As certificate volumes grow, ad hoc management breaks down. A strong governance framework, built on clear policies, defined roles, and automated enforcement, is the difference between a secure PKI and an uncontrolled liability.
When an organization manages a handful of certificates, governance is simple. Someone requests a certificate, someone else approves it, and a spreadsheet keeps track of expiration dates. But modern enterprises don't manage a handful; they manage tens of thousands, sometimes hundreds of thousands, across multiple Certificate Authorities, cloud providers, and business units.
At that scale, the absence of policy is not freedom; it is chaos. Teams choose different key algorithms, certificates are issued with inconsistent naming conventions, validity periods vary wildly, and no one can say with confidence which CAs are actually in use. The result is an environment that is difficult to audit, expensive to maintain, and vulnerable to both outages and security breaches.
Certificate policy and governance solve this by establishing a clear set of rules that define who can request certificates, what kinds of certificates are allowed, how they must be configured, and how compliance is verified. This chapter explains how to build and enforce that framework.
Which CAs are authorized to issue certificates for your organization? This includes both public CAs (for external-facing TLS) and internal CAs (for mTLS, device identity, and code signing). An approved CA list prevents teams from procuring certificates from untrusted or unvetted providers, reducing the risk of shadow certificates.
Define the minimum acceptable key types and sizes. Most organizations today require RSA 2048 (or higher) and are migrating toward ECDSA P-256 or P-384 for better performance and stronger security. Your policy should also address post-quantum readiness and set a timeline for algorithm transitions.
How long should certificates remain valid? Public TLS certificates are already limited to 398 days by the CA/Browser Forum and will soon move to 90 days (and eventually 47 days). Internal certificates may have different requirements. Your policy should define maximum validity for each certificate type and use case.
Standardized Subject Distinguished Names (DNs) and Subject Alternative Names (SANs) make certificates easier to identify, search, and manage. A good naming policy specifies required fields (Organization, Organizational Unit, Country), forbids wildcard certificates where they are unnecessary, and defines SAN patterns for different environments.
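As an added example (not part of the original chapter and not Evertrust's code), the following Python script turns the four policy elements above into an automated check over certificate inventory records: approved issuing CA, minimum key size per algorithm, maximum validity per certificate type, required subject fields, a wildcard ban, and per-environment SAN naming patterns. The CA names, domains, certificate types, limits and the three inventory records are constructed assumptions; in practice the records would come from certificates parsed with a library such as the `cryptography` package's x509 module, or from a CLM export.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy for a fictional organisation. CA names, domains and
# per-type limits are assumptions for this example, not values from a real CP.
POLICY = {
    "approved_cas": {"Example Public CA R3", "Example Corp Internal Issuing CA G2"},
    "min_key_bits": {"RSA": 2048, "EC": 256},
    "max_validity_days": {"public_tls": 398, "internal_mtls": 365, "code_signing": 730},
    "required_subject_fields": ("O", "C"),
    "wildcard_allowed_types": set(),  # wildcards forbidden for every type here
    "san_patterns": {
        "public_tls": re.compile(r"^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*\.example\.com$"),
        "internal_mtls": re.compile(r"^[a-z0-9-]+\.svc\.internal\.example$"),
    },
}


@dataclass
class CertRecord:
    """Fields an inventory typically extracts from a parsed X.509 certificate."""
    serial: str
    cert_type: str          # policy use case, e.g. "public_tls"
    issuer_cn: str
    subject: dict           # DN attributes, e.g. {"CN": ..., "O": ..., "C": ...}
    sans: list              # dNSName entries from the SAN extension
    key_algorithm: str      # "RSA" or "EC"
    key_bits: int
    not_before: datetime
    not_after: datetime


def check_certificate(cert: CertRecord, policy: dict = POLICY) -> list:
    """Return the list of policy violations for one record (empty = compliant)."""
    violations = []

    # 1. Approved CA list
    if cert.issuer_cn not in policy["approved_cas"]:
        violations.append(f"issuer '{cert.issuer_cn}' is not an approved CA")

    # 2. Key algorithm and minimum size
    min_bits = policy["min_key_bits"].get(cert.key_algorithm)
    if min_bits is None:
        violations.append(f"key algorithm '{cert.key_algorithm}' is not permitted")
    elif cert.key_bits < min_bits:
        violations.append(f"{cert.key_algorithm} key of {cert.key_bits} bits is below the {min_bits}-bit minimum")

    # 3. Maximum validity per certificate type
    max_days = policy["max_validity_days"].get(cert.cert_type)
    if max_days is None:
        violations.append(f"certificate type '{cert.cert_type}' has no validity limit defined")
    else:
        validity_days = (cert.not_after - cert.not_before).days
        if validity_days > max_days:
            violations.append(f"validity of {validity_days} days exceeds the {max_days}-day maximum for {cert.cert_type}")

    # 4. Naming: required DN fields, wildcard restriction, SAN pattern per environment
    for attr in policy["required_subject_fields"]:
        if not cert.subject.get(attr):
            violations.append(f"subject is missing required field {attr}")
    pattern = policy["san_patterns"].get(cert.cert_type)
    for name in cert.sans:
        if name.startswith("*.") and cert.cert_type not in policy["wildcard_allowed_types"]:
            violations.append(f"wildcard SAN '{name}' is not permitted for {cert.cert_type}")
        elif pattern is not None and not pattern.match(name):
            violations.append(f"SAN '{name}' does not match the naming pattern for {cert.cert_type}")

    return violations


def audit_inventory(records: list, policy: dict = POLICY) -> dict:
    """Map serial -> violations for every non-compliant record in the inventory."""
    report = {}
    for cert in records:
        found = check_certificate(cert, policy)
        if found:
            report[cert.serial] = found
    return report


def sample_inventory() -> list:
    """Constructed inventory records for the example (not real certificates)."""
    start = datetime(2025, 1, 1, tzinfo=timezone.utc)
    return [
        CertRecord("01", "public_tls", "Example Public CA R3",
                   {"CN": "www.example.com", "O": "Example Corp", "C": "FR"},
                   ["www.example.com", "api.example.com"], "EC", 256,
                   start, start + timedelta(days=365)),
        # Shadow certificate: unapproved reseller CA, weak key, two-year validity, wildcard
        CertRecord("02", "public_tls", "Unknown Reseller CA",
                   {"CN": "*.example.com", "C": "FR"},
                   ["*.example.com"], "RSA", 1024,
                   start, start + timedelta(days=730)),
        # Internal mTLS certificate with one SAN outside the internal naming pattern
        CertRecord("03", "internal_mtls", "Example Corp Internal Issuing CA G2",
                   {"CN": "payments.svc.internal.example", "O": "Example Corp", "C": "FR"},
                   ["payments.svc.internal.example", "payments.prod.example.net"], "RSA", 3072,
                   start, start + timedelta(days=365)),
    ]


if __name__ == "__main__":
    for serial, found in audit_inventory(sample_inventory()).items():
        print(f"certificate {serial}:")
        for message in found:
            print(f"  - {message}")
```

Run as a script it prints only the non-compliant records with the reason for each violation, which is the shape a compliance dashboard or a pre-issuance gate needs; the same `check_certificate` call can be placed in front of the issuance pipeline to reject a request before the CA signs it, rather than discovering the violation in a later audit.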
The Certificate Policy (CP) is a high-level document that states what the organization requires. It defines the rules, obligations, and expectations for certificate usage: which types of certificates are permitted, what assurance levels are required, and under what conditions certificates may be issued or revoked. Think of it as the "constitution" of your PKI.
The Certification Practice Statement (CPS) describes how the CA implements the requirements set out in the CP. It covers the operational procedures, technical controls, and physical security measures in place. If the CP says "certificates must use RSA 2048 or higher," the CPS explains exactly how the CA enforces that requirement in its issuance pipeline.
The standard framework for writing CP and CPS documents is defined in RFC 3647. It provides a common structure with nine sections covering everything from obligations and liability to technical security controls, making it easier to compare policies across organizations and CAs.
Without a CP, there are no agreed-upon rules. Without a CPS, rules exist only on paper. Together, they create a complete governance chain: the CP sets the standard, and the CPS proves the standard is being met. Auditors and regulators expect both to be current and aligned.
Define and enforce policies centrally — Evertrust CLM lets you define certificate policies (approved CAs, key algorithms, validity limits, naming rules) and enforce them automatically across every certificate request, regardless of the issuing CA.
Role-based access control — Built-in RBAC with configurable approval workflows ensures that the right people approve the right certificates. Separation of duties is enforced by the platform, not by convention.
Audit-ready reporting — Every certificate action is logged in an immutable audit trail. Compliance dashboards highlight policy violations in real time, and exportable reports make audits straightforward.
Template-based issuance — Evertrust PKI provides pre-configured certificate templates that embed policy requirements directly into the issuance process. Requesters select a template; the platform handles compliance.