This document describes the policies and practices employed by the Aaltronav Certification Authority (CA) in its Public Key Infrastructure (PKI).
The name of this document is “Aaltronav s.r.o. Certification Practice Statement (CPS)”.
This document is available at the URI https://pki.aaltronav.eu/cps.
Note that in a PKI the term “subscriber” refers to an individual or organization that is a subject of a certificate issued by a CA. The term is used in this fashion throughout this document, without qualification, and should not be confused with the networking use of the term to refer to an individual or organization that receives service from an ISP. In such cases, the term “network subscriber” will be used. Also note that, for brevity, this document always refers to PKI participants as organizations or entities, even though some of them are individuals.
The Certification Authority (CA) hierarchy is composed of the top-level CA for Aaltronav’s portion of the PKI, Aaltronav Root CA, and a subordinate production CA, Aaltronav Production CA 1.
This is the offline, top-level CA for Aaltronav s.r.o., providing a secure revocation and recovery capability in case the production CA is compromised or becomes unavailable.
Aaltronav Root CA issues certificates only to instances of Aaltronav Production CA 1, and its Certificate Revocation Lists (CRL) are used only to revoke certificates issued to Aaltronav Production CA 1.
This production certificate authority is used to issue public key infrastructure (PKI) certificates to members of Aaltronav s.r.o.
Registrations are handled through the IT manager.
The subscribers of this PKI are the members of Aaltronav staff and Aaltronav equipment or resources to which certificates are issued.
Entities or individuals that act in reliance on certificates or PKI-signed objects issued under this PKI are relying parties. Relying parties may or may not be subscribers within this PKI.
Other participants are entities, individuals or organizations that use, or are in some way involved in preparing, the certificates of a subscriber, and that may or may not wish to secure communication with that subscriber. Other participants may or may not be subscribers within this PKI.
Certificates issued under this policy may be used for:
Any uses other than those described in the previous section are prohibited.
This certificate policy statement is administered by Aaltronav s.r.o.
Contact the IT manager via https://aaltronav.eu/contact for any questions.
The IT manager reviews the certificate policy statement.
The certificate policy statement is approved by any of Aaltronav’s directors.
| Term/Acronym | Definition |
|---|---|
| CA | Certification Authority: An entity that issues digital certificates. |
| CPS | Certification Practice Statement: This document detailing the practices and procedures of the CA. |
| CRL | Certificate Revocation List: A list of revoked certificates issued by the CA. |
| CSR | Certificate Signing Request: A message sent from an applicant to a CA to apply for a public key certificate. |
| DN | Distinguished Name: A unique identifier for a certificate subject, based on X.500 standards. |
| HTTPS | Hypertext Transfer Protocol Secure: A protocol for secure communication over a computer network. |
| OID | Object Identifier: A unique numeric identifier for policies or objects in the PKI. |
| PKI | Public Key Infrastructure: A system for managing digital certificates and public-key encryption. |
| RA | Registration Authority: An entity that verifies certificate requests before approval by the CA. |
| RFC | Request for Comments: A publication from the Internet Engineering Task Force (IETF) describing standards. |
| URI | Uniform Resource Identifier: A string identifying a resource, such as a web address. |
This Certification Practice Statement conforms to RFC 5280 for the profile of X.509 certificates, CRLs, and extensions used in this PKI. Repository publication follows common industry practices for HTTP-accessible PKI repositories, including publication of CRLs, Authority Information Access (AIA)-reachable issuer certificates, and other trust anchors. The repository is publicly accessible (read-only) via HTTPS at https://pki.aaltronav.eu/. It is organised with:
- /root-ca/ and /production-ca-1/, containing the latest CRLs (using hashed filenames for efficient automated retrieval via CRL Distribution Points extensions);
- chain.pem at the repository root (containing the Aaltronav Root CA and Aaltronav Production CA 1 certificates concatenated in PEM format).

Aaltronav s.r.o. will publish certificates, CRLs, and PKI-signed objects issued by it to a repository that operates as part of a worldwide distributed system of PKI repositories.
Certificates, CRLs and PKI-signed objects are published to the repository as part of the issuance or update process.
The Aaltronav s.r.o. CA will publish its CRL prior to the nextUpdate value in the scheduled CRL previously issued by the CA.
Public repository data is publicly readable. Repository updates are carried out as part of an automated process under control of the registration authority (RA).
The subject of each certificate issued by this organization is identified by an X.500 Distinguished Name (DN). The distinguished name will consist of a single Common Name (CN) attribute with a value generated by Aaltronav s.r.o. Optionally, additional attributes may be included along with the common name (to form a terminal relative distinguished name set), to disambiguate in cases where the Common Name alone does not uniquely identify the subject, or to distinguish among successive instances of certificates associated with the same entity.
Where certificates are issued to organisations, individuals or entities commonly associated with a name, a sufficiently recognisable form of their name (or one of their names) will form part of the Subject Name of each certificate.
Anonymity is neither explicitly supported nor proscribed by this certification policy. Pseudonymity is supported upon an individual’s or organisation’s request or for confidentiality, security or other reasons.
Names (in particular, Common Name attributes) are encoded using UTF-8. Names need not be in the Latin alphabet. Where an entity’s name uses a non-Latin alphabet, a Latin alphabet version of the name should be included as well.
Subject names are unique among the certificates issued by this CA. Where necessary, disambiguation will be carried out by additional attributes.
No provision is made in this regard.
The concerned user, or the person responsible for the entity in question, must submit a duly formed certificate signing request (CSR) to the registration authority (RA).
This CA does not as a rule issue certificates to organisations other than itself and, should the need arise, any certificates issued will not attest to the organisational identity of subscribers.
However, in the unlikely event that authentication of an organisation entity should be necessary, this will take place by:
This CA does not attest to the individual identity of a subscriber, only to their association with Aaltronav s.r.o.
Information that is for internal use only, such as email addresses or optional attributes (e.g., organisational unit), may be included without external verification, but subscribers are required to confirm accuracy during enrolment to prevent errors.
Authority to represent an internal subscriber is determined by reference to Aaltronav’s internal hierarchy. In the event of a request concerning another organisation, the requester must prove to the satisfaction of the Registration Authority (RA) that he is authorised to represent the subscriber.
Testing certificates require explicit IT manager approval via a traceable method such as email or ticket in an issue tracking system.
There is no explicit provision for interoperation with any other PKI.
Subscribers must submit a new CSR via the RA, with identity re-verified against internal records. Re-keys occur before expiry, with a grace period of 30 days.
Full re-validation as in initial issuance will be required, plus an explanation of the revocation reason, approved by the IT manager.
Revocation requests must be submitted to the RA by the subscriber or an authorised representative. Authentication occurs via internal verification (e.g., email from a company domain or in-person confirmation). Reasons for revocation include key compromise, cessation of authority, or policy violation.
Any Aaltronav staff member or authorised representative for equipment/resources.
Subscribers generate a CSR using tools like OpenSSL and submit it to the RA with justification (e.g., use case). The RA reviews it and forwards it to the CA for issuance.
The RA performs identification and authentication as described in the Identification and Authentication section.
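As an added example (not part of Aaltronav’s CPS or tooling), the following shell functions use OpenSSL to generate a key and CSR that fit the parameters stated in this document (RSA 2048 bits minimum, SHA-256 with RSA, a single UTF-8 Common Name) and to check a CSR against those minimums before it is sent to the RA. The function names, the file names and any CN value passed in are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: function names and file names are hypothetical,
# not taken from the CPS or from Aaltronav's enrolment tooling.

make_csr() {
    # $1 = Common Name (UTF-8), $2 = existing output directory
    cn=$1; dir=$2
    (
        umask 077   # key file is created readable by its owner only
        openssl req -new -newkey rsa:2048 -nodes -sha256 -utf8 \
            -subj "/CN=$cn" \
            -keyout "$dir/subscriber.key" \
            -out "$dir/subscriber.csr" 2>/dev/null
    )
}

check_csr() {
    # $1 = path to a PEM CSR; returns 0 only if it meets the stated minimums
    csr=$1

    # The CSR's self-signature must verify (proof of possession of the key).
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1

    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || return 1

    # Key type and size: RSA, 2048 bits minimum.
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' || return 1
    bits=$(printf '%s\n' "$text" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ "$bits" -ge 2048 ] || return 1

    # Signature algorithm: SHA-256 with RSA.
    printf '%s\n' "$text" \
        | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1

    return 0
}
```

The private key written by `make_csr` stays with the subscriber; only the `.csr` file is submitted.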
Applications are approved if they meet policy requirements; otherwise, rejected with notification to the applicant.
The RA aims to process applications within 72 hours, verifying identity and authority. Approvals are logged; denials are notified with reasons.
The CA signs the certificate using its private key after RA approval.
The subscriber is notified via email or the enrolment system upon issuance.
Acceptance is constituted by the subscriber’s use of the certificate or failure to reject it within 7 days of issuance.
End user certificates are, as a rule, not published to the PKI repository in the interests of privacy. Any non-revoked end user certificate signed by Aaltronav’s production CA may be considered valid a priori.
No stipulation for notification to other entities.
Subscribers must use private keys only for authorised purposes and protect them from compromise.
Relying parties must verify certificate validity, including CRL checks, before reliance.
Renewal is permitted for unrevoked certificates nearing expiry, without key change.
The original subscriber or authorised representative.
Processed as routine re-key, with verification.
Via email or enrolment system.
As described in the Conduct Constituting Certificate Acceptance subsection.
As described in the Publication and Repository Responsibilities section.
No stipulation.
Re-key is required for key compromise, expiry, or policy changes requiring new keys.
The subscriber or RA.
As in initial validation, with new CSR.
Via email or enrolment system.
As described in the Conduct Constituting Certificate Acceptance subsection.
As described in the Publication and Repository Responsibilities section.
No stipulation.
Modification is for changes in non-key attributes, e.g., name updates.
The subscriber or RA.
With verification of changes.
Via email or enrolment system.
As described in the Conduct Constituting Certificate Acceptance subsection.
As described in the Publication and Repository Responsibilities section.
No stipulation.
Revocation occurs for key compromise, policy violation, cessation of authority, or subscriber request.
Subscriber, RA, or IT manager.
Submit to RA with reason; processed within 24 hours.
No grace period for compromise; 24 hours otherwise.
Within 24 hours.
Relying parties must check CRL before use.
At least daily, or immediately upon revocation.
1 hour.
No stipulation (OCSP not supported).
N/A.
No stipulation.
Immediate revocation and notification to affected parties.
Suspension is not supported.
N/A.
N/A.
N/A.
Status via CRL.
Repository available 24/7.
No optional features.
Subscription ends upon revocation, expiry, or subscriber departure from Aaltronav.
No key escrow; private keys are subscriber-managed.
No stipulation.
CA systems are in a secure, access-controlled facility.
Access limited to authorised personnel.
Uninterruptible power supply (UPS) and climate control provided.
Facility protected against flooding.
Fire suppression systems in place.
Secure storage for backups.
Sensitive waste shredded or destroyed.
Backups stored off-site securely.
Roles include CA operator, RA, and auditor.
Critical tasks require two-person control.
Via certificates or passwords.
CA operations separated from RA.
Personnel must have relevant experience; background checks for trusted roles.
Internal verification.
Initial and ongoing training on PKI operations.
Annual.
No stipulation.
Disciplinary action up to termination.
Contractors bound by this CPS.
This CPS and operational procedures.
Issuance, revocation, access attempts.
Daily review.
7 years.
Stored securely, access restricted.
Regular backups.
Internal.
No stipulation.
Annual.
Certificates, CRLs, logs.
10 years.
Secure storage, integrity checks.
Off-site duplicates.
Electronic records time-stamped.
Internal.
Dual control verification.
CA keys changed every 5 years or upon compromise; new keys certified under old.
Report to IT manager; investigate and respond.
Restore from backups; re-issue if needed.
Revoke, notify, re-issue.
Off-site backups enable recovery within 48 hours.
Notify subscribers; transfer records to custodian (IT manager).
Generated by subscriber or CA using secure modules.
Secure channel (e.g., encrypted).
Via CSR.
Via repository.
RSA 2048 bits minimum.
CA-generated parameters verified.
As per certificate profile.
FIPS 140-2 Level 2 or equivalent for CA keys.
Two-person for CA keys.
No escrow.
Encrypted backups.
No archival of private keys.
Only authorised, encrypted.
Encrypted.
PIN or token.
Logout or timeout.
Overwrite or destruction.
As above.
Public keys archived with certificates.
1-3 years for end-entity; 10 years for CA.
Generated securely.
Stored encrypted.
Destroyed after use if one-time.
Firewalls, antivirus, access controls.
No external rating.
Secure development practices.
Regular updates.
Vendor support required.
Segmented networks, firewalls.
No stipulation.
X.509 v3.
Standard extensions as needed (e.g., key usage).
SHA-256 with RSA.
As described in the Naming subsection.
Permitted subtrees for Aaltronav domains.
1.3.6.1.4.1.50168.1.1.0
No stipulation.
CPS URI.
Require policy check.
v2.
Standard.
N/A (not supported).
N/A.
Annual internal review.
IT manager or external consultant.
Internal or independent.
All CPS sections.
Corrective measures.
To directors.
None.
None.
None.
None.
N/A.
No insurance.
No stipulation.
None.
Subscriber data.
Public certificates.
Handled securely.
Data protected per EU GDPR.
Personal identifiers.
Certificate contents.
Secure storage.
Via enrolment.
As required by law.
No stipulation.
Certificates are Aaltronav property.
Certificates issued per CPS.
Accurate verification.
Accurate information.
Proper validation.
Compliance with CPS.
No warranties beyond CPS.
Limited to direct damages.
Subscribers indemnify CA for misuse.
Effective upon approval.
Upon supersession.
Obligations survive.
Via email.
Review and approval.
Published updates.
Major changes.
Internal resolution; arbitration if needed.
Czech law.
Compliant with EU regulations.
Not assignable.
Invalid provisions severed.
Waiver must be written.
Excused for uncontrollable events.
No stipulation.