Certificate Policy (CP)
Alliance for Empowerment Inc. — Multi-Organization PKI — RFC 3647 Framework
- Document ID
- A4E-PKI-CP-001
- Version
- 1.0 — Production Release
- Effective Date
- 2026-05-01
- Review Date
- 2027-05-01
- Classification
- Public (Internal Network)
- Policy Authority
- Brian Vicente, Network Coordinator
- OID Arc
- 1.3.6.1.4.1.65571
- Hosted At
- http://10.0.1.232/pki/docs/cp.html
ℹ
This CP is structured per RFC 3647 and aligned with NIST SP 800-57 Rev.6, NIST SP 800-131A Rev.3, FIPS 203/204/205, SP 800-232, ISC2 CCSP Domain 3, CompTIA Security+/CySA+, CA/Browser Forum BR, and ITU-T X.690 ASN.1 DER encoding rules. The PKI is currently an internal trust hierarchy; the path to public trust is described in Section 11.
1. Introduction
1.1 Overview
This Certificate Policy (CP) defines the rules, assurance levels, and obligations governing the Alliance for Empowerment Multi-Organization PKI. It covers all certificates issued to, or on behalf of, Alliance for Empowerment Inc. (Alliance), Able-2 Enhancing Potential Inc. (Able-2), and Capabilities Inc. (Capabilities). The PKI operates as a private, internal three-tier hierarchy. One offline Root CA serves as the single trust anchor. Three Enterprise Issuing CAs operate online, one per organization. step-ca instances serve as Registration Authorities (RAs) and hold no CA private keys.
1.2 Policy OID Identification
| Policy | OID | Scope | CPS URL |
|---|
| Multi-Org Root Policy | 1.3.6.1.4.1.65571.2.1 | All three orgs | pki.alliance.internal/cps/multi-org-cps.html |
| Alliance Policy | 1.3.6.1.4.1.65571.2.2 | Alliance for Empowerment | pki.alliance.internal/cps/alliance-cps.html |
| Able-2 Policy | 1.3.6.1.4.1.65571.2.3 | Able-2 Enhancing Potential | pki.able2.internal/cps/able2-cps.html |
| Capabilities Policy | 1.3.6.1.4.1.65571.2.4 | Capabilities Inc. | pki.capabilities.internal/cps/capabilities-cps.html |
1.3 PKI Participants
| Role | Host | IP | Org |
|---|
| Offline Root CA | PKI-ROOT | 10.0.1.244 | Shared (air-gapped) |
| Alliance Issuing CA | PKI-ALLIANCE | 10.0.1.246 | Alliance |
| Able-2 Issuing CA | PKI-ABLE2 | 10.0.1.6 | Able-2 |
| Capabilities Issuing CA | PKI-CAPE | 10.0.1.249 | Capabilities |
| Alliance RA (step-ca) | step-alliance.alliance.internal | 10.0.1.247 | Alliance |
| Able-2 RA (step-ca) | step-able2.able2.internal | 10.0.1.9 | Able-2 |
| Capabilities RA (step-ca) | step-cape.capabilities.internal | 10.0.1.250 | Capabilities |
| PKI Web / CRL / OCSP / Docs | the-orc | 10.0.1.232 | Shared |
| Alliance DC | alliance-dc01.alliance.internal | 10.0.1.245 | Alliance |
| Able-2 DC | able2-dc01.able2.internal | 10.0.1.5 | Able-2 |
| Capabilities DC | cape-dc01.capabilities.internal | 10.0.1.248 | Capabilities |
1.4 Certificate Usage
| Certificate Type | EKU OID | Permitted Use |
|---|
| TLS Server | 1.3.6.1.5.5.7.3.1 | HTTPS, LDAPS, RDP, internal services |
| TLS Client | 1.3.6.1.5.5.7.3.2 | VPN, 802.1X, user auth, device auth |
| S/MIME | 1.3.6.1.5.5.7.3.4 | Email signing and encryption |
| Code Signing | 1.3.6.1.5.5.7.3.3 | Internal scripts, PowerShell, applications |
| OCSP Signing | 1.3.6.1.5.5.7.3.9 | OCSP responder on the-orc |
| Smart Card Logon | 1.3.6.1.4.1.311.20.2.2 | Windows domain authentication |
| 802.1X / Wi-Fi | 1.3.6.1.5.5.7.3.1+.3.2 | UniFi WPA2-Enterprise |
| Device Identity | 1.3.6.1.5.5.7.3.2 | Intune-managed device auth |
⚠Prohibited Uses: Certificates issued under this CP SHALL NOT be used for public Internet TLS prior to public trust program inclusion and CT log submission. The Root CA SHALL NOT issue end-entity certificates directly. Certificates SHALL NOT be used outside NameConstraints permitted subtrees.
