Compliance-in-a-Box - Audit-ready PKI documentation templates including CP/CPS, Key Ceremony, Naming Guide, and Quick-Start

Your Auditor Just Asked for a CP/CPS. Now What?

Compliance-in-a-Box gives you audit-ready PKI documentation templates with the operational guidance that RFC 3647 forgot to include.

Instant download. 4 professional templates. Remove the guidance boxes and make it yours.

Most Organizations Running Internal CAs Have Zero Documented Governance

The research is clear — and the consequences are getting worse.

  • 60% of organizations have no comprehensive strategy for managing cryptography and machine identities (Keyfactor/Ponemon 2021)
  • 71% don't know how many keys and certificates they have (Keyfactor/Ponemon 2019)
  • 81K+ internally trusted certificates managed by the average organization (Keyfactor 2024 PKI Report)
  • Only ⅓ have a mature cryptographic center of excellence (Keyfactor/Ponemon 2021)

If you're running Microsoft ADCS, EJBCA, AWS Private CA, or any internal Certificate Authority, you're issuing certificates that your users, devices, and systems depend on. Wi-Fi authentication. VPN access. Code signing. Smart card login. Internal TLS.

Microsoft's own PKI documentation acknowledges it is "quite common to delay creating a CP/CPS until after some CAs are already deployed." Translation: most enterprise PKI deployments are running without the governance documentation that auditors, regulators, and security best practices require.

A Certificate Policy (CP) and Certificate Practice Statement (CPS) aren't just for public CAs like DigiCert or Let's Encrypt. If your organization operates any Certificate Authority, you need documented governance — and the RFC 3647 framework gives you the structure to build it.

Who Needs This

Enterprise PKI Operators

Running ADCS, EJBCA, or any private CA without documented policies means no governance, no accountability, no audit trail.

Financial Services

PCI DSS and banking regulators expect documented cryptographic key management procedures. Your internal CA's CPS is where those controls live.

Healthcare

Using certificates for EHR authentication or clinical systems? HIPAA security audits expect documented practices governing those credentials.

Government & Contractors

Federal PKI requires CPS documentation. NIST SP 800-57 mandates key management policy for any organization using cryptography.

Organizations Facing Audits

SOC 2, ISO 27001, WebTrust — auditors expect RFC 3647-structured documentation. Walking in without a CP/CPS means audit findings.

IoT Manufacturers

Issuing device certificates at scale? Documented issuance, revocation, and key management is how you prove your supply chain is trustworthy.

Sources: Keyfactor/Ponemon Institute (2019, 2021), Keyfactor/Vanson Bourne 2024 PKI & Digital Trust Report, Microsoft Learn PKI documentation, AWS Private CA Best Practices.

The clock is ticking on PKI documentation.

The CA/Browser Forum has voted to reduce maximum public certificate lifetimes:

  • March 2026: 200-day maximum certificate lifetime
  • March 2027: 100-day maximum certificate lifetime
  • March 2029: 47-day maximum certificate lifetime

Shorter certificates mean more automation, more frequent renewals, and more documentation requirements. Organizations with documented PKI programs will adapt. Those running on tribal knowledge will scramble.

If you don't have a CP/CPS in place, the time to build that foundation is before shorter lifetimes expose every gap.

The PKI Documentation Problem

The RFC Approach

RFC 3647 gives you an 80-page framework written by committee in IETF prose. It tells you what sections to include but not what to actually write. Most people open it, feel their eyes glaze over, and close it.

The AI Approach

You could prompt ChatGPT to "write me a CP/CPS." It will produce something that looks right but contains generic advice no practitioner has validated. You won't know what's wrong until an auditor tells you.

The Consultant Approach

You could hire a PKI consultant to write it for you. Budget $15,000–$30,000 and 2–3 months. For a Fortune 500 with a complex multi-CA hierarchy, that makes sense. For everyone else, it's overkill.

Compliance-in-a-Box is the middle ground: practitioner-validated templates with opinionated operational guidance, at a price that doesn't require a purchase order.

What You Get

CP/CPS Template

Certificate Policy & Certification Practice Statement

  • Complete RFC 3647 framework — all 9 sections, ~100 subsections
  • Red bracketed placeholders showing exactly what to fill in
  • Teal guidance boxes with operational advice: what auditors flag, what breaks at 2 AM, what decisions you'll regret in 3 years
  • Pre-built tables for key sizes, certificate lifetimes, and document metadata

Key Ceremony Script

Root CA Key Generation Ceremony Procedure

  • Step-by-step numbered procedure with checkbox format
  • Pre-ceremony checklist, equipment list, and role assignments
  • Verification checkpoints at every critical gate
  • Key Share Holder log, Certificate Verification Record, and Exception Log
  • HSM command reference appendix (Thales Luna, Entrust nShield, Microsoft ADCS, OpenSSL)

Naming Convention Guide

PKI Naming Quick Reference

  • Naming patterns for CAs, TLS certs, user certs, device certs, and infrastructure URLs
  • Good and bad examples with explanations of WHY each bad example causes problems
  • ADCS-specific configuration commands for CDP and AIA URLs
  • Master quick reference table (the "tape to your monitor" page)
  • Fill-in-the-blank worksheet for your organization

Quick-Start Guide

Your "Open This First" Roadmap

  • Recommended order of operations across 3 phases (3–4 weeks)
  • Time estimates for each task (15–25 hours total)
  • Four common starting scenarios with different priority orders
  • Natural guidance toward FixMyCert's additional services when you need more help

This Is What Makes It Worth $497

Real operational guidance embedded throughout every document.

From CP/CPS, Section 1

"This section sets the stage. Auditors read this first to understand scope, and they will hold you to what you write here. The most common mistake: writing aspirational language about what you plan to do instead of what you actually do today. If your Root CA is an ADCS server under someone's desk (it happens), do not describe a hardened offline facility. Write what is true, then fix the gaps."

From CP/CPS, Section 4 — ACME

"Do the math: if you have 500 TLS certificates and each manual renewal takes 30 minutes, that is 250 hours per cycle. At 47-day lifetimes, that is roughly 2,000 hours per year — a full-time person doing nothing but renewals. ACME reduces this to zero ongoing effort after initial setup."

From Naming Convention Guide — CDP

"ALWAYS use a dedicated DNS alias (pki.acme.com, crl.acme.com) for CDP and AIA URLs, never the CA server's hostname. This DNS alias can be pointed to any web server, load balancer, or CDN. When you migrate to a new server, you update the DNS record and every existing certificate still works."
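The alias rule above applied to an ADCS issuing CA, as an added example that is not part of the Naming Convention Guide or this page: a .cmd batch script using certutil's standard CA\CRLPublicationURLs and CA\CACertPublicationURLs registry values, with the weak hostname-based URL shown beside the alias-based one. It assumes an elevated cmd.exe on the CA and uses the page's pki.acme.com alias as a placeholder for your own.

```batch
@echo off
rem Added example, not the product's own guide text. Save as a .cmd file and run elevated
rem on the issuing CA. %%3, %%8, %%9, %%1 and %%4 are certutil's documented replacement
rem tokens (CA name, CRL suffix, delta-CRL flag, server DNS name, certificate index).

rem Weak pattern the guide warns against: the CA host's own name baked into every cert.
rem   2:http://ca01.acme.com/CertEnroll/%%3%%8%%9.crl
rem Every certificate issued with that URL breaks when the server is renamed or retired.

rem Corrected CDP: publish the CRL locally (flag 1) and embed only the alias URL in
rem issued certificates (flag 2). Add flags 4 and 64 if you also publish delta CRLs.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://pki.acme.com/pki/%%3%%8%%9.crl"

rem Corrected AIA: publish the CA certificate locally (flag 1) and embed only the alias
rem URL in issued certificates (flag 2).
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://pki.acme.com/pki/%%1_%%3%%4.crt"

rem Restart the CA service so new issuances pick up the extensions, then publish a CRL.
net stop certsvc && net start certsvc
certutil -crl

rem Verify: the "2:" entries must name only the alias, never a server hostname.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
```

The web server (or load balancer) behind pki.acme.com must serve the files that land in CertEnroll; the alias is what lets you move that server later without reissuing a single certificate.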

35 guidance boxes across 4 documents. Each one contains advice that would take you months of operational experience to learn the hard way.

Know Where the Landmines Are Before You Start Writing

Sections 3, 4, and 6 account for the majority of audit findings.

Risk     | Section                               | Key Warning
CRITICAL | 3. Identification & Authentication    | DCV reuse dropping to 10 days by March 2029
CRITICAL | 4. Certificate Lifecycle Operations   | SC-081 deadlines. #1 audit finding industry-wide
CRITICAL | 6. Technical Security Controls        | Algorithm choices last decades. PQC planning needed now
HIGH     | 5. Facility & Operational Controls    | Orgs have controls but can't prove it
HIGH     | 8. Compliance Audit                   | Vague language here undermines entire document

The full CP/CPS template includes a color-coded Section Danger Map with detailed guidance for every section.

Built For the People Who Build PKI — and the People Who Approve the Budget

If you're the one doing the work

  • The PKI Admin who just got told "we need documentation before the audit"
  • The Security Engineer building a new CA hierarchy and doing it right the first time
  • The DevOps Lead whose team manages certificates but has zero governance documentation
  • The Consultant who needs a professional starting point for client PKI engagements

If someone just forwarded you this link

  • The IT Director who needs to show the auditor documented PKI governance and doesn't have six months to build it from scratch
  • The CISO who knows the PKI has gaps but needs a pragmatic starting point — not a $30K consulting engagement
  • The Compliance Manager who keeps getting asked "where's the certificate policy?" and needs a real answer this quarter
  • The Engineering Manager whose direct report just said "I found exactly what we need" — this is why

$497 is below most corporate purchasing thresholds. No PO required. No procurement cycle. Expense it and move on.

One Package. Everything You Need.

$497

One-time purchase. Instant download.

  • CP/CPS Template (RFC 3647 compliant)
  • Key Ceremony Script (step-by-step with HSM commands)
  • Naming Convention Guide (with ADCS configuration)
  • Quick-Start Guide (3-phase implementation roadmap)
  • Word format (.docx) — edit in Word, Google Docs, or LibreOffice
  • Lifetime access to purchased version

Secure checkout via Stripe. Download link delivered instantly.

Need More Than Templates?

Compliance-in-a-Box (you are here)

$497

For teams that can DIY with a head start

  • 4 professional templates
  • Operational guidance built in
  • Self-paced implementation

90-Day Readiness Sprint

$1,500

For teams that want expert eyes on their PKI

  • Everything in Compliance-in-a-Box
  • 60-minute discovery call
  • Red / Yellow / Green gap assessment
  • Prioritized remediation roadmap

enterprise@fixmycert.com

FixMyCert Enterprise

Custom

For organizations that need a branded compliance portal

  • Multi-tenant platform with your branding
  • Full FixMyCert content library customized
  • Admin panels and team management

enterprise@fixmycert.com


Not ready to buy? Preview Section 1 free.

See the CP/CPS template quality and guidance boxes before you commit.

Stop Staring at a Blank Document

Your auditor isn't going to wait. Get audit-ready PKI documentation today.

Secure checkout via Stripe. Instant download after purchase.