a practical
technique by which an unauthorized person may discover its value.
Key Generation Script: A documented plan of procedures for the generation of a Sub-CA Key
Pair.
Key Pair: means a private key and its corresponding public key in an asymmetric cryptosystem.
11
Ethiopian PKI X.509 Certificate Policy
OCSP Responder: An online server operated under the authority of the Sub-CA and connected
to its Repository for processing Certificate status requests. See also, Online Certificate Status
Protocol.
Private Key: The key of a Key Pair that is kept secret by the holder of the Key Pair, and that is
used to create Digital Signatures and/or to decrypt electronic records or files that were encrypted
with the corresponding Public Key.
Public Key: The key of a Key Pair that may be publicly disclosed by the holder of the
corresponding Private Key and that is used by a Relying Party to verify Digital Signatures created
with the holder's corresponding Private Key and/or to encrypt messages so that they can be
decrypted only with the holder's corresponding Private Key.
Public Key Infrastructure: A set of hardware, software, people, procedures, rules, policies, and
obligations used to facilitate the trustworthy creation, issuance, management, and use of
Certificates and keys based on Public Key Cryptography.
Qualified Auditor: means a natural person or Legal Entity that meets the requirements of Section
8.3.
Registration Authority (RA): Any Legal Entity that is responsible for identification and
authentication of subjects of Certificates, but is not a CA, and hence does not sign or issue
Certificates. An RA may assist in the certificate application process or revocation process or both.
When “RA” is used as an adjective to describe a role or function, it does not necessarily imply a
separate body, but can be part of the Sub-CA.
12
Ethiopian PKI X.509 Certificate Policy
Relying Party: means a person who acts relying on the information contained in a certificate or
in the authenticity of digital signature.
Root CA: The top-level Certification Authority whose Root Certificate is distributed by
Application Software Suppliers and that issues Sub-CA Certificates.
Root Certificate: The self-signed Certificate issued by the Root CA to identify itself and to
facilitate verification of Certificates issued to its Sub-CA s.
Subject: The natural person, device, system, unit, or Legal Entity identified in a Certificate as the
Subject. The Subject is either the Subscriber or a device under the control and operation of the
Subscriber.
Subject Identity Information: Information that identifies the Certificate Subject. Subject
Identity Information does not include a domain name listed in the subjectAltName extension or
the Subject commonName field.
Subscriber: means a person who is the subject named in a certificate, accepts the authenticity of
the content the certificate and owns a private key which corresponds to a public key listed in that
certificate.
Subscriber Agreement: An agreement between the Sub-CA and the Applicant/Subscriber that
specifies the rights and responsibilities of the parties.
Terms of Use: Provisions regarding the safekeeping and acceptable uses of a Certificate issued in
accordance with these Requirements when the Applicant/Subscriber is an Affiliate of the SubCA
or is the Sub-CA.
13
Ethiopian PKI X.509 Certificate Policy
Time Stamp Service: means a digitally signed notation appended to electronic message, digital
signature or certificate indicating the correct date and time of an action;
Valid Certificate: means a certificate which has been issued by a licensed or recognized
certificate provider, accepted by the subscriber, not revoked, not suspended or not expired.
Validity Period: The period of time measured from the date when the Certificate is issued until
the Expiry Date.
1.6.2. Acronyms/Abbreviations
AES Advanced Encryption Standard
CA Certificate Authority
COTS Commercial-Off-The-Shelf
CP Certificate Policy
CPS Certification Practice Statement
CRL Certificate Revocation List
CSP Certificate Status Provider
DN Distinguished Name
DNS Domain Name Service
14
Ethiopian PKI X.509 Certificate Policy
15
Ethiopian PKI X.509 Certificate Policy
2.1. Repositories
INSA may recognize other bodies that satisfy requirements set forth under a regulation and
directives issued in accordance with the Electronic Signature 1072/2018 to provide repository
service. Any Accredited CA shall establish easily accessible repository system for disclosing
information stated below. The location of any publication will be one that is appropriate to the
certificate-using community, and in accordance with the total security requirements of the Root
CA. Sub-CAs shall operate Hypertext Transfer Protocol (HTTP) or Lightweight Directory Access
Protocol (LDAP) based repositories.
Directory services update data on certificates several times per hour and CRLs every four hours.
The Root CA updates its CRLs at least once in three months and immediately after revoking a
Sub-CA‟s certificate. Sub-CAs update their CRLs every 24 hours. New versions of documents
are published as soon as they have been approved.
The Sub-CAs shall publish all Certificates and Cross Certificates issued, revocation data for
issued Certificates, CP, CPS, and Relying Party agreements and Subscriber Agreements in
Repositories. The Sub-CAs shall ensure that revocation data for issued Certificates and its Root
Certificate are available through a Repository 24 hours a day, 7 days a week with a minimum of
99% availability overall per year with a scheduled downtime that does not exceed 0.5% annually.
Sub-CAs may refrain from making publicly available certain sensitive and/or confidential
documentation including security controls, operating procedures, and internal security policies.
16
Ethiopian PKI X.509 Certificate Policy
Sub-CAs shall make publicly available this CP and their CPSs, Subscriber Agreements, Relying
Party agreements, and CRLs in Repositories, terms and conditions and any other information
related to the service it provides or any modifications made thereof. CRLs should contain entries
for all revoked unexpired Certificates with a validity period that depends on Certificate type
and/or position of the Certificate within the Certificate chain. Sub-CAs may choose to maintain
the serial numbers of expired Certificates on a CRL to further promote additional security.
The Sub-CAs shall provide unrestricted read access to its Repositories and shall implement
logical and physical controls to prevent unauthorized write access to such Repositories. But any
PKI Repository information not intended for public dissemination or modification shall be
protected. The integrity and authenticity of its public documentation is maintained through the
use of Digital Signatures applied to documents.
17
Ethiopian PKI X.509 Certificate Policy
3.1. Naming
To identify a Subscriber, Sub-CAs shall follow naming and identification rules that include types
of names assigned to the Subject, such as X.500 distinguished names, RFC-822 names, X.400
names or any other applicable framework.
When applicable, Sub-CAs shall use distinguished names to identify both the Subject and issuer
name of the Certificate. All end-entity certificates issued by Sub-CAs shall be meaningful and
shall contain the subject‟s legal name as well as the subject‟s unique Kebele Identification
Number or Passport Number for certificates issued for citizens and residents.
Rules for interpreting name forms shall be in accordance with applicable Standards.
The Root CA shall enforce controls for guaranteeing the uniqueness of subject Distinguishing
Names (DNs). Within the context of the Ethiopian PKI, Subscriber and Sub-CA names shall be
unique. The DN of the Root CA must also be guaranteed to be unique, so that it will not make
conflict with other internationally accepted Root CAs.
Request that infringe upon the intellectual property rights of entities outside of their authority.
18
Ethiopian PKI X.509 Certificate Policy
The RAs (or LRAs) shall enforce that a Proof-of-Possession of private key is submitted as part of
certificate requests. A possible implementation would be to rely on certificate requests to be
processed by Sub-CAs and containing a Proof-of-Possession (e.g. PKCS#10).
Any individual who requests certificates on behalf of an organizational user shall include the
name of the user who made the request, the name of the organization of which a certificate is
requested, the address of the organization, and proof that the claimed organization exits. The role
of the Sub-CA shall be verifying the information it received concerning the organization.
A Sub-CA shall ensure that the applicant‟s identity information is verified; the applicant‟s
identity information and public key are properly bound and record the process that was followed
for issuance of each certificate. Process information shall depend upon the certificate level of
assurance and shall be addressed in the applicable CPS.
The process documentation and authentication requirements shall include the following:
2. A signed declaration by that person that he or she verified the identity of the applicant;
19
Ethiopian PKI X.509 Certificate Policy
3. The applicant shall present Passport or Kebele ID. The applicant shall also present a
document as a proof of residential address.
4. Unique identifying numbers from the Identifier (ID) of the verifier and from an ID of the
applicant;
5. The date and time of the verification; and
Some computing and communications devices (routers, firewalls, servers, etc.) and software
applications will be named as certificate subjects. In such cases, the device must have a human
sponsor. The sponsor is responsible for providing the following registration information:
Equipment identification (e.g., serial number) or service name (e.g., DNS name) or
unique software application name
Equipment or software application public keys
Equipment or software application authorizations and attributes (if any are to be included
in the certificate)
Contact information to enable the Sub-CA or RA to communicate with the sponsor when
required
Certificates shall be issued in accordance with the Electronic Signature Proclamation No.