2. Publication and Repository
| Resource | Alliance URL | Able-2 URL | Capabilities URL |
|---|
| CP / CPS | pki.alliance.internal/cps/ | pki.able2.internal/cps/ | pki.capabilities.internal/cps/ |
| Root CRL | pki.alliance.internal/CRL/root.crl | pki.able2.internal/CRL/root.crl | pki.capabilities.internal/CRL/root.crl |
| Issuing CRL | pki.alliance.internal/CRL/alliance-issuing.crl | pki.able2.internal/CRL/able2-issuing.crl | pki.capabilities.internal/CRL/cape-issuing.crl |
| OCSP | pki.alliance.internal/OCSP | pki.able2.internal/OCSP | pki.capabilities.internal/OCSP |
| Root Cert | Available at all three /Certs/Alliance-Root-CA.crt endpoints |
- CRLs published within 24 hours of any revocation; Root CRL on 26-week schedule with 2-week overlap; issuing CA CRLs on 2-week schedule with 12-hour overlap
- CP/CPS documents updated within 30 days of any material policy change
- Availability target: 99.9% uptime for all HTTP endpoints on the-orc
3. Identification and Authentication
3.1 Distinguished Name Conventions
All certificates comply with RFC 5280 §4.1.2.6. SAN is mandatory for all TLS certificates per RFC 5280 §4.2.1.6 and CA/B Forum BR §7.1.4.2. CN alone is insufficient.
| Field | Root CA | Issuing CA | End-Entity |
|---|
| CN | Alliance Multi-Org Root CA | [Org] Issuing CA | FQDN or UPN/email |
| O | Alliance for Empowerment Inc. | Alliance for Empowerment Inc. | Issuing org legal name |
| L/ST/C | Pine City / New York / US | Pine City / New York / US | Optional / Optional / US |
3.2 NameConstraints Permitted Subtrees
| Organization | DNS Permitted | Email Permitted |
|---|
| Alliance | .alliance.internal • .wearealliance.org • .o365.wearealliance.org | @wearealliance.org |
| Able-2 | .able2.internal • .able-2.org | @able-2.org |
| Capabilities | .capabilities.internal • .capabilities.org | @capabilities.org |
| Excluded (ALL orgs) | .onmicrosoft.com • .mail.onmicrosoft.com | Microsoft-managed; not under org control |
4. Certificate Lifecycle Requirements
| Certificate Type | Maximum Validity | Compliance Basis |
|---|
| Root CA | 20 years | NIST SP 800-57 Rev.6 §5.3.6 |
| Issuing CA | 10 years | NIST SP 800-57 Rev.6 (½ root lifetime) |
| TLS Server / Client | 2 years | NIST SP 800-57, CA/B Forum BR |
| S/MIME / Code Signing | 2 years | NIST SP 800-57 |
| ACME-issued (step-ca) | 90 days | RFC 8555 best practice |
| SCEP-issued (step-ca) | 1 year | RFC 8894 |
| OCSP Signing | 2 years | RFC 6960 |
| Revocation Reason | CRLReason Code | Response Timeline |
|---|
| keyCompromise | 1 | Within 24 hours |
| affiliationChanged / superseded / cessationOfOperation | 3,4,5 | Within 5 business days |
| Unspecified | 0 | Within 5 business days |
5. Physical, Procedural, and Personnel Controls
- Root CA physical: PKI-ROOT is air-gapped; NIC disconnected at all times except signing ceremony; housed in locked server room; accessible only via XenCenter/Hyper-V console by PKI admin
- Key ceremony: Initiated by PKI administrator; all CSRs reviewed before submission; NIC attached only during ceremony; all events logged with timestamps and serial numbers; VM shut down after ceremony
- Issuing CAs: Online but hardened; RDP restricted to PKI admin; Atera RMM monitoring on certsvc; template objects on PKI-ALLIANCE, not on Root CA
- Personnel: PKI admin access exclusive to Network Coordinator; no shared credentials; all CA actions logged via Windows Security Event Log (Event IDs 4886/4887/4888/4890)
6. Technical Security Controls
| CA Tier | Algorithm | Key Size | Hash | Standard |
|---|
| Root CA | RSA | 4096-bit | SHA-256 | NIST SP 800-57 Rev.6, FIPS 186-5 |
| Issuing CAs | RSA | 4096-bit | SHA-256 | NIST SP 800-57 Rev.6, FIPS 186-5 |
| End-Entity (Phase 1) | RSA or ECDSA | 2048+ / P-256 / P-384 | SHA-256 | NIST SP 800-57 Rev.6 |
