What is a CPS? Certificate Practice Statement Explained

The 30-Second Version

A Certificate Practice Statement (CPS) is a public document that describes exactly how a Certificate Authority operates: how they verify identities, issue certificates, handle revocation, and protect their infrastructure. Every public CA is required to publish one. You've probably never read yours. After Entrust, maybe you should.

But here's what most people miss: CPS documents aren't just for public CAs. If your organization runs any internal Certificate Authority — Microsoft ADCS, EJBCA, AWS Private CA, or anything else — you should have one too.

Watch the Video

What is a CPS?

A Certificate Practice Statement is a detailed document that describes:

Howa CA verifies certificate requests
Whatprocedures they follow for issuance
Whenand how they revoke certificates
Wherethey store keys and how they protect them
Whois responsible for what

Think of it as the CA's operating manual—made public so anyone can verify they're following the rules.

Key Point: Every publicly-trusted CA must publish a CPS. It's not optional. Browser root programs require it. But increasingly, compliance frameworks and audit standards expect the same documentation from enterprise PKI operators too.

CPS vs Certificate Policy (CP)

These terms get confused constantly. Here's the difference:

Document	What It Answers	Who Writes It	Analogy
Certificate Policy (CP)	"What are the rules?"	CA/Browser Forum, root programs, or your organization	The law
Certificate Practice Statement (CPS)	"How do we follow the rules?"	Each individual CA (public or private)	How we comply

Example:

CP (Baseline Requirements): "CAs must revoke compromised certificates within 24 hours"
CPS (Sectigo): "Sectigo will revoke within 24 hours using our internal ticketing system, verified by two operators..."

The CP sets requirements. The CPS explains how a specific CA meets those requirements.

Does Your Organization Need a CPS?

Most people assume CPS documents are only for public CAs like DigiCert or Let's Encrypt. That's wrong. If your organization operates any Certificate Authority — including internal ones — you should have a CP/CPS.

Who Needs CP/CPS Documentation

Enterprise PKI operators

If you're running Microsoft ADCS, EJBCA, or any private CA, you're issuing certificates that people and systems rely on. Without documented policies, there's no governance, no accountability, and no audit trail.

Organizations seeking compliance certifications

WebTrust, ETSI, SOC 2, and ISO 27001 auditors all expect documented certificate policies. Walking into an audit without a CP/CPS is walking in unprepared.

Federal agencies and government contractors

The Federal PKI requires CPS documentation that describes how each CP requirement is fulfilled. NIST SP 800-57 Part 2 explicitly states that any organization employing cryptography needs key management policy and practices documentation.

Healthcare organizations

HIPAA doesn't specifically mandate a CPS, but if you're using certificates for authentication, encryption, or digital signatures in healthcare systems, documented practices are expected during security audits.

Financial services

PCI DSS and banking regulators expect documented controls around cryptographic key management. Your internal CA's CPS is where those controls live.

IoT manufacturers

If you're issuing device certificates at scale, documented issuance, revocation, and key management procedures aren't optional — they're how you demonstrate your supply chain is trustworthy.

The Numbers Tell the Story

The gap between "should have PKI governance" and "actually has it" is staggering:

60%

of organizations either have no strategy for managing cryptography and machine identities (18%) or only a limited strategy applied to certain use cases (42%)

71%

of organizations don't know how many keys and certificates they have

74%

of organizations say digital certificates have caused unanticipated downtime or outages

1 in 3

organizations report having a mature cryptographic center of excellence to support enterprise-wide strategy

45%

have sufficient staff dedicated to PKI deployment

81K+

internally trusted certificates managed by the average organization

Sources: Keyfactor/Ponemon Institute (2019, 2021), Keyfactor 2024 PKI & Digital Trust Report

Microsoft's own PKI documentation confirms the problem, acknowledging that it is "quite common to delay creating a CP/CPS until after some CAs are already deployed in the environment" and calling out "a common error for organizations during PKI solutions deployment is the lack of PKI governance or oversight."

Even AWS recommends in their Private CA best practices that organizations document their CA operations in CP and CPS documents following the RFC 3647 framework.

Translation: Most organizations running internal CAs are operating without the governance documentation that auditors, regulators, and security best practices require.

Ready to fix your PKI governance gap?

Our Compliance-in-a-Box package includes four PKI compliance document templates — Certificate Policy, Certificate Practice Statement, Key Ceremony Script, and Audit Checklist — all structured per RFC 3647 and ready to customize for your organization. Stop going into audits empty-handed.

The RFC 3647 Framework

All CPS documents follow the same structure, defined by RFC 3647. This makes them comparable across CAs — whether public or private, cloud-hosted or on-premises.

Section	What It Covers	Why You Care
1. Introduction	Scope, participants, certificate types	What certificates this CPS covers
2. Publication & Repositories	Where to find CRLs, OCSP, certificates	Troubleshooting revocation issues
3. Identification & Authentication	How they verify you own a domain/org	Understanding validation requirements
4. Certificate Lifecycle ⭐	Issuance, renewal, revocation procedures	Your rights and obligations
5. Facility & Management Controls	Physical security, personnel	CA's operational security
6. Technical Security Controls	Key management, algorithms, HSMs	Cryptographic standards
7. Certificate & CRL Profiles	What's in the certificates they issue	Technical certificate details
8. Compliance Audit	Who audits them and how often	CA accountability
9. Other Business & Legal	Warranties, liability, disputes	What happens when things go wrong

Pro tip: If you only read one section, make it Section 4 (Certificate Lifecycle). It covers issuance, renewal, and revocation—the stuff that directly affects you.