20
Ethiopian PKI X.509 Certificate Policy
Re-keying a certificate means that the Sub-CAs create a new certificate that has the same
characteristics and level as the old one, except that the new certificate has a new, different public
key (corresponding to a new, different private key) and a different serial number and possibly
different validity period.
The Sub-CAs and subscribers shall identify themselves through use of their current Signing Key
or by using the initial identity-proofing process as described in Section 3.2.
3.3.2. Identification and Authentication for Re-key after Revocation
Except for renewal, if a certificate has been revoked, the subject (i.e., a Sub-CA or an end user) is
required to go through the initial registration process described in Section 3.2 to obtain a new
certificate.
Revocation requests shall be authenticated before authorized parties act upon them. Requests to
revoke a certificate may be authenticated using that certificate's associated public key, regardless
of whether or not the private key has been compromised. In the case of loss of key, Sub-CA can
suspend/revoke the certificate after verifying the subscriber‟s identity. In the case where
subscriber is not in a position to communicate (death, unconscious state, mental disorder or any
other convincing reason), on receiving such information, the Sub-CA can suspend the certificate
and after verification the certificate can be revoked.
21
Ethiopian PKI X.509 Certificate Policy
Communication among the CA, RA, and subscriber shall have requisite security services (i.e.,
source authentication, integrity, non-repudiation, or confidentiality) applied to them
commensurate with the assurance level of the certificate being managed.
For Sub-CA certificate, an authorized representative of the Sub-CA shall submit the request to the
Root CA. The application shall be submitted based on the procedure issued by the Root CA. The
Root CA shall make the procedure available to all entities. The application shall be accompanied
by a CPS written to the format of the Internet X.509 Public Key Infrastructure Certificate Policy
and Certification Practices Framework [RFC3647].
For end entity certificates, the application process shall be in accordance with the CPS issued by
the Sub-CAs.
Sub-CA shall maintain systems and processes that sufficiently authenticate the Applicant‟s
identify for all Certificate types that present the identity to Relying Parties. Applicants should
submit sufficient information to allow Sub-CAs and RAs to successfully perform the required
verification. Sub-CAs and RAs shall protect communications and securely store information
presented by the Applicant during the application process.
It is the responsibility of the target CA to verify that the information in certificate applications is
accurate. Applicable CPS shall specify procedures to verify information in certificate
applications.
For further information, see section 3.2.2, section 3.2.3 and section 3.2.4 thereof.
22
Ethiopian PKI X.509 Certificate Policy
CAs shall approve or reject applications for Certificates in accordance with applicable CPSs.
4.2.3. Time to Process Certificate Application
Certificate applications are processed instantaneously once the requests have been formally
approved. Consequently, certificates are issued within reasonable time after registration by a RA
or a LRA.
After the CA verified the source of the request, Certificates shall be checked to ensure that all
fields and extensions are properly populated. After generation, verification, and acceptance, a
CA shall post the certificate as set forth in applicable CPSs.
The CA shall notify the Subscriber of the issuance of a Certificate in a convenient and
appropriate way based on information submitted during the enrollment process.
CAs shall inform the subscriber that he may not use the certificate until the subscriber has
reviewed and verified the accuracy of the data incorporated into the certificate. To avoid this
being an open-ended stipulation, CAs may set a time limit by when the certificate is deemed to be
accepted.
Each CA shall publish all CA and subscriber certificates in the appropriate certificate repositories.
No Stipulation.
23
Ethiopian PKI X.509 Certificate Policy
All Subscribers must protect their Private Key taking care to avoid disclosure to third parties.
CAs must maintain a suitable Subscriber Agreement which highlights the obligations of the
Subscriber with respect to Private Key protection. Private Keys must only be used as specified in
the appropriate key usage and extended key usage fields as indicated in the corresponding
Certificate. Where it is possible to make a backup of a Private Key, Subscribers must use the
same level of care and protection attributed to the live Private Key. At the end of the useful life of
a Private Key, Subscribers must securely delete the Private Key and any fragments that it has
been split into for the purposes of backup.
CAs must describe the conditions under which certificates may be relied upon by Relying Parties
within their CPS including the appropriate mechanisms available to verify certificate validity
(e.g. CRL or OCSP). CAs must also offer a Relying Party agreement to Subscribers the content
of which should be presented to the Relying Party prior to reliance upon a Certificate. Relying
Parties should use the information to make a risk assessment and as such are solely responsible
for performing the risk assessment prior to relying on the Certificate or any assurances made.
Software used by Relying Parties should be fully compliant fully compatible with applicable
standards including best practice for chaining decisions around policies and key usage.
Renewing a certificate means creating a new certificate with the same name, key, and other
information as the old one, but a new, extended validity period and a new serial number.
CAs that support renewal must identify the products and services under which renewals can be
accepted. A CA may renew a Certificate so long as:
24
Ethiopian PKI X.509 Certificate Policy
The Public Key from the original Certificate has not been blacklisted for any reason; and
All details within the Certificate remain accurate and no new or additional validation is
required.
2. Identification & Authentication for Re-key as described in Section 3.3, except the old
key can also be used as the new key.
No stipulation.
25
Ethiopian PKI X.509 Certificate Policy
Re-keying a certificate means that a new certificate is created that has the same characteristics
and level as the old one, except that the new certificate has a new, different public key
(corresponding to a new, different private key) and a different serial number, and it may be
assigned a different validity period.
The new public key has not been blacklisted for any reason; and
All details within the Certificate remain accurate and no new or additional validation is
required.
4.7.2. Who may Request Certification of a New Public Key
Subscribers with a current, valid certificate may request re-key via a digitally signed message.
Sub-CAs and RAs may request certification of a new public key on behalf of a subscriber.
For component certificates, the PKI sponsor may request certification of a new public key for
the component.
Re-key requests shall be validated using the procedures for subscriber identity and
authentication for initial certificate issuance as described in Section 3.2 and 3.3 respectively.
26
Ethiopian PKI X.509 Certificate Policy
No stipulation.
No stipulation.
No stipulation.
No stipulation.
No stipulation.
No stipulation.
No stipulation.
No stipulation.
A certificate shall be revoked when the binding between the subject and the subject‟s public key
defined within a certificate is no longer considered valid. Examples of circumstances that
invalidate the binding are:
27
Ethiopian PKI X.509 Certificate Policy
4. The Subject or other authorized party (as defined in the applicable CPS) asks for the
subscriber‟s certificate to be revoked;
5. Private key lost;
6. Subscriber is not in a position to use certificate (Death – copy of Death certificate made
available to the CA).
Whenever any of the above circumstances occur, the associated certificate shall be revoked and
placed on the CRL. Revoked certificates shall be included on all new publications of the
certificate status information until the certificates expire. A revoked certificate shall appear on at
least one CRL.
A Subscriber;
A human supervisor of a human subject (for organizational user);
For Sub-CAs‟ certificates, authorized individuals representing the Sub-CA may request
revocation of certificates.
28
Ethiopian PKI X.509 Certificate Policy
Upon receipt of a revocation request, a Sub-CA shall authenticate the request and then
revoke the certificate.
The revocation request grace period is the time available for a Subscriber to take any necessary
actions themselves in order to request revocation of a suspected Key Compromise, use of a weak
key or discovery of inaccurate information within an issued Certificate.
There is no revocation grace period. Responsible parties must request revocation as soon as they
identify the need for revocation.
The CA shall revoke certificates as quickly as practical after a valid revocation request is
received. Revocation requests shall be processed before the next CRL is published.
CRLs shall be issued periodically, even if there are no changes to be made, to ensure timeliness
of information. Certificate status information may be issued more frequently than the issuance
frequency described below. A Sub-CA shall ensure that superseded certificate status information
is removed from the PKI Repository upon posting of the latest certificate status information.
CRLs shall be published not later than the next scheduled update.
At least once every three months for Root CA with minimum validity period of 6 months;
29
Ethiopian PKI X.509 Certificate Policy
At Least Once every 24 hours for Sub-CA with minimum validity of 7 days.