| End-Entity (Phase 2+) | ML-DSA / SLH-DSA (hybrid) | Per FIPS 204/205 | SHA-3 | FIPS 204, 205 |
⚠P-521 is prohibited for TLS Server certificates. Chrome and Edge do not support ECDSA P-521. All browser-facing TLS certificates MUST use P-256, P-384, or RSA-2048+. P-521 may only be used for non-browser-facing certificates where client compatibility has been explicitly verified.
7. Certificate and CRL Profiles
7.1 Root CA Profile
| Extension | Value | Critical |
|---|
| Basic Constraints | CA=TRUE, PathLength=2 | YES |
| Key Usage | keyCertSign, cRLSign | YES |
| Name Constraints | Permitted subtrees per Section 3.2 | YES |
| Certificate Policies | OIDs 1.3.6.1.4.1.65571.2.1–.2.4 + CPS URLs | NO |
| CDP / AIA | Absent (offline self-signed root — RFC 5280 compliant) | — |
7.2 Issuing CA Profile
| Extension | Value | Critical |
|---|
| Basic Constraints | CA=TRUE, PathLength=0 | YES |
| Key Usage | digitalSignature, keyCertSign, cRLSign (DER: 03 02 01 86) | YES |
| CDP | http://pki.[org].internal/CRL/[org]-issuing.crl | NO |
| AIA OCSP | http://pki.[org].internal/OCSP | NO |
| AIA CA Issuer | http://pki.[org].internal/Certs/Alliance-Root-CA.crt | NO |
ℹdigitalSignature in issuing CA KeyUsage: RFC 5280 §4.2.1.3 permits digitalSignature alongside keyCertSign and cRLSign when the CA key is also used for OCSP signing or RA auth. Required for step-ca RA compatibility. Omitting it causes ASN1 bad tag value errors.
8. Compliance and Audit
| Standard | Scope | Status |
|---|
| NIST SP 800-57 Rev.6 | Key management lifecycle | ✓ Compliant |
| NIST SP 800-131A Rev.3 | Algorithm transition | ✓ Compliant |
| FIPS 203 (ML-KEM) | Post-quantum KEM | ▶ Roadmap Phase 2 |
| FIPS 204 (ML-DSA) | Post-quantum signatures | ▶ Roadmap Phase 2 |
| FIPS 205 (SLH-DSA) | Hash-based signatures | ▶ Roadmap Phase 2 |
| SP 800-232 (Ascon) | Lightweight AEAD — IoT/edge | ▶ Roadmap Phase 3 |
| RFC 5280 | X.509 certificate profile | ✓ Compliant |
| RFC 3647 | CP/CPS framework | ✓ This document |
| RFC 9618 | X.509 policy validation | ✓ Compliant |
| RFC 8555 / ACME | Automated cert management | ✓ step-ca |
| RFC 8894 / SCEP | Device enrollment | ✓ step-ca |
| ITU-T X.690 | ASN.1 DER encoding | ✓ Compliant |
| ISC2 CCSP Domain 3 | PKI & cryptography | ✓ Compliant |
| CompTIA Security+ / CySA+ | Security baseline | ✓ Compliant |
| CA/B Forum BR | Baseline Requirements (internal ref) | ✓ Applied |
| FIPS 140-3 | Module validation | ▶ Planned — HSM Phase 2 |
| RFC 9162 / CT Logs | Certificate Transparency | ▶ Public trust phase only |
9. Business and Legal Matters
- Policy authority: Brian Vicente, Network Coordinator, Alliance for Empowerment Inc., Pine City, New York
- Contact: pki-admin@wearealliance.org
- Inter-org responsibilities: Each issuing CA is operated by its respective org; Root CA is operated by Alliance on behalf of all three organizations
- Liability: This PKI is operated for internal organizational purposes only. No warranties are expressed or implied for relying parties outside the three organizations
- Privacy: Subject information is limited to what is operationally required; log data retained per organizational data retention policy
- Termination: CA decommissioning requires minimum 90-day advance notice, final CRL publication with extended NextUpdate, key destruction ceremony, and documented runbook entry
10. Post-Quantum Cryptographic Agility
⚛The Alliance Multi-Org PKI is designed with crypto-agility as a first-class architectural principle. NIST finalized FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) in August 2024. SP 800-232 (Ascon) covers lightweight AEAD for IoT/edge. These are reserved in OID arc 1.3.6.1.4.1.65571.5.x and roadmapped below — not active in v1.0 production.