For enterprise PKI operators: The beauty of RFC 3647 is that it works for any CA. You don't need to invent a structure from scratch — the framework gives you a complete outline of everything your CP/CPS should cover.

Key Sections Every Certificate Buyer Should Read

You don't need to read all 100+ pages. Focus on these:

Section 3.2: Validation Procedures

How does your CA verify domain ownership? Understanding this helps when validation fails.

Common DCV Methods:

• Email to admin@, webmaster@, hostmaster@, postmaster@
• DNS TXT record with random value
• HTTP file at /.well-known/pki-validation/
• CNAME record pointing to CA

Section 4.9: Revocation

When can/must your CA revoke your certificate? Key timelines:

Scenario	Required Timeframe
Key compromise	Within 24 hours
Certificate obtained by fraud	Within 24 hours
CA discovers mis-issuance	Within 24 hours
Subscriber requests revocation	Within 24 hours
Subscriber breaches agreement	Within 5 days
Domain validation no longer valid	Within 5 days

Your CA can revoke your certificate without your permission if they discover compliance issues.

Section 9.6: Subscriber Obligations

What you agreed to (whether you read it or not):

• Private key has never been compromised or shared
• All certificate information is accurate
• You'll notify CA immediately of any key compromise
• You won't use the certificate for prohibited purposes
• You'll stop using it immediately upon revocation or expiration

Section 9.7-9.8: Warranties and Liability

What your CA is (and isn't) responsible for:

CAs typically warrant:

• Certificate info was verified per their CPS
• Certificate complies with Baseline Requirements
• Revocation services will be available

CAs typically DON'T warrant:

• That your software correctly validates certs
• That you'll use the certificate properly
• Anything about your infrastructure

Liability is usually capped at the certificate purchase price or a fixed amount. Don't expect to sue your CA for millions if something goes wrong.

How CPS Relates to CA/Browser Forum Requirements

The hierarchy works like this:

Browser Root Programs (Chrome, Mozilla, Apple, Microsoft)

↓ require compliance with

CA/Browser Forum Baseline Requirements

↓ which CAs implement via

Certificate Practice Statement (CPS)

↓ which governs

Your Certificate

Key insight: The Baseline Requirements are the minimum. A CA's CPS can be stricter, but never more lenient. If a CA's CPS contradicts the Baseline Requirements, the BRs win.

Where to Find Your CA's CPS

Every CA publishes their CPS. Common locations:

CA	CPS Location
DigiCert	digicert.com/legal-repository
Sectigo	sectigo.com/legal
Let's Encrypt	letsencrypt.org/repository
GlobalSign	globalsign.com/repository
Entrust	entrust.com/legal-compliance
GoDaddy	godaddy.com/legal/agreements

Pro tip: Most CAs embed a link to their CPS in the certificate itself, in the "Certificate Policies" extension. This URL points to the exact CPS version that governed that certificate's issuance.

What Happens When CAs Violate Their CPS

This is where it gets real. CAs that don't follow their CPS (or the Baseline Requirements) face consequences:

Browser Response Options

Warning - CA must explain and remediate
Reduced trust - Shorter certificate validity, additional audits
Partial distrust - New certificates not trusted
Full distrust - CA removed from root stores

Recent Examples

CA	Year	What Happened	Consequence
Entrust	2024	Pattern of compliance failures, 26K+ mis-issued EV certs	Distrusted by Chrome, Safari, Firefox
Symantec	2017	Mass mis-issuance, poor controls	Sold PKI business to DigiCert
WoSign/StartCom	2016	Backdated certificates, lied to auditors	Fully distrusted
DigiNotar	2011	Hacked, issued fake Google certs	Bankrupt within weeks

The lesson: CPS compliance isn't optional. Browsers enforce it, and they don't hesitate to remove CAs that can't follow the rules.

→ See our PKI Disasters Hall of Fame for the full stories

Why This Matters for Your Organization

1. Know Your Obligations

You agreed to subscriber obligations when you bought your certificate. Violating them (even accidentally) gives your CA grounds to revoke.

2. Understand Revocation Risk

Your CA can revoke certificates for compliance reasons with minimal notice. If you're not monitoring, you might not know until users start seeing errors.

3. Evaluate CA Risk

A CA with frequent CCADB incidents is a CA at risk of distrust. Reading their CPS (and watching their incident history) helps you assess this risk.

4. Plan for CA Transitions

Understanding that all CPS documents follow RFC 3647 means switching CAs is easier—the structure is the same, even if details differ.

5. Document Your Own PKI Governance

If you're operating internal CAs, the same RFC 3647 framework that governs public CAs applies to you. The research is clear:

• 71% of organizations don't know how many certificates they have
• 56% have experienced outages from certificate expiration or misconfiguration
• Only 45% have sufficient staff dedicated to PKI

These aren't just numbers — they're symptoms of missing governance. A CP/CPS forces you to answer the hard questions: Who can issue certificates? What happens when a key is compromised? How do you handle revocation?

What is a Certificate Practice Statement (CPS)?