CRL‟s shall be published within reasonable time of generation. Each CRL is published with the
nextUpdate time specified in the previous CRL for the same scope.
The Sub-CA shall support, in addition to CRLs, on-line status checking via OCSP. Client
software using on-line status checking need not obtain or process CRLs.
No stipulation.
No stipulation.
CA may suspend the certificate work fully or partially for a time not exceeding 3 months in the
following conditions:
o it is proved that the license has been given based on falsified information; o the
certificate provider performs its duty contrary to the objective or condition of the
license;
o the certificate provider is engaged in business activity and the business license
revoked;
30
Ethiopian PKI X.509 Certificate Policy
o the license is expired and is not renewed; o the certificate provider is wind up or
bankrupt;
o the certificate provider is convicted by court of law for involving in criminal
activity linked to certification that erodes the trust;
o the certificate provider has failed to begin operation within three months from the
date it receives a license;
When the Root CA considers that the grounds are not suffice to revoke the certificate
provider license but defects are required to be corrected within a specified time;
The Root CA shall notify in writing the grounds for suspension of certificate work and
measures that the Root CA has to take to correct the defects within the time specified;
4.9.14. Who can Request Suspension
Any subscriber or his duly authorized agent may request the certificate provider for the
suspension of a certificate at any times.
The Root CA may suspend the certificate work fully or partially for a time not exceeding 3
months.
4.10. Certificate Status Services
CAs shall provide a Certificate status service either in the form of a CRL distribution point or an
OCSP responder or both.
31
Ethiopian PKI X.509 Certificate Policy
Relying Parties are bound to their obligations and the stipulations of this CP irrespective of the
availability of the online certificate status service.
No stipulation.
Subscribers may end their subscription to Certificate services due to the termination of the
service, revocation or expiration of the certificate.
Under no circumstances shall a CA or end entity signature key be escrowed by a third party.
No stipulation.
32
Ethiopian PKI X.509 Certificate Policy
The CA shall impose physical security requirements that provide similar levels of protection as
those specified below. All the physical control requirements apply equally to the CA. Equipment
shall be protected from unauthorized access while the cryptographic module is installed and
activated. The RA shall implement physical access controls to reduce the risk of equipment
tampering even when the cryptographic module is not installed and activated. These security
mechanisms shall be commensurate with the level of threat in the RA equipment environment.
The CA equipment shall be in a controlled facility that is monitored 24/7. The CA cryptographic
modules, both those active and operational, and those stored in security containers for on-site and
off-site backup, shall be protected against theft, loss, and unauthorized use by the controls
specified in section 5.1.2 below. Physical security controls should also be in accordance with the
Critical Mass Cyber Security Requirement Standard V1.0.
5.1.1. Site Location & Construction
The location and construction of the facility housing CA, Timestamp Service Provider and
Repository Service Provider equipment should be consistent with facilities used to house high
value, sensitive information. The site location and construction, when combined with other
physical security protection mechanisms such as guards and intrusion sensors, should provide
robust protection against unauthorized access to the CA, Timestamp Service Provider and
Repository Service Provider equipment and records.
5.1.2. Physical Access
CA, Registration Authority, Timestamp Service Provider and Repository Service Provider
equipment should always be protected from unauthorized access. The physical security
requirements pertaining to CA, Timestamp Service Provider and Repository Service Provider
equipment are:
1. Ensure unauthorized access to the hardware is not permitted;
2. Ensure all removable media and paper containing sensitive plaintext information is
stored in secure containers;
33
Ethiopian PKI X.509 Certificate Policy
6. Require two-person physical access control to both the cryptographic module and
computer system for CAs issuing all class certificates;
Removable cryptographic modules should be deactivated prior to storage. When not in use,
removable cryptographic modules, activation information used to access or enable cryptographic
modules shall be placed in secure containers. Activation data should either be memorized, or
recorded and stored in a manner commensurate with the security afforded to the cryptographic
module, and should not be stored with the cryptographic module.
A security check of the facility housing the CA, RA, Timestamp Service Provider and Repository
Service Provider equipment should occur if the facility is to be left unattended. At a minimum,
the check shall verify the following:
1. The equipment is in a state appropriate to the current mode of operation (e.g., that
cryptographic modules are in place when “open”, and secured when “closed”);
2. For off-line CAs, all equipment other than the PKI Repository is shut down);
4. Physical security systems (e.g., door locks, vent covers) are functioning properly; and
A person or group of persons shall be made explicitly responsible for making such checks. When
a group of persons is responsible, a log identifying the person performing a check at each
instance shall be maintained. If the facility is not continuously attended, the last person to depart
shall initial a sign-out sheet that indicates the date and time, and asserts that all necessary
physical protection mechanisms are in place and activated.
34
Ethiopian PKI X.509 Certificate Policy
CAs shall have backup power sufficient to automatically lockout input, finish any pending
actions, and record the state of the equipment before lack of power or air conditioning causes a
shutdown. PKI Repositories should be provided with Uninterrupted Power sufficient for a
minimum of 24 hours operation in the absence of commercial power, to support continuity of
operations.
5.1.4. Water Exposures
The CA, Registration Authority, Timestamp Service Provider and Repository Service Provider
equipment shall be installed such that it is not in danger of exposure to water.
5.1.5. Fire Prevention & Protection
The CA, Registration Authority, Timestamp Service Provider and Repository Service Provider
secure facility is fully wired for fire detection, alarm and suppression. Routine, frequent
inspections of all systems shall be made to assure adequate operation.
5.1.6. Media Storage
Electronic optical and other media shall be stored so that they are protected from accidental
damage (water, fire, electromagnetic radiation). Media that contains security audit archive and
backup information shall be stored in a secure, fire-proof, and safe location separate from the CA.
5.1.7. Waste Disposal
All obsolete paper, magnetic media, optical media, etc. created within the enclave shall be
shredded before discarding. Reusable magnetic and optical media may be reused indefinably
within the enclave.
5.1.8. Off-Site backup
Full system backups of the CAs, sufficient to recover from system failure, should be made on a
periodic schedule, described in the respective CPS. Backups should be performed and stored
offsite as described in applicable CPS. At least one full backup copy should be stored at an offsite
location (at a location separate from the CAs equipment). Only the latest full backup needs to be
retained. The backup should be stored at a site with physical and procedural controls
commensurate to that of the operational CAs.
35
Ethiopian PKI X.509 Certificate Policy
A trusted role is one whose incumbent performs functions that can introduce security problems if
not carried out properly, whether accidentally or maliciously. The people selected to fill these
roles must be extraordinarily responsible or the integrity of the CA is weakened. The functions
performed in these roles form the basis of trust for all uses of the CA. Two approaches are taken
to increase the likelihood that these roles can be successfully carried out. The first ensures that
the person filling the role is trustworthy and properly trained. The second distributes the functions
among more than one person, so that any malicious activity would require collusion.
5.2.1.1. Administrator
The CA Security Officer should be responsible for issuing certificates, that is:
36
Ethiopian PKI X.509 Certificate Policy
5.2.1.3. Auditor
5.2.1.4. Operator
The Operator should be responsible for the routine operation of the CA equipment and operations
such as system backups and recovery or changing recording media.
5.2.1.5. Registration Authority
The roles of RAs engaged by CAs are limited only to the collection of Digital Signature
Certificate (DSC) application form, supporting documents and facilitation of issuance of DSC to
applicants.
Whereas for organizational RA, the responsibilities are:
The Repository Officer shall make public a copy of a certificate the CA issued, suspended or
revoked in the repository specified in the certificate; provided that the subscriber accepted it.
5.2.1.7. Timestamp Officer
The Timestamp Officer shall confirm the correct date and time of an act to a specific electronic
message, digital signature or authenticity of a certificate.
5.2.2. Number of Persons Required per Task
Two or more persons are required for CAs for the following tasks:
37
Ethiopian PKI X.509 Certificate Policy
l. Recovery of a subscriber‟s encryption private key for a third party as directed by the
An individual should identify and authenticate him/herself before being permitted to perform any
actions set forth above for that role or identity. All user authentications are based on two-factor
authentication.
5.2.4. Roles Requiring Separation of Duties
Role separation, when required as set forth below, may be enforced either by the CA equipment,
or procedurally, or by both means.
