Key pairs for the CESNET CA are generated exclusively by authorized CESNET CA personnel acting in the role of CA.
End entities' key pairs are always generated by the end entity's own application during the request process. They are never generated or stored by the CESNET CA.
Private keys are never delivered to subscribers. End entities are required to generate their own key pairs.
The CESNET CA SHALL accept certificate requests in any of the following formats:
PKCS#10 request format (see RFC 2314).
PEM-encoded certificate request (see RFC 1424).
Netscape Signed Public Key And Challenge (SPKAC) format.
The preferred transport method for certification requests is SSL-protected HTTP (HTTPS).
CA public keys are published in the CESNET CA certificate repository and on the CESNET CA WWW site (see Section 2.6).
The CESNET CA uses the RSA public key algorithm.
The CA private key MUST be of 2048 bit key size.
The RA private key MUST be of 2048 bit key size.
All other private keys MUST be of at least 1024 bit key size.
Public key parameters are generated by the relevant applications.
The CESNET CA does not require checking of the quality of the public key parameters beyond the algorithm and key-size requirements stated above.
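The following is an added example, not code from CESNET CA: it builds a PKCS#10 request the way a subscriber application would (key pair generated locally, private key never sent) and then applies the checks a CA or RA operator would run against the request formats and RSA key-size rules stated above: the request parses, its self-signature proves possession of the private key, the key is RSA, and the modulus meets the minimum for the role. It assumes the `cryptography` Python package; the role names and the `MIN_KEY_BITS` table are this example's own encoding of the rules in the text, and the exponent sanity check goes slightly beyond what the CPS requires.

```python
# Added example (not CESNET CA's own code). Assumes the 'cryptography' package.
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Minimum RSA modulus length per role, as stated in the CPS (names are this example's).
MIN_KEY_BITS = {"ca": 2048, "ra": 2048, "end-entity": 1024}


def generate_request(common_name: str, key_bits: int = 2048):
    """Subscriber side: generate the key pair locally and self-sign a PKCS#10.

    Only the PEM-encoded request is transmitted; the private key stays with the caller.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .sign(key, hashes.SHA256())
    )
    return key, csr.public_bytes(serialization.Encoding.PEM)


def check_request(csr_pem: bytes, role: str = "end-entity") -> list:
    """CA/RA side: return the list of policy violations (empty list = acceptable)."""
    problems = []
    try:
        csr = x509.load_pem_x509_csr(csr_pem)
    except ValueError as exc:
        return [f"not a parseable PEM PKCS#10 request: {exc}"]

    # Proof of possession: the request must verify under the public key it carries.
    if not csr.is_signature_valid:
        problems.append("self-signature does not verify (no proof of possession)")

    pub = csr.public_key()
    if not isinstance(pub, rsa.RSAPublicKey):
        problems.append(f"public key is {type(pub).__name__}; the CESNET CA uses RSA only")
        return problems

    required = MIN_KEY_BITS[role]
    if pub.key_size < required:
        problems.append(f"RSA modulus is {pub.key_size} bits; role {role} requires at least {required}")

    # Cheap parameter sanity check the CPS does not mandate but a CA should still do:
    # an even or very small public exponent is a malformed or weak key.
    e = pub.public_numbers().e
    if e % 2 == 0 or e < 65537:
        problems.append(f"small or even RSA public exponent {e}")
    return problems


def corrupt_signature(csr_pem: bytes) -> bytes:
    """Constructed negative case: flip the last bit of the DER signature so the
    request still parses but proof of possession fails."""
    der = bytearray(x509.load_pem_x509_csr(csr_pem).public_bytes(serialization.Encoding.DER))
    der[-1] ^= 0x01  # the signature BIT STRING is the last element of the CSR
    return x509.load_der_x509_csr(bytes(der)).public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    _, good = generate_request("host.example.cesnet.cz")
    print("2048-bit request as end entity:", check_request(good) or "OK")
    _, weak = generate_request("weak.example.cesnet.cz", key_bits=1024)
    print("1024-bit request as end entity:", check_request(weak) or "OK")
    print("1024-bit request as CA:", check_request(weak, role="ca"))
    print("tampered request:", check_request(corrupt_signature(good)))
```

A 1024-bit request is accepted for an end entity but rejected for the CA or RA role, and a request whose signature has been altered in transit is rejected even though it parses, which is the property the proof-of-possession signature exists for.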
The CESNET CA keys are generated in software.
Subscribers' keys MAY be generated in software or hardware.
The X.509 v3 keyUsage extension field is set according to the requirements stated in the relevant CP.
The CESNET CA does not claim that the cryptographic module used is compliant with any pre-determined standard.
The CESNET CA does not use multi-person control of keys.
The CESNET CA private keys are not placed in escrow. The CESNET CA also does not accept escrow copies of other parties' keys.
The CESNET CA private keys are backed up. The backup copies are encrypted with 3DES or AES and stored securely off-site.
The CESNET CA private keys are archived on encrypted media.
All private keys managed by the CESNET CA are only stored in encrypted form.
Every activation of a CESNET CA private key MUST require entry of activation data (a passphrase). The passphrase MUST be known to authorized CESNET CA personnel only.
Cryptographic modules which have been activated MUST NOT be left unattended. They MUST be deactivated after use, e.g. by logging out.
The CESNET CA private keys are archived. After the retention period (see Section 4.6.2) the archive media SHALL be destroyed.
Private keys stored on magnetic disk are destroyed by overwriting the key files (overwriting in place is reliable only on magnetic media; on flash-based storage, wear levelling may leave the old blocks intact).
Public keys are archived as part of the certificate archival.
The validity period for issued certificates is set according to the requirements stated in the relevant CP.
The passphrases used by the CESNET CA are at least 15 characters long.
The CESNET CA passphrases MUST be known to authorized CESNET CA personnel only. The passphrases MUST be used only in a physically secure environment.
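As an added example (not CESNET CA's own code) of the storage and activation rules above: a CA private key is written to disk only as an encrypted PKCS#8 PEM, activation means presenting the passphrase to decrypt it, a passphrase shorter than the 15-character minimum is refused, and a wrong passphrase yields no key. It assumes the `cryptography` Python package; `MIN_PASSPHRASE_LEN` mirrors the rule in the text, and the wrapping cipher is whatever the library's `BestAvailableEncryption` selects (AES-256-CBC under PBES2 in current releases), which falls within the "3DES or AES" statement for backups.

```python
# Added example (not CESNET CA's own code). Assumes the 'cryptography' package.
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

MIN_PASSPHRASE_LEN = 15  # the CPS requires CA passphrases of at least 15 characters


def generate_ca_key():
    """CA key generated in software, 2048-bit RSA as the CPS requires."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def store_encrypted(private_key, passphrase: bytes) -> bytes:
    """Serialize the key for disk. Refuses weak activation data so an unencrypted or
    trivially protected copy can never be written."""
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        raise ValueError(f"passphrase must be at least {MIN_PASSPHRASE_LEN} characters")
    return private_key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.BestAvailableEncryption(passphrase),
    )


def is_encrypted_at_rest(pem: bytes) -> bool:
    """True only if the PEM is an encrypted PKCS#8 blob that cannot be loaded
    without activation data."""
    if b"-----BEGIN ENCRYPTED PRIVATE KEY-----" not in pem:
        return False
    try:
        serialization.load_pem_private_key(pem, password=None)
    except TypeError:  # "Password was not given but private key is encrypted"
        return True
    return False


def activate(encrypted_pem: bytes, passphrase: bytes):
    """Activation: return the usable key object for correct activation data,
    None for a wrong passphrase (never raise details to the caller)."""
    try:
        return serialization.load_pem_private_key(encrypted_pem, password=passphrase)
    except (ValueError, TypeError):
        return None


if __name__ == "__main__":
    key = generate_ca_key()
    passphrase = b"correct horse battery staple"  # constructed sample, 28 characters
    blob = store_encrypted(key, passphrase)
    print("encrypted at rest:", is_encrypted_at_rest(blob))
    print("activation with correct passphrase:", activate(blob, passphrase) is not None)
    print("activation with wrong passphrase:", activate(blob, b"wrong passphrase here") is not None)
```

The deactivation step in the text corresponds to dropping the key object returned by `activate` (and logging out), so the decrypted key exists only in the memory of an attended session.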
No stipulation.
The CESNET CA computer system MUST satisfy the following requirements:
The CESNET CA is run on a dedicated computer system.
Only the software needed to perform the CA tasks is installed on the system.
Access to the operating system and the CA software is allowed only to the authorized CESNET CA personnel.
Physical access to the system is allowed only to the authorized CESNET CA personnel.
All security related events are audited.
The desired functionality MAY be provided by the operating system, the CA software, physical protection, or a combination of these.
No formal computer security rating is required.
The development of the CESNET CA software is carried out in a controlled, secure environment.
The production and development environments are completely separated.
The logs, the configuration files and the entire file system of the CESNET CA computer systems are regularly checked.
No formal life cycle security rating is required.
The CESNET CA computer system SHALL always be kept off-line.
No stipulation.