Certificate tools

CPS Builder

Answer a few questions and generate an RFC 3647-structured Certification Practice Statement template

1
2
3
4
5
6

Organization

Step 1 of 6

What is a CPS?

A Certification Practice Statement is the operational rulebook of a certificate authority: it tells subscribers, relying parties, and auditors exactly how the CA validates identities, issues and revokes certificates, and protects its keys. It sits alongside — and is often confused with — the Certificate Policy.

CP vs. CPS

A Certificate Policy (CP) states what requirements a certificate must satisfy to be fit for a purpose. A CPS states how a specific CA actually implements those requirements in its day-to-day operations. One CP can be implemented by many CAs, each with its own CPS.

Why the RFC 3647 outline?

RFC 3647 defines a fixed 9-section framework that virtually every CP and CPS follows. Because the numbering is identical across documents, auditors and relying parties can compare two CAs section-by-section. That is also why sections that do not apply say "No stipulation." instead of being deleted.

Who needs one?

Not just public CAs. Internal PKIs benefit from a CPS as the reference for operations and incident response; partners integrating with your PKI will ask for it before trusting your root; and any WebTrust, ETSI, or internal audit will use it as the yardstick your practices are measured against.