Individual CA personnel should be specifically designated to the four roles defined in Section
5.2.1 Above. Individuals may assume more than one role, except:
1. Individuals who assume a Security Officer role may not assume an Administrator or
Auditor role;
2. Individuals who assume an Auditor role shall not assume any other role on the CA; and
38
Ethiopian PKI X.509 Certificate Policy
3. Under no circumstances shall any of the seven roles perform its own compliance auditor
function.
All persons filling trusted roles should be selected on the basis of loyalty, trustworthiness, and
integrity, and should be subject to background investigation.
The trusted roles of these individuals per Section 5.2.1 should be identified.
All trusted roles are required to be held by Ethiopian citizens and in accordance with the
following requirements:
1. Have successfully completed an appropriate training program;
3. Be trustworthy;
4. Have no other duties that would interfere or conflict with their duties for the trusted
role;
5. Have not been previously relieved of duties for reasons of negligence or
nonperformance of duties;
6. Have not been denied a security clearance, or had a security clearance revoked for
cause;
7. Have not been convicted of a felony offense; and
All persons filling trusted roles should have completed a favorable background investigation.
The scope of the background check should include the following areas:
1. Employment;
39
Ethiopian PKI X.509 Certificate Policy
2. Education (Regardless of the date of award, the highest educational degree shall be
verified);
3. Place of residence;
5. References
The period of investigation must cover at least the last five (5)
years for each area, excepting the residence check which must cover at least the last three (3)
years. Regardless of the date of award, the highest educational degree shall be verified.
The background investigation shall be performed by an authorized body based on applicable
laws.
5.3.3. Training Requirements
All personnel performing duties with respect to the operation of a CA, Repository Service
Provider, Timestamp Service Provider or a Registration Authority should receive comprehensive
training. Training should be conducted in the following areas:
1. CA/Repository Service Provider/Timestamp Service
Provider/Registration Authority security principles and mechanisms;
Documentation shall be maintained identifying all personnel who received training and the level
of training completed. Where competence was demonstrated in lieu of training, supporting
documentation shall be maintained.
40
Ethiopian PKI X.509 Certificate Policy
Individuals responsible for trusted roles should be aware of changes in the CA, Repository Service
Provider, Timestamp Service Provider or RA operations, as applicable. Any significant change to
the operations should have a training (awareness) plan, and the execution of such plan shall be
documented. Examples of such changes are CA software or hardware upgrade, Registration
Authority software upgrades, changes in automated security systems, and relocation of
equipment.
5.3.5. Job Rotation Frequency and Sequence
Any job rotation frequency and sequencing procedures shall provide for continuity and integrity
of the Ethiopian PKI CA services.
5.3.6. Sanctions for Unauthorized Actions
Any person that operates in violation of this CP or the CPSs related to this CP or the practices and
procedures stated herein, whether through negligence or with malicious intent, shall have
privileges revoked and may be subject to administrative, disciplinary or legal action.
5.3.7. Independent Contractor Requirements
Contractor personnel employed to perform functions pertaining to the CA shall meet applicable
requirements set forth in Section 5.3.1 above. Vendors who provide services to the Ethiopian PKI
shall establish procedures to ensure that any subcontractors who directly provide services to the
Ethiopian PKI perform in accordance with the requirements of Section 5.3.1 above.
5.3.8. 5.3.8. Documentation Supplied to Personnel
For the Ethiopian PKI CA and RA, documentation sufficient to define duties and procedures for
each trusted role shall be provided to the personnel filling that role.
5.4. Audit Logging Procedures
Audit log files should be generated for all events relating to the security of the CAs, Repository
Service Providers, Timestamp Service Providers and RAs. Where possible, the security audit logs
should be automatically collected. Where this is not possible, a logbook, paper form, or other
physical mechanism shall be used. All security audit logs, both electronic and non-electronic,
41
Ethiopian PKI X.509 Certificate Policy
should be retained and made available during compliance audits. The security audit logs for each
auditable event defined in this section should be maintained in accordance with Section 5.5.2.
5.4.1. Types of Events Recorded
All security auditing capabilities of the CAs, Repository Service Providers, Timestamp Service
Providers and Registration RAs operating system and the applications required by this CP should
be enabled. As a result, most of the events identified in the table should be automatically
recorded. At a minimum, each audit record should include the following (either recorded
automatically or manually for each auditable event):
1. The type of event,
4. The identity of the entity and/or operator that caused the event.
42
The value of maximum number of
X X X
authentication attempts is changed
The number of unsuccessful
authentication attempts exceeds the
X X X
maximum authentication attempts
during user login
An Administrator unlocks an account
that has been locked as result of X X X
unsuccessful authentication attempts
An Administrator changes the type of
authenticator, e.g., from a password X X X
to a biometric
LOCAL DATA ENTRY
All security-relevant data that is
X X X
entered in the system
REMOTE DATA ENTRY
All security-relevant messages that
X X X
are received by the system
DATA EXPORT AND OUTPUT
All successful and unsuccessful
requests for confidential and X X X
security-relevant information
KEY GENERATION
Whenever the Component generates
a key (not mandatory for single
X X X
session or one-time use symmetric
keys)
PRIVATE KEY LOAD AND STORAGE
The loading of Component private
X X X
keys
All access to certificate subject
Private Keys retained within the CA X N/A N/A
for key recovery purposes
TRUSTED PUBLIC KEY ENTRY, DELETION AND STORAGE
All changes to the trusted Component
Public Keys, including X X X
additions and deletions
PRIVATE AND SECRET KEY EXPORT
The export of private and secret keys
(keys used for a single session or X X X
message are excluded)
CERTIFICATE REGISTRATION
Audit logs shall be reviewed monthly. Such reviews involve verifying that the log has not been
tampered with, and then briefly inspecting all log entries with a more thorough investigation of
any alerts or irregularities in the log. Examples of irregularities include discontinuities in the logs
and loss of audit data. Actions taken as a result of these reviews shall be documented.
5.4.3. Retention Period for Audit Log
Audit logs shall be retained onsite for at least two months as well as being retained in the manner
described Section 5.5.2.
5.4.4. Protection of Audit Logs
The Ethiopian PKI system configuration and procedures should be implemented together to
ensure that:
1. Only authorized people have read access to the logs;
Audit logs and audit summaries shall be backed up at least monthly. A copy of the audit shall be
sent off-site on a monthly basis.
5.4.6. Audit Collection System (internal vs. external)
The audit log collection system may or may not be external to the CA, Repository Service
Provider, Timestamp Service Provider or Registration Authority. Audit processes should be
invoked at system startup, and cease only at system shutdown. Should it become apparent that an
automated audit system has failed, and the integrity of the system or confidentiality of the
information protected by the system is at risk, then the CA should determine whether to suspend
its operation until the problem is remedied.
5.4.7. Notification to Event-Causing Subject
This CP imposes no requirement to provide notice that an event was audited to the individual,
organization, device, or application that caused the event.
5.4.8. Vulnerability Assessments
The CA shall assess the vulnerability of its system or its components annually. A routine
assessment of the CA’s system shall be performed regularly for evidence of any malicious
activity.
5.5. Records Archival
CA, Repository Service Provider, Timestamp Service Provider and RA archive records should be
sufficiently detailed to establish the proper operation of the component or the validity of any
certificate (including those revoked or expired) issued by the CA.
The minimum retention periods for archive data shall be ten (10) years.
If the original media cannot retain the data for the required period, a mechanism to periodically
transfer the archived data to new media should be defined by the archive site. Applications
required processing the archive data should also be maintained for the minimum retention period
specified above.
5.5.3. Protection of Archive
No unauthorized user shall be permitted to write to, modify, or delete the archive. For the
SubCA, archived records may be moved to another medium. The contents of the archive shall not
be released except in accordance with Sections 9.3 and 9.4. Records of individual transactions
may be released upon request of any subscribers involved in the transaction or their legally
Archive files shall be backed up along with the security audit logs. Paper archives shall be
backed up to long-term storage media. The Sub-CA’s CPS shall specify the details of which
media type issued, the frequency and other procedural details. The CPS shall also specify how
archive backup files are managed.
Ethiopian PKI Sub-CA archive records shall be automatically time-stamped as they are created.
The CPS shall describe how system clocks used for time-stamping are maintained in compliance
with applicable time standard.
