# Policy and Governance

Policy and governance provide the structural and assurance framework that ensures certificates and cryptographic keys are issued, managed, and used in a secure, compliant, and auditable way. As certificates become central to identity, access control, and Zero Trust security models, strong governance isn't optional - it defines *who can issue trust, under what conditions, and with what level of assurance*.

#### Certificate Policies (CP) and Certification Practice Statements (CPS)

Two foundational documents underpin certificate governance:

**Certificate Policy (CP)**

A CP defines *what* assurance level a certificate provides and *for what purpose* it may be used. It sets out requirements like identity validation strength, key protection expectations, certificate usage constraints, and lifecycle rules. Think of it as the contract that tells relying parties what they're trusting.

**Certification Practice Statement (CPS)**

A CPS describes *how* a Certificate Authority implements and enforces the requirements in the CP. It documents operational practices including identity verification, key management, certificate issuance, revocation, audits, and incident handling.

Together, CP and CPS create transparency and trust by clearly stating the rules under which certificates are issued and managed.

#### Governance in WebTrust and Audited Environments

Publicly trusted Certificate Authorities operate within independently audited environments to ensure compliance with global trust standards.

WebTrust Audits cover:

- WebTrust for Certification Authorities
- WebTrust for CA – Extended Validation
- WebTrust for TLS Baseline Requirements
- WebTrust for S/MIME Baseline Requirements
- WebTrust for Code Signing
- WebTrust for Network Security

These audits verify that the CA's operations align with its CP/CPS, CA/Browser Forum requirements, and strong security controls across issuance, revocation, and infrastructure management.

ETSI Audits are particularly relevant for CAs operating in European and regulated environments:

- ETSI EN 319 411-1 (Policy and Security Requirements for Trust Service Providers Issuing Certificates, Part 1: General Requirements)
- ETSI EN 319 411-2 (Part 2: Requirements for Trust Service Providers Issuing EU Qualified Certificates)
- ETSI EN 319 401 (General Policy Requirements for Trust Service Providers, which the 319 411 series builds on)

ETSI audits matter especially for Qualified Trust Service Providers (QTSPs) operating under the eIDAS framework, and they serve as an alternative or complementary assurance model to WebTrust. Browser and operating system root programs generally require a current WebTrust or ETSI audit as a condition of trust store inclusion.

The tricky part here is that governance in audited environments extends well beyond technology - it reaches into documented processes, role separation, incident response, infrastructure security, logging, and continuous compliance monitoring. That's a significant operational commitment.

#### Policy and Governance in CERTInext

CERTInext operationalizes certificate governance by translating policy requirements into enforceable, automated controls across the certificate lifecycle. Key governance capabilities include:

Policy Enforcement - Certificate profiles aligned with CP/CPS requirements control allowed algorithms, key sizes, validity periods, and usage constraints. For instance, if your CP prohibits 1024-bit RSA keys, the profile simply won't issue them.
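The Policy Enforcement capability above comes down to a profile check that runs before anything is signed. The following Go program is an added example written for this page, not CERTInext's code or its profile schema: it encodes a hypothetical TLS-server profile (RSA of at least 2048 bits, P-256 or P-384 only, at most 398 days, serverAuth EKU required) as a struct and runs constructed CSRs through it using only the standard library's crypto/x509. The Profile field names, the TLSServerProfile values, the key kinds accepted by NewCSR and the sample hostname app.example.internal are all assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"slices"
	"time"
)

// Profile turns CP/CPS rules into machine-checkable limits (field names are assumptions for this example).
type Profile struct {
	MinRSABits    int
	AllowedCurves map[string]bool    // by curve name, e.g. "P-256"
	MaxValidity   time.Duration
	RequiredEKU   []x509.ExtKeyUsage // each of these must appear in the issued certificate
}

// TLSServerProfile is a hypothetical TLS-server profile: RSA >= 2048 bits, P-256/P-384 only, at most 398 days.
var TLSServerProfile = Profile{
	MinRSABits:    2048,
	AllowedCurves: map[string]bool{"P-256": true, "P-384": true},
	MaxValidity:   398 * 24 * time.Hour,
	RequiredEKU:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
}

// Validate checks the applicant's CSR (key type, size, proof of possession) and the CA's issuance
// template (validity, EKU) against the profile. It returns every violation; an empty slice means issuable.
func (p Profile) Validate(csr *x509.CertificateRequest, tmpl *x509.Certificate) []string {
	var v []string
	if err := csr.CheckSignature(); err != nil { // applicant must hold the matching private key
		v = append(v, "CSR signature invalid: "+err.Error())
	}
	switch pub := csr.PublicKey.(type) {
	case *rsa.PublicKey:
		if bits := pub.N.BitLen(); bits < p.MinRSABits {
			v = append(v, fmt.Sprintf("RSA key is %d bits, profile requires at least %d", bits, p.MinRSABits))
		}
	case *ecdsa.PublicKey:
		if name := pub.Curve.Params().Name; !p.AllowedCurves[name] {
			v = append(v, fmt.Sprintf("curve %s is not permitted by profile", name))
		}
	default: // Ed25519, DSA, anything else the profile does not list
		v = append(v, fmt.Sprintf("key type %T is not permitted by profile", pub))
	}
	if life := tmpl.NotAfter.Sub(tmpl.NotBefore); life > p.MaxValidity {
		v = append(v, fmt.Sprintf("validity %s exceeds profile maximum %s", life, p.MaxValidity))
	}
	for _, e := range p.RequiredEKU {
		if !slices.Contains(tmpl.ExtKeyUsage, e) {
			v = append(v, fmt.Sprintf("required extended key usage %d is missing", e))
		}
	}
	return v
}

// NewCSR generates a sample applicant key ("rsa-1024" or "p-256") and returns its parsed CSR:
// constructed input for this example, not a real request.
func NewCSR(kind, san string) (*x509.CertificateRequest, error) {
	var key crypto.Signer
	var err error
	switch kind {
	case "rsa-1024":
		key, err = rsa.GenerateKey(rand.Reader, 1024)
	case "p-256":
		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	default:
		return nil, fmt.Errorf("unknown key kind %q", kind)
	}
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{DNSNames: []string{san}}, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// ServerTemplate is the issuance template a CA would hand to x509.CreateCertificate.
func ServerTemplate(days int) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{NotBefore: now, NotAfter: now.Add(time.Duration(days) * 24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}

func main() {
	for _, c := range []struct{ kind string; days int }{{"rsa-1024", 365}, {"p-256", 365}, {"p-256", 3 * 365}} {
		csr, err := NewCSR(c.kind, "app.example.internal")
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-8s %4d days -> %v\n", c.kind, c.days, TLSServerProfile.Validate(csr, ServerTemplate(c.days)))
	}
}
```

Running it prints one line per scenario: the 1024-bit RSA request is refused with a key-size violation, the one-year P-256 request returns no violations, and the three-year P-256 request is refused on validity. Two design points carry over to a real CA: the check runs against the parsed CSR and the issuance template, the exact objects later handed to x509.CreateCertificate, so nothing can be issued that was not checked; and CheckSignature proves the applicant holds the private key before any policy question is asked.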

Role-Based Access and Approval Workflows - Separation of duties is enforced through role-based access control (RBAC) and configurable approval flows for certificate requests and lifecycle actions. Not everyone who can view a certificate can revoke one.

Audit Trails and Accountability - Detailed logs capture certificate issuance, renewal, revocation, approvals, and administrative actions. This supports both internal investigations and external audits.

Trust Domain Governance - You can manage and govern certificates across public trust (including WebTrust-audited public CAs) and private trust environments from a single platform.

Compliance Readiness - Centralized visibility, reporting, and evidence aligned with security and compliance frameworks mean you're not scrambling to collect evidence when an audit arrives.

#### Why Policy and Governance Matter

Without strong governance, certificate environments fragment. Inconsistency creeps in. Trust failures, outages, and regulatory non-compliance follow. Policy-driven governance ensures that certificates are issued only for approved purposes, cryptographic standards stay current, trust anchors and CAs are used appropriately, and every action leaves an auditable trail.