| Phase | Timeline | Algorithm | Standard | Status |
|---|
| 1 — Classical | 2026 (current) | RSA-4096 / SHA-256; ECDSA P-256/P-384 | FIPS 186-5, SP 800-57 | Active |
| 2 — Hybrid | 2026–2027 | RSA + ML-DSA-65 dual; ML-KEM-768 TLS | FIPS 203, 204 | Planned |
| 3 — PQC Primary | 2027+ | ML-DSA-65 CA key; SLH-DSA fallback | FIPS 204, 205 | Planned |
| 3 — IoT/Edge | 2027+ | Ascon-128 / Ascon-128a | SP 800-232 | Planned |
| 4 — RSA Sunset | 2028–2030 | RSA-2048 EOL; RSA-4096 CA re-key | SP 800-131A | Planned |
11. Browser Compatibility and Public Trust Path
| Browser | Trust Mechanism | Status |
|---|
| Chrome / Edge | Windows CTL via GPO deployment | ✓ Supported |
| Firefox | enterprise_roots.enabled or policies.json via GPO | ✓ Supported |
| Safari (macOS / iOS) | macOS Keychain / iOS MDM via Intune | ✓ Supported |
| Chrome (Android) | Intune MDM profile | ✓ Supported |
11.1 Future Public Trust Roadmap
- Internal PKI stabilization — CRL/AIA/OCSP operational; step-ca RA live (current phase)
- WebTrust / ETSI audit — Third-party audit of CA operations, key ceremony, CP/CPS
- Mozilla Root Program — CA inclusion policy application; triggers Chrome/Apple/Microsoft consideration
- Cross-certification (faster path) — Cross-cert from existing publicly trusted CA (DigiCert/Sectigo)
- CT log submission — RFC 9162; step-ca supports CT logging natively for public TLS
12. OID Registry
| OID | Name | Purpose |
|---|
1.3.6.1.4.1.65571.1.1 | Root CA | Root CA identifier |
1.3.6.1.4.1.65571.1.2–.1.4 | Issuing CAs | Alliance/Able-2/Capabilities issuing CAs |
1.3.6.1.4.1.65571.2.1–.2.4 | Policies | Multi-Org, Alliance, Able-2, Capabilities policies |
1.3.6.1.4.1.65571.3.1–.3.8 | Certificate Templates | TLS Server/Client, S/MIME, Code Signing, OCSP, Smart Card, 802.1X, Device, CA-Signing |
1.3.6.1.4.1.65571.4.1–.4.2 | Custom Extensions | Org Identifier (.4.1), Device Class (.4.2) |
1.3.6.1.4.1.65571.5.1–.5.3 | ML-KEM-512/768/1024 | FIPS 203 — PQC KEM (128/192/256-bit) |
1.3.6.1.4.1.65571.5.4–.5.6 | ML-DSA-44/65/87 | FIPS 204 — PQC DSA (128/192/256-bit) |
1.3.6.1.4.1.65571.5.7–.5.8 | SLH-DSA-SHA2-128s/256s | FIPS 205 — hash-based signatures |
1.3.6.1.4.1.65571.5.9–.5.10 | Ascon-128 / Ascon-128a | SP 800-232 — lightweight AEAD IoT/edge |