5.5.6. Archive Collection System (internal or external)
Procedures detailing how to create, verify, package, and transmit archive information should be
published in the applicable CPS.
5.6. Key Changeover
To minimize risk from compromise of a Sub-CA’s private signing key, that key may be changed
often; from that time on, only the new key should be used for certificate signing purposes. The
older, but still valid, certificate will be available to verify old signatures until all of the
certificates signed using the associated private key have also expired. If the old private key is
used to sign CRLs, then the old key should be retained and protected.
The following table provides the life times for certificates and associated private keys.
4. Any incident preventing the Sub-CA from issuing a CRL within 24 hours of the time
specified in the next update field of its currently valid CRL. A Sub-CA shall reestablish
capability to issue CRL as quickly as possible.
If Sub-CA equipment is damaged or rendered inoperative, but the Sub-CA signature keys are not
destroyed, Sub-CA operation shall be reestablished as quickly as possible, giving priority to the
ability to generate certificate status information. The integrity of the system shall be ensured at
all times as Sub-CA equipment/systems are restored to operation.
5.7.3. Entity Private Key Compromise Procedures
1. The Root CA should be securely notified at the earliest feasible time so that the Sub-CA
certificate can be revoked;
2. A Sub-CA key pair should be generated by the Sub-CA in accordance with procedures set
forth in the applicable CPS;
3. New Sub-CA certificates should be requested in accordance with the initial registration
process set elsewhere in this CP;
4. If the Sub-CA can obtain accurate information on the certificates it has issued and that are
still valid (i.e., not expired or revoked), the Sub-CA may re-issue (i.e., renew) those
certificates with the not After date in the certificate as in original certificates; and
5. If the Sub-CA is the Root Certificate Authority, it should provide the Subscribers the new
trust anchor using secure means.
The Sub-CA should also investigate what caused the compromise or loss, and what measures
must be taken to preclude recurrence.
If a Repository Service Provider and Timestamp Service Provider keys are compromised, all
certificates issued to the Repository Service Provider and Timestamp Service Provider should be
revoked, if applicable. The Repository Service Provider and Timestamp Service Provider will
generate new key pairs and request new certificate(s), if applicable.
5.7.4. Business Continuity Capabilities after a Disaster
In the case of a disaster whereby the Sub-CA installation is physically damaged and all copies of
the Sub-CA signature key are destroyed as a result, the Root CA shall be securely notified as
soon as practical and take whatever action it deems appropriate. Relying Parties may decide of
their own volition whether to continue to use certificates signed with the destroyed private key
In the event of termination of a Sub-CA or RA, the entity should request all certificates issued to
it be revoked.
A Sub-CA or RAshould archive all audit logs and other records prior to termination.
Cryptographic keying material for certificates issued by the Sub-CA shall be generated in
FIPS140-1/2 validated cryptographic modules. For the Sub-CA, the modules shall meet or
exceed Security Level 3. The Sub-CAs must document their key generation procedure in their
CPSs, and generate auditable evidence that the documented procedures were followed. The
documentation of the procedure must be detailed enough to show that appropriate role separation
was used. The process shall be validated by an independent third party.
6.1.2. Private Key Delivery to Subscriber
The Sub-CA should generate their own key pair and therefore do not need private key delivery.
Sub-CA shall retain the copy of subscribers‟ encryption key or shall have key recovery system.
Sub-CA shall not retain or hold copy of private key used to sign digital signature.
Where key pairs are generated by the Subscriber, the public key and the Subscriber‟s identity
should be delivered securely to the Sub-CA for certificate issuance. The delivery mechanism
should bind the Subscriber‟s verified identity to the public key. If cryptography is used to
achieve this binding, it should be at least as strong as the Sub-CA keys used to sign the
certificate.
6.1.4. Sub-CA Public Key Delivery to Relying Parties
The public key of a trust anchor should be provided to the subscribers acting as relying parties in
a secure manner so that the trust anchor is not vulnerable to modification or substitution.
Acceptable methods for delivery of trust anchor include but are not limited to:
1. The Sub-CA loading a trust anchor onto tokens delivered to subscribers via secure
mechanisms;
Public key parameters prescribed in the Digital Signature Standard (DSS) shall be generated in
accordance with FIPS 186-4.
Parameter quality checking (including primarily testing for prime numbers) shall be performed in
accordance with FIPS 186-4 or a more stringent test if specified by the Root CA.
6.1.7. Key Usage Purposes (as per X.509 v3 key usage field)
The Sub-CA and subscriber certificates include key usage extension fields to specify the purposes
for which the certificate may be used and also to technically limit the functionality of the
certificate when used with X.509v3compliant software. Reliance on key usage extension fields is
dependent on correct software implementations of the X.509 version 3 standard and is outside of
All CAs must implement a combination of physical, logical, and procedural controls
to ensure the security protection and prevent the loss, damage, disclosure, modification or
unauthorized use of their private keys.
6.2.1. Cryptographic Module Standards and Controls
For key pair generation and Sub-CA private key storage, the Root CA uses hardware
cryptographic modules that are rated at Federal Information Processing Standard (FIPS) 140-2
Level 3.For the Sub-CAs key pair generation and private key storage use hardware cryptographic
modules that, at a minimum, are rated at FIPS 140-2 Level 3.Hardware tokens for key pair
generation and private key storage of end-user Subscribers shall, at a minimum, be rated at FIPS
140-2 Level 1.
6.2.2. Private Key (m out of n) Multi-Person Control
All the Sub-CAs must implement technical and procedural mechanisms that require the
participation of multiple trusted individuals to perform sensitive Sub-CA cryptographic
operations. A threshold number of Secret Shares (m) out of the total number of Secret Shares
created and distributed for a particular hardware cryptographic module (n) is required to activate
a Sub-CA private key stored on the module.
The threshold number of shares needed for key generation is 3 of 10 (where m=3 and n=10)
signing key activation is 3 of 10 and private key backup and restore is 3 of 10. Re-activation of
the backed-up Sub-CA private keys requires the same multi-person participation as when
performing other sensitive Sub-CA private key operations.
6.2.3. Private Key Escrow
The end entity private keys used solely for decryption should be escrowed prior to the generation
of the corresponding certificates.
The private keys of the Sub-CAs are stored in encrypted state and access is only by multi-person
control as specified in Section 6.2.2 (Private Key (m out of n) Multi-person Control) of this CP.
Backup copy of the Sub-CAs private keys are created for routine recovery and disaster recovery
purposes. The Sub-CAs private keys are copied to backup hardware cryptographic modules in
accordance with this CPS.
All the Sub-CAs do not store copies of subscriber private keys. Subscribers are solely responsible
for backup of their private keys. For the backup of subscriber private keys, subscribers may
choose to back up their keys to their hard drive.
6.2.5. Private Key Archival
When all the Sub-CAs key pairs reach the end of their validity period, such Sub-CAs key pairs
will be archived for a period of at least 10 years. Archived Sub-CAs key pairs will be securely
stored using offline media. Procedural controls will prevent archived Sub-CAs key pairs from
being returned to production use. Upon the end of the archive period, the archived Sub-CAs
private keys will be securely destroyed.
The Ethiopian PKI does not archive copies of subscriber signature private keys.
All the Sub-CAs generate key pairs on the hardware cryptographic modules in which the keys
will be used. In addition, copies of such Sub-CAs key pairs for routine recovery and disaster
recovery purposes are made. Where Sub-CAs key pairs are backed up to another hardware
cryptographic module, such key pairs are transported between modules in encrypted form.
The cryptographic module may store Private Keys in any form as long as the keys are not
accessible without authentication mechanism that is in compliance with FIPS 140-2 rating of the
cryptographic module.
6.2.8. Method of Activating Private Key
The user must be authenticated to the cryptographic module before the activation of any private
key(s). Acceptable means of authentication include but are not limited to pass-phrases, Personal
The Sub-CAs private keys are deactivated upon stopping of the Sub-CA system software. The
RA private keys (used for authentication to the RA application) are deactivated upon system log
off. RAs are required to log off their workstations when leaving their work area. A and end-user
Subscriber private keys may be deactivated after each operation, upon logging off their system or
upon removal of hardware token or software token depending upon the authentication
mechanism employed by the user. In all cases, end-user subscribers have an obligation to
adequately protect their private keys in accordance with this CP.
