Sample Public Key Infrastructure (PKI) Policy [Free Download]

Editorial Team

Download this free Public Key Infrastructure (PKI) Policy template and use it for your organization. Scroll down to the bottom of the page for the download link.

1 PURPOSE

This document defines the controls for implementing Public Key Infrastructure (PKI) within Organization Group and for third parties that connect to Organization Group. Public Key Infrastructure (PKI) is the combination of software, encryption technologies, and services that enables the Group to ensure the security of business communications and transactions on the Internet, Intranet and Extranet. The objective of implementing PKI is to achieve privacy, confidentiality, data integrity and non-repudiation.

2 SCOPE

This document applies to all Organization Group employees, contractors, consultants, temporaries, and customers utilizing PKI to access the Organization Group’s network.

3 POLICY

3.1 General

PKIs integrate digital certificates, public-key cryptography, and certificate authorities into a total enterprise-wide network security architecture. A typical enterprise’s PKI encompasses the issuance of digital certificates to individual users and servers; end-user enrolment software; integration with corporate certificate directories; tools for managing, renewing, and revoking certificates; and related services and support.

3.2 Certification Authority (CA)

 a)    The CA issues an encrypted digital certificate containing the applicant's public key and a variety of other identification information. 

 b)    Organization Group shall accept only two types of CA: the Organization Internal CA and Trusted 3rd Parties CAs. A Trusted 3rd Parties CA is a third-party CA that is recognized by the local court of law.

 c)    A Trusted 3rd Parties CA makes its own public key readily available through print publication or on the Internet. The Organization Internal CA should only distribute its own public key within Organization Group.

 d)    The roles of a CA are as follows:
     1)    Issuing certificates
     2)    Managing certificates
     3)    Renewing certificates
     4)    Revoking certificates

 e)    The Organization Internal CA is the highest-level active certification entity within Organization Group and acts as its own root. The Organization Internal CA issues, suspends and revokes all Organization internal certificates.

 f)    The Organization root key shall be securely generated. The private key must be kept secure in a trustworthy system, and the necessary precautions must be taken to prevent its loss, disclosure, modification or unauthorized use.

 g)    Both CAs should have operational controls and record keeping for certificate issuance.

3.3 Digital Certificate

 a)    A Digital Certificate is issued by a Certification Authority to confirm the subscriber's identity to others. Once issued, the certificate can be used for a variety of tasks, such as protecting email data, digitally signing Internet transactions or establishing a secure connection to another computer.

 b)    There are 4 types of digital certificates:
     1)    Email certificate.
     2)    User certificate.
     3)    Server certificate.
     4)    CA certificate (also called a root certificate).

 c)    All certificates must have a validity period. The recommended validity period for all subscriber certificates is 1 year, except for CA certificates, whose validity period may exceed 1 year.

 d)    The subscriber's key pair must be generated securely. The subscriber's public key and the subscriber's information are submitted to the CA as part of the Certificate Signing Request (CSR). The CA will only sign and issue the Digital Certificate after validation and verification are complete.

 e)    Validation, verification and authentication have to be done on the subscriber before a digital certificate can be issued.

 f)    Certificates issued by the Organization Internal CA are strictly for internal use. They may only be used for encryption and server authentication.

 g)    Notice prior to certificate expiration: the Key Manager should make a reasonable effort to notify the system administrator/owner by email of the impending expiration of the certificate. Refer to the PKI Procedure for the roles and responsibilities of the Key Manager.

 h)    A certificate shall be considered to be unreliable, and shall need to be suspended or revoked if there has been a loss, theft, modification, unauthorized disclosure, or other compromise of the private key of the certificate’s subject.

 i)    Certificates issued by a Trusted 3rd Parties CA may be used for both internal and external purposes. Their permitted usage depends on the Certification Practice Statement (CPS) defined by the Trusted 3rd Parties CA.

3.4 Encryption

 a)    Certificates issued by the Organization Internal CA are used for encryption within Organization Group. The encryption technologies used should be proven and comply with accepted industry standards, e.g. S/MIME, SSL/TLS sessions, VPN and IPsec.

 b)    Encryption to a third-party entity should use a digital certificate issued by a Trusted 3rd Parties CA.

 c)    All encrypted connections must use strong encryption. The key length requirements will be reviewed annually and upgraded as technology allows. Refer to the Organization Acceptable Encryption Policy for more details.

3.5 Digital Signature

 a)    Organization internal certificates must not be used for digitally signing business transactions for non-repudiation purposes, because certificates issued by the Organization Internal CA are not recognized by the local court of law.

 b)    All digital signing of Internet transactions must use certificates issued by a Trusted 3rd Parties CA.

 c)    Certificates issued by the Organization Internal CA may only be used for email digital signatures (S/MIME) within Organization Group.

 d)    A Trusted 3rd Parties CA digital certificate must be used for any digitally signed (S/MIME) communication with external parties.

 e)    Digital certificates should be verified against the Certificate Revocation List (CRL) before being used for any digital signing.

3.6 Authentication

 a)    There are 2 types of authentication:
     1)    Server authentication.
     2)    User authentication.

 b)    The Organization Internal CA may only authenticate and issue server certificates to internal servers that are accessed by Organization internal users.

 c)    For servers that are accessed by public users, the server certificate has to be issued by a Trusted 3rd Parties CA. However, a server certificate issued by a Trusted 3rd Parties CA may also be used for an internal server.

 d)    Servers with valid domain names have to be authenticated before a server certificate can be issued.

 e)    Certificates issued by a Trusted 3rd Parties CA may be used for user authentication on all systems.

 f)    Certificates issued by the Organization Internal CA may only be used for user authentication on Organization internal systems.

 g)    Digital certificates should be verified against the Certificate Revocation List (CRL) when used for authentication.

3.7 Certificate Revocation List (CRL)

 a)    A CRL contains a time-stamped list of revoked certificates that a Certification Authority (CA) signs and makes available to PKI users in a public repository. A CRL identifies each revoked certificate by its certificate serial number.

 b)    A digital certificate must be revoked and published in the CRL if it has been, or is suspected to have been, compromised. This does not apply to rudimentary-level certificates.

 c)    The serial number of the compromised digital certificate should be published in the CRL within 24 hours.
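The checks that clauses 3.3c, 3.3g, 3.5e/3.6g and 3.7a require before a certificate is relied on, modelled in stdlib-only Python as an added example (not part of the template): the certificate and CRL are constructed dicts standing in for parsed X.509 objects, and the CA's signature on the CRL is assumed to have been verified already.

```python
from datetime import datetime, timedelta, timezone

def utc(y, m, d, hour=0):
    """Helper: build a timezone-aware UTC timestamp."""
    return datetime(y, m, d, hour, tzinfo=timezone.utc)

# Constructed sample data (not real certificates): a subscriber certificate
# with the recommended one-year validity period (3.3c), and a CRL from the
# same CA listing revoked serials with their revocation times (3.7a).
CERT = {
    "serial": 0x1A2B,
    "issuer": "CN=Organization Internal CA",
    "not_before": utc(2024, 3, 1),
    "not_after": utc(2025, 3, 1),
}
CRL = {
    "issuer": "CN=Organization Internal CA",
    "this_update": utc(2024, 9, 1),
    "next_update": utc(2024, 9, 8),   # after this the CRL is stale
    "revoked": {0x1A2B: utc(2024, 8, 31, 12), 0x0F00: utc(2024, 7, 4)},
}

def check_certificate(cert, crl, now):
    """Return 'OK' or the policy reason the certificate must not be relied on.
    Signature verification of the CRL is assumed done before this is called."""
    if not cert["not_before"] <= now <= cert["not_after"]:
        return "EXPIRED_OR_NOT_YET_VALID"   # outside validity period (3.3c)
    if crl["issuer"] != cert["issuer"]:
        return "CRL_ISSUER_MISMATCH"        # CRL from a different CA proves nothing
    if now > crl["next_update"]:
        return "CRL_STALE"                  # a stale CRL cannot clear the certificate
    if cert["serial"] in crl["revoked"]:
        return "REVOKED"                    # serial listed in CRL (3.5e, 3.6g, 3.7a)
    return "OK"

def expiry_notice_due(cert, now, days=30):
    """True when the Key Manager should send the 3.3g expiry notice
    (certificate still valid but expiring within `days`)."""
    return now <= cert["not_after"] <= now + timedelta(days=days)

if __name__ == "__main__":
    print(check_certificate(CERT, CRL, utc(2024, 9, 3)))      # REVOKED
    print(expiry_notice_due(CERT, utc(2025, 2, 10)))          # True
```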

3.8 Key Recovery

 a)    Key recovery is only allowed for encryption keys, not for signing keys.

4 ENFORCEMENT

4.1 All staff are required to comply with this security policy and its appendices. Disciplinary action, including termination, may be taken against any Organization staff who fail to comply with the Organization's security policies, or who circumvent or violate any security systems and/or protection mechanisms.

4.2 Staff having knowledge of personal misuse or malpractice of IT systems must report it immediately to management and IT Security.

4.3 Organization staff must ensure that Organization contractors and other parties authorized by the Organization to use its internal computer systems comply with this policy.

4.4 Where the role of the service provider is outsourced to a vendor, the outsourced vendor should ensure compliance with this policy.

Click here to download Public Key Infrastructure (PKI) Policy template.