6.2.10. Method of Destroying Private Key
The HSM device and associated backup are “zerotized” or re-initialized according to the
specifications of the hardware manufacturer. This overwrites all of the data on the device. In
cases when this zeroization procedure fails, the Ethiopian PKI will physically destroy the device
to remove the ability to extract any private key.
6.2.10.1. Cryptographic Module Rating
All CA‟s and subscribers‟ public keys are archived as part of the certificate archival.
The Ethiopian PKI activates the cryptographic module containing its Sub-CAs‟ private keys
according to the specifications of the hardware manufacturer and the Key Ceremony Script. This
Activation data for HSM devices are protected as described in Section 6.2.2 (Private Key (n out
of m) Multi-Person Control). Sub-CA and RA are required to store their administrator private
keys in encrypted form using hardware token with strong password protection. The Ethiopian
PKI recommends that subscribers store their private keys in encrypted form and protect their
private keys through the use of a hardware token and/or strong passphrase.
6.4.3. Other Aspects of Activation Data
Sub-CAs, Repository Service Providers, and Timestamp Service Providers should change the
activation data whenever the token is re-keyed or returned from maintenance.
6.5. Computer Security Controls
All computers able to access the Sub-CA environment shall be protected by a combination of
operating system, software and physical safeguards. All RAs that are accredited should comply
with all the rules and guidelines stated in the accreditation.
6.5.1. Specific Computer Security Technical Requirements
The Ethiopian PKI ensures that the systems maintaining the Sub-CA software and data files are
secure from unauthorized access. All computers that are part of the Sub-CA system shall be
configured and hardened using industry best practices. All operating systems shall require
identification and authentication for authenticated logins. It shall provide discretionary access
control, access control restrictions to services based on authenticated identity, security audit
capability and a protected audit record for shared resources, self-protection, and process
The Sub-CAs production network is logically separated from other components. This separation
prevents network access except through defined application processes. The Ethiopian PKI uses
firewalls to protect the production network from external intrusion and limit the nature and
source of network activities that may access production systems.
Direct access to the Sub-CA databases supporting the Sub-CA operation is limited to the
database administrator duly authorized for such access.
6.5.2. Computer Security Rating
No Stipulation.
The System Development Controls for the Sub-CA, Repository Service Provider, and Timestamp
Service Provider are as follows:
1. The Sub-CA shall use software that has been designed and developed under a
development methodology
2. The Sub-CA shall use COTS Sub-CA software that meets FIPS requirements.
The configuration of the CA, Repository Service Provider, and Timestamp Service Provider
system as well as any modifications and upgrades should be documented and controlled. There
should be a mechanism for detecting unauthorized modification to the CA, Repository Service
Provider, and Timestamp Service Provider software or configuration. A formal configuration
management methodology should be used for installation and ongoing maintenance of the CA
system. The CA, Repository Service Provider, and Timestamp Service Provider software, when
first loaded, should be verified as being that supplied from the vendor, with no modifications,
and be the version intended for use.
6.6.3. Life Cycle Security Controls
No stipulation.
The Ethiopian PKI system is protected by firewalls. The Root CA is offline and not reachable
from the network. Firewalls and boundary control devices are configured to allow access only by
the addresses, port, protocols and commands required for the provision of PKI services by such
systems.
The Sub-CA equipment is configured with minimum number of services and all unused network
ports and services are disabled. All firewall configuration changes are documented, authorized,
tested and implemented in accordance with change management policies and procedures.
Network configuration is available for review by its auditors and consultants under an
appropriate non-disclosure agreement.
6.8. Time-Stamping
All Sub-CA, Repository Service Provider, and Timestamp Service Provider components shall
regularly synchronize with a reliable time service. Time derived from the time service shall be
used for establishing the time of:
• OCSP responses
Asserted times shall be accurate to within three minutes. Electronic or manual procedures may be
used to maintain system time. Clock adjustments are auditable events as listed in Section
5.4.1.
The CPS related to this CP defined in detail the actual format of certificates issued by the CA.
Certificates issued by the CA shall conform to the Ethiopian PKI X.509 Certificate and CRL
Extensions Profile as well as the Electronic Signature Proclamation No. 1072/2018.
7.1.1. Version Number(s)
X.509 v3 extensions are supported and used as indicated in the Certificates profiles as described
in the present document.
7.1.3. Algorithm Object Identifiers
Algorithms OID are conforming to IETF RFC 3279 and RFC 5280.
Name forms are in the X.500 distinguished name form as implemented in RFC 3739.
CAs are technically unconstrained and are subject for full audit as specified in Section 8 of this
CP.
7.1.6. Certificate Policy Object Identifier
Certificate policy object identifiers are used as per RFC 3739. The OIDs used by CAs are listed
in Section 1.2.
7.1.7. Usage of Policy Constraints Extension
Usage of Policy Constraints extension is supported as per RFC 5280. CAs follow Section 7.1.6
No stipulation.
No stipulation.
The CAs and its subordinates issue X.509 Version 2 CRLs in accordance with IETF PKIX RFC
5280.
7.2.2. CRL and CRL entry extensions
The CAs and Subscriber Certificates include the CRLDistributionPoints extension containing the
URL of the location where a Relying Party can obtain a CRL to check the CAs‟ Certificates
statuses.
OCSP (Online Certificate Status Protocol) is a way to obtain timely information about the
revocation status of a particular certificate. The Sub-CA‟s OCSP functionality is built according
to RFC 6960.
The Sub-CA provides uninterrupted on-line certificate status protocol OCSP support which is a
real time certificate status inquiry. By this service, when appropriate certificate status inquiries
are received, the status of certificates and additional information as required by the protocol are
returned to the inquirer as the response.
Sub-CA‟s OCSP profile description is available as in the naming and profile (published in
repository http://govsubca.epki.gov.et /repository)
An annual audit is performed by an independent external auditor to assess CAs’ compliance with
standards set forth by the CA/Browser Forum.
More than one compliance audit per year is possible if this is requested by the audited party or is
a result of unsatisfactory results of a previous audit. Material exceptions or deficiencies
identified during an audit will result in a determination of actions to be taken. This determination
is made by the independent auditor with input from the CA. The CA is responsible for
developing and implementing a corrective action plan.
The audit requirement shall be performed by a qualified independent assessment team organized
by INSA comprising, but not limited to, the following:
a) Certified Public Accountants; and
All shall possess sufficient knowledge on digital signatures, digital certificates, Internet X.509
version 3 PKI Certificate Policy, Certification Practices Framework, the Electronic Signature
Proclamation No. 1072/2018, the Computer Crime Offence Proclamation, the Telecom Fraud
Proclamation, the National Information Security Policy among others.
Any member of the assessment team and the firms or companies the member is affiliated with
shall have no conflict of interest with the Ethiopian PKI CA being assessed and shall not be a
software or hardware vendor that is or has been providing services or supplying equipment to the
Ethiopian PKI CA within the last two (2) years.
The compliance audit verifies that the operational and technical controls used by the CA
operations personnel, including all RA and any other PKI or entity satisfy all requirements of
this CP including all the following topics:
• Identification & Authentication
• CPS Administration
When the compliance auditor finds a discrepancy between how the CA is designed or is operated
or maintained, as compared to the requirements of this CP and/or applicable CPS, the following
actions shall be performed:
• the compliance auditor shall document the discrepancy;
• Suspend operation
If a deficiency is identified, INSA will determine which of the following actions to take.
The compliance auditor will communicate results of all compliance audits to INSA through a
Compliance Audit Report letter. This report letter shall document the versions of the CP and
9.1. Fees
Any person who wants to engage as certificate provider may lodge application to the Root CA
for the issuance of license by filling the form prescribed by the Root CA and pay a prescribed
license fee. The Sub-CA shall submit an application for a replacement license accompanied by
all documents as may be required by the Root CA together with the prescribed fee.
9.1.1. Certificate Issuance and Renewal Fees
Any certificate provider that submits an application for issuance or renewal of license in
accordance with the Electronic Signature Proclamation No. 1072/2018 shall provide necessary
documents as may be required and pay prescribed fee upon approval of the application.
9.1.2. Certificate Access Fees
CAs may set any reasonable fees for any other services such as access to archive records or key
recovery.
9.1.5. Refund Policy
Sub-CAs may, but are not required to, have a documented refund process.
CAs shall also maintain reasonable levels of insurance coverage to address all foreseeable
liability obligations to PKI Participants described in Section 1.2 of this CP.
9.2.2. Other Assets
Sub-CAs may, but are not required, to offer protection to end entities that extends beyond the
protections provided in this CP. Any such protection shall be offered at commercially reasonable
rates.
9.3. Confidentiality of Business Information
CAs information not requiring protection may be made publicly available, subject to the
stipulations of this CP and other applicable laws.
9.3.1. Scope of Confidential Information
Each Subscriber‟s private signing key is confidential to that Subscriber. The Sub-CA and RA are
not provided any access to those keys. Information held in audit logs and the archives is
considered confidential to the Sub-CAs and is not released to external parties, unless required by
law. Personal information held by the RA, other than that which is explicitly published as part of
a certificate, CRL, this CP or the CPS is considered confidential to the Ethiopian PKI and is not
released unless required by law. Information stored on the RA workstation or Sub-CAs server is
protected by password. The RA keeps paper information (e.g., registration forms) in a locked
container when the RA is not present.
9.3.2. Information not within the Scope of Confidential Information
The Root CA shall have responsibility to ensure that controls exist to protect the confidential
information in section 9.3.1.
CAs information not requiring protection may be made publicly available, subject to the
stipulations of this CP and other applicable laws.
9.4.1. Privacy Plan
All Ethiopian CAs and/or RAs have Privacy Plans that will always protect personally identifying
information from unauthorized disclosure.
9.4.2. Information Treated as Private
Any information about subscribers that is not publicly available through the content of the issued
certificate and online CRLs is treated as private.
9.4.3. Information Not Deemed Private
All Ethiopian CAs and RAs shall secure all private information they receive from compromise
and disclosure to unauthorized parties and shall comply with applicable laws in line with data
privacy.
9.4.5. Notice and Consent to Use Private Information
There are no requirements for the CA to provide notice or obtain consent to use the information
provided by Subscribers and applicants for certificates.
9.4.6. Disclosure Pursuant to Judicial or Administrative Process
No stipulation.
All Intellectual Property Rights in this CP are owned by INSA. All Intellectual Property Rights
in any CPS of a Sub-CA may be claimed by that Sub-CA.
9.5.3. Property Rights in Names
The Certificate Applicant may claim all rights, if any, in any trademark, service mark, or trade
name of the Certificate Applicant contained in any Application.
9.5.4. Property Rights in Keys
Sub-CAs may claim property rights to the keys they use (e.g., Sub-CA key pair, OCSP
Responder key pair, time-stamp service provider key pair, repository service provider key pair,
etc.) Subject to any agreements between a Sub-CA and its customers, ownership of and property
rights in key pairs corresponding to Certificates of Subscribers shall be specified in the
applicable CPS.
9.6. Representations and Warranties
The CA shall make certificates and CRLs available in a repository for subscribers, PKI
administrators and Relying Parties use. The CA does not disclaim any responsibilities required
under this CP. The CA may use a variety of mechanisms for posting information into a
repository as required by this CP. These mechanisms at a minimum shall include:
• All CAs certificates and CRLs shall be placed into a X.500 Directory Server System that
is publicly accessible through the Lightweight Directory Access Protocol (LDAP);
• All CAs‟ certificates and CRLs shall also be available and publicly accessible via the
The RA will abide by all obligations and all stipulations defined in this CP. The RA shall ensure
that the cryptographic module shall not left unattended once the private key is activated, in order
to ensure that unauthorized access to the private key does not occur. RA‟s shall conform to the
stipulations of this CP including:
• Maintaining RA operations in conformance with this CP;
• Including only valid and appropriate information in certificate requests, and maintaining
evidence that due diligence was exercised in validating the information contained in the
certificate;
A Subscriber shall be required to sign a document (e.g., a subscriber agreement) containing the
requirements the Subscriber shall meet respecting protection of the private key and use of the
certificate before being issued the certificate.
In signing the document described above, each Subscriber shall agree to the following:
1. Subscriber shall accurately represent itself in all communications with the PKI
authorities.
2. The data contained in any certificates issued to Subscriber is accurate.
3. The Subscriber shall protect its private keys at all times, in accordance with this policy,
as stipulated in their certificate acceptance agreements, and local procedures.
4. The Subscriber lawfully holds the private key corresponding to public key identified in
the Subscriber‟s certificate.
5. The Subscriber will abide by all the terms, conditions, and restrictions levied on the use
of their private keys and certificates.
6. Subscriber shall promptly notify the appropriate CA upon suspicion of loss or
compromise of their private keys. Such notification shall be made directly or indirectly
through mechanisms consistent with the CA‟s.
9.6.4. Relying Party Representations and Warranties
Parties who rely upon the certificates issued under a policy defined in this document shall:
1. Use the certificate for the purpose for which it was issued, as indicated in the certificate
information (e.g., the key usage extension);
3. Strictly follow all the detailed standards and requirements given by INSA;
4. Strictly abide by the laws and regulations released in relation to what they do;
9.7. Disclaimers of Warranties
To the extent permitted by applicable law and any other related agreements, CAs may disclaim
all warranties (other than any express warranties contained in such agreements or set forth in the
CA‟s).
A Sub-CA or RA shall not be liable for any damages to subscribers, relying parties or any other
b. Expired;
c. Used for unauthorized purposes (for purposes not specified in the Electronic Signature
d. Tampered with;
e. Compromised; or
9.9. Indemnities
Subscribers and relying parties shall agree to indemnify and hold a CA or RA free from any
claims, actions or demands that are caused by the use or publication of a certificate and that
arises from:
a. Any false or misleading statement of fact by the subscriber;
b. Any failure by the subscriber to disclose a material fact, if such omission was made
negligibly or with the intent to deceive;
c. Any failure on the part of the subscriber to protect its private key and/or token if
applicable or to take the precautions necessary to prevent the compromise, disclosure,
loss, modifications or unauthorized use of the subscriber‟s private key; or
d. Any failure on the part of the subscribe to promptly notify the CA or RA of the
compromise, disclosure, loss, modification or unauthorized use of the subscriber‟s
private key once the subscriber has actual or constructive notice of such event.
9.10. Term and Termination
9.10.1. Term
This CP becomes effective upon ratification by INSA. Amendments to this CP become effective
upon ratification by INSA and publication at http://www.insa.gov.et
This CPS shall remain in force until it is amended or replaced by a new version.
Upon termination of this CP, CAs are bound by its terms for all certificates issued for the
remainder of the validity periods of such certificates.
9.11. Individual Notices and Communications with Participants
The Root CA, Sub-CAs, Subscribers, Relying Parties and other participants will use
commercially reasonable methods to communicate with each other.
9.12. Amendments
INSA shall review this at least once every year. Additional reviews may be made at any time at
the discretion of INSA. INSA can recommend amendments or corrections to this CP; such
modifications shall be circulated to the CAs. Comments from the CAs shall be collected and
adjudicated by INSA. INSA shall use commercially reasonable efforts to immediately notify
CAs of changes.
9.12.2. Notification Mechanism and Period
Errors and anticipated changes to this CP resulting from reviews are published online at
http://www.insa.gov.et. The most up to date copy of the CP can be found at http://www.gov.et.
This CP and any subsequent changes shall be made publicly available within seven days of
approval.
9.12.3. Circumstances under Which OID Must be changed
If INSA determines that a change is necessary in the OID corresponding to a Certificate policy,
the amendment shall contain new OIDs for the CPs corresponding to each such Certificate.
Otherwise, amendments shall not require a change in CP OID.
9.13. Dispute Resolution Provisions
Parties are required to notify the Root CA and attempt to resolve disputes directly with the Root
The terms and provisions of this CP shall be interpreted under and governed by applicable
Federal laws of Ethiopia.
9.15. Compliance with Applicable Law
This CP and/or the related CPS and the applicable Subscriber Terms and Conditions represent
the entire agreement between any Subscriber or Relying Party and INSA and shall supersede any
and all prior understandings and representations pertaining to its subject matter. In the event,
however, of a conflict between this CP and/or the related CPS and any other express agreement
between a Subscriber or Relying Party with the Root CA with respect to a Certificate, including
but not limited to a Subscriber Terms and Conditions, such other agreement shall take
precedence.
9.16.2. Assignment
Entities operating under this CP and/or the related CPSs cannot assign their rights or obligations
without the prior written consent of the Root CA.
9.16.3. Severability
If any provision of this CP and/or the related CPS, including limitation of liability clauses, is
found to be invalid or unenforceable, the remainder of this CP and/or the related CPS will be
interpreted in such a way as to realize the original intention of the parties. Each and every
provision of this CP and/or the related CPS that provides for a limitation of liability is intended
to be severable and independent of any other provision and is to be enforced as such.
The waiver or failure to exercise any right provided for in this CP and/or in the related CPS shall
not be deemed a waiver of any further or future right under this CP and/or the related CPS.
9.16.5. Force Majeure
The Ethiopian PKI accepts no liability for any breach of warranty, delay or failure in
performance that results from events beyond its control such as, but not limited to, the following:
a) Acts of God;
a. Acts of War;
b. Acts of Terrorism;
c. Epidemics;
e. Earthquake;
f. Flood;
g. Fire; or
No stipulation.
Authority Key Identifier Mandatory Non critical Issuing CA Subject Key Identifier
Subject Key Identifier Mandatory Non critical Subject Key Identifier
Key usage Mandatory Critical digitalSignature, nonrepudiation
Certificate policies Mandatory Non critical Policy OID, Policy Qualifier
Subject Alternative Name Optional Non critical E=username@domain.com
Basic Constraints Optional Non critical Subject Type=End Entity Path Length Constraint=None
Extended Key Usage Optional Non critical emailProtection
CRL Distribution Points Mandatory Non critical URL pointing to CRL Distribution
Authority Information Access Mandatory Non critical OCSP locator URL, URL pointing to CA Issuer Certificate
X.509 V3 extensions
Mandatory Non critical Issuing CA Subject Key Identifier
Authority Key Identifier
Subject Key Identifier Mandatory Non critical Subject Key Identifier
Key usage Mandatory Critical Keyencipherment; dataencipherment
Certificate policies Mandatory Non critical Policy OID, Policy Qualifier
Subject Alternative Name Optional Non critical E=username@domain.com
Basic Constraints Optional Non critical Subject Type=End Entity Path Length Constraint=None
Extended Key Usage Optional Non critical emailProtection
CRL Distribution Points Mandatory Non critical URL pointing to CRL Distribution
Authority Information Access Mandatory Non critical OCSP locator URL, URL pointing to CA Issuer Certificate
Authority Key Identifier Mandatory Non critical Issuing CA Subject Key Identifier
Subject Key Identifier Mandatory Non critical Subject Key Identifier
Key usage Mandatory Critical digitalSignature, nonrepudiation
Certificate policies Mandatory Non critical Policy OID, Policy Qualifier
Subject Alternative Name Optional Non critical E=username@organization_domain.com
Basic Constraints Optional Non critical Subject Type=End Entity Path Length Constraint=None
Extended Key Usage Optional Non critical emailProtection
CRL Distribution Points Mandatory Non critical URL pointing to CRL Distribution
OCSP locator URL,
Authority Information Access Mandatory Non critical
URL pointing to CA Issuer Certificate
A.7 SSL Certificate Profile
Mandatory/ Critical/
Field Note
Optional Non critical
Version Version 3
Serial Number Minimum 8 Bytes, Maximum 20 Bytes
Issuer Signature Algorithm SHA256WithRSA
CN= Certificate Provider Name, O=Organization,
Issuer Distinguished Name
OU=Organizational Unit, ST=Name of State, C=ET
Validity Period Generalized Time (2 Years)
CN=Fully Qualified Domain Name (FQDN)
OU=Organization Unit Name
Subject Distinguished Name O=Organization Name
ST=Name of State
C=ET
Subject Public Key Information RSA 2048
X.509 V3 extensions
Authority Key Identifier Mandatory Non critical Issuing CA Subject Key Identifier
Subject Key Identifier Mandatory Non critical Subject Key Identifier
Key usage Mandatory Critical digitalSignature, keyEncipherment
Certificate policies Mandatory Non critical Policy OID, Policy Qualifier
Subject Alternative Name Optional Non critical dnsName(s) for server, IP address of the server
Basic Constraints Optional Non critical Subject Type=End Entity Path Length Constraint=None
Extended Key Usage Mandatory Critical serverAuth, clientAuth
CRL Distribution Points Mandatory Non critical URL pointing to CRL Distribution
Authority Information Access Mandatory Non critical OCSP locator URL, URL pointing to CA Issuer Certificate
Mandatory/ Critical/
Field Note
Optional Non critical
Version Version 3
Serial Number Minimum 8 Bytes, Maximum 20 Bytes
Issuer Signature Algorithm SHA256WithRSA
CN= Certificate Provider Name, O=Organization,
Issuer Distinguished Name
OU=Organizational Unit, ST=Name of State, C=ET
Validity Period Generalized Time (2 Years)
Subject Distinguished Name CN=unique identifier
Subject Public Key Information RSA 2048
X.509 V3 extensions
Authority Key Identifier Mandatory Non critical Issuing CA Subject Key Identifier
Subject Key Identifier Mandatory Non critical Subject Key Identifier
Key usage Mandatory Critical digitalSignature, keyEncipherment,dataEncipherment
Certificate policies Mandatory Non critical Policy OID, Policy Qualifier
Basic Constraints Optional Non critical Subject Type=End Entity, Path Length Constraint=None
Extended Key Usage Optional Non critical serverAuth, clientAuth
CRL Distribution Points Mandatory Non critical URL pointing to CRL Distribution
Authority Information Access Mandatory Non critical OCSP locator URL, URL pointing to CA Issuer Certificate
Authority Key Identifier Mandatory Non critical Issuing CA Subject Key Identifier
Subject Key Identifier Mandatory Non critical Subject Key Identifier
Key usage Mandatory Critical digitalSignature
Certificate policies Mandatory Non critical Policy OID, Policy Qualifier
Extended Key Usage Mandatory Critical timestamping
CRL Distribution Points Mandatory Non critical URL pointing to CRL Distribution
Authority Information Access Mandatory Non critical OCSP locator URL, URL pointing to CA Issuer Certificate
Authority Key Identifier Mandatory Non critical Issuing CA Subject Key Identifier
Subject Key Identifier Mandatory Non critical Subject Key Identifier
Key usage Mandatory Critical digitalSignature
Certificate policies Mandatory Non critical Policy OID, Policy Qualifier
Basic Constraints Optional Non critical Subject Type=End Entity, Path Length Constraint=None
Extended Key Usage Mandatory Non critical codeSigning
CRL Distribution Points Mandatory Non critical URL pointing to CRL Distribution
Authority Information Access Mandatory Non critical OCSP locator URL, URL pointing to CA Issuer Certificate
Authority Key Identifier Mandatory Non critical Issuing CA Subject Key Identifier
Subject Key Identifier Mandatory Non critical Subject Key Identifier
Key usage Mandatory Critical digitalSignature
Certificate policies Mandatory Non critical Policy OID, Policy Qualifier
Basic Constraints Optional Non critical Subject Type=End Entity,Path Length Constraint=None
Authority Key Identifier Mandatory Non critical Issuing CA Subject Key Identifier
Subject Key Identifier Mandatory Non critical Subject Key Identifier
Key usage Mandatory Critical digitalSignature,nonRepudiation
Certificate policies Mandatory Non critical Policy OID, Policy Qualifier
Basic Constraints Optional Non critical Subject Type=End Entity,Path Length Constraint=None
Extended Key Usage Optional Non critical MSFT Document Signer, Adobe Document Signer
CRL Distribution Points Mandatory Non critical URL pointing to CRL Distribution
Authority Information Access Mandatory Non critical OCSP locator URL, URL pointing to CA Issuer Certificate
Critical/
Field Non Note
critical
Version Version 2
Issuer Signature Algorithm SHA256WithRSA
Issuer Distinguished Name CN= National Root CA, O=INSA, ST=Name of State, C=ET
thisUpdate Generalized Time
nextUpdate Generalized Time
Revoked certificates list
Field Note
Version V1 (0)
Requester Name DN of the requestor (required)
Request List List of certificates as specified in RFC 2560
Request Extension Value
None None
Request Entry Extension Value
None None