Microsoft Word - CPS_V3-08

DigiCert

Certificate Policy and

Certification Practice

Statement

DigiCert, Inc.

Version 3.08

May 29, 2009

Suite 200

Canopy Building II

355 South 520 West

Lindon, UT 84042

USA

Tel: 1-801-877-2100

Fax: 1-801-705-0481

www.digicert.com

TABLE OF CONTENTS

1. INTRODUCTION ................................................................................................................................... 1

1.1 Overview ............................................................................................................................................. 1

1.2 Document name and identification ....................................................................................................... 1

1.3 PKI participants ................................................................................................................................... 2

1.3.1 Certification authority ................................................................................................................... 2

1.3.2 Registration authority ................................................................................................................... 3

1.3.3 Subscribers ................................................................................................................................. 3

1.3.4 Relying parties .............................................................................................................................. 3

1.4 Certificate usage ................................................................................................................................. 3

1.4.1. Appropriate certificate uses ........................................................................................................ 3

1.4.2 Prohibited certificate uses .......................................................................................................... 3

1.5 Policy administration ........................................................................................................................... 3

1.5.1 Organization administering the document ................................................................................... 3

1.5.2 Contact person ............................................................................................................................ 4

1.5.3 Person determining CP/CPS suitability for the policy .................................................................. 4

1.5.4 CP/CPS approval procedures...................................................................................................... 4

1.6 Definitions and acronyms .................................................................................................................... 4

2. PUBLICATION AND REPOSITORY RESPONSIBILITIES .................................................................... 5

2.1 Repositories ........................................................................................................................................ 5

2.2 Publication of certification information ................................................................................................. 5

2.3 Time or frequency of publication ......................................................................................................... 5

2.4 Access controls on repositories ........................................................................................................... 5

3. IDENTIFICATION AND AUTHENTICATION .......................................................................................... 6

3.1 Naming ................................................................................................................................................ 6

3.1.1 Types of names ........................................................................................................................... 6

3.1.2 Need for names to be meaningful ................................................................................................ 6

3.1.3 Anonymity or pseudonymity of subscribers ................................................................................. 6

3.1.4 Rules for interpreting various name forms ................................................................................... 6

3.1.5 Uniqueness of names .................................................................................................................. 6

3.1.6 Recognition, authentication, and role of trademarks .................................................................... 6

3.2 Initial identity validation ....................................................................................................................... 6

3.2.1 Method to prove possession of private key ................................................................................. 6

3.2.2 Authentication of organization identity ......................................................................................... 7

3.2.3 Authentication of individual identity .............................................................................................. 8

3.2.4 Non-verified subscriber information ............................................................................................. 8

3.2.5 Validation of authority ................................................................................................................... 8

3.3 Identification and authentication for re-key requests ........................................................................... 9

3.3.1 Identification and authentication for routine re-key ...................................................................... 9

3.3.2 Identification and authentication for re-key after revocation ........................................................ 9

3.4 Identification and authentication for revocation request ....................................................................... 9

4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS .............................................................. 9

4.1 Certificate Application ........................................................................................................................ 10

4.1.1 Who can submit a certificate application ................................................................................... 10

4.1.2 Enrollment process and responsibilities .................................................................................... 10

4.2 Certificate application processing ....................................................................................................... 11

4.2.1 Performing Identification and Authentication Functions ............................................................. 11

4.2.2 Approval or rejection of certificate applications........................................................................... 12

4.2.3 Time to process certificate applications ..................................................................................... 12

4.3 Certificate issuance ........................................................................................................................... 12

4.3.1 CA actions during certificate issuance ....................................................................................... 12

4.3.2 Notification to subscriber by the CA of issuance of certificate ................................................... 12

4.4 Certificate acceptance ....................................................................................................................... 12

4.4.1 Conduct constituting certificate acceptance .............................................................................. 12

4.4.2 Publication of the certificate by the CA ...................................................................................... 13

4.5 Key pair and certificate usage ............................................................................................................ 13

4.5.1 Subscriber private key and certificate usage ............................................................................. 13

4.5.2 Relying party public key and certificate usage ........................................................................... 13

4.6 Certificate renewal............................................................................................................................. 13

4.7 Certificate re-key ............................................................................................................................... 14

4.8 Certificate modification ...................................................................................................................... 14

4.9 Certificate revocation and suspension............................................................................................... 14

4.9.1 Circumstances for revocation .................................................................................................... 14

4.9.2 Who can request revocation ...................................................................................................... 15

4.9.3 Procedure for revocation request .............................................................................................. 15

4.9.4 Revocation request grace period ............................................................................................... 15

4.9.5 Time within which CA must process the revocation request ...................................................... 15

4.9.6 Revocation checking requirement for relying parties ................................................................. 15

4.9.7 CRL issuance frequency ............................................................................................................ 15

4.9.8 Maximum latency for CRLs ........................................................................................................ 16

4.9.9 On-line revocation/status checking availability .......................................................................... 16

4.9.10 On-line revocation checking requirements ............................................................................... 16

4.9.11 Other forms of revocation advertisements available ................................................................. 16

4.9.12 Special requirements re key compromise ................................................................................. 16

4.9.13 Circumstances for suspension.................................................................................................. 16

4.9.14 Who can request suspension ................................................................................................... 16

4.9.15 Procedure for suspension request ............................................................................................ 16

4.9.16 Limits on suspension period ..................................................................................................... 16

4.10 Certificate status services ............................................................................................................... 16

4.11 End of subscription .......................................................................................................................... 16

4.12 Key escrow and recovery ................................................................................................................ 16

5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS ............................................................. 16

5.1 Physical controls ............................................................................................................................... 17

5.1.1 Site location and construction .................................................................................................... 17

5.1.2 Physical access ......................................................................................................................... 17

5.1.3 Power and air conditioning ........................................................................................................ 17

5.1.4 Water exposures ....................................................................................................................... 17

5.1.5 Fire prevention and protection ................................................................................................... 17

5.1.6 Media storage ............................................................................................................................ 17

5.1.7 Waste disposal .......................................................................................................................... 18

5.1.8 Off-site backup .......................................................................................................................... 18

5.2 Procedural controls ........................................................................................................................... 18

5.2.1 Trusted roles.............................................................................................................................. 18

5.2.2 Number of persons required per task ........................................................................................ 18

5.2.3 Identification and authentication for each role ........................................................................... 19

5.2.4 Roles requiring separation of duties .......................................................................................... 19

5.3 Personnel controls............................................................................................................................. 19

5.3.1 Qualifications, experience, and clearance requirements ........................................................... 19

5.3.2 Background check procedures .................................................................................................. 19

5.3.3 Training requirements ................................................................................................................ 19

5.3.4 Retraining frequency and requirements ..................................................................................... 19

5.3.5 Job rotation frequency and sequence ........................................................................................ 19

5.3.6 Sanctions for unauthorized actions ............................................................................................ 19

5.3.7 Independent contractor requirements ........................................................................................ 19

5.3.8 Documentation supplied to personnel ....................................................................................... 19

5.4 Audit logging procedures ................................................................................................................... 20

5.4.1 Types of events recorded .......................................................................................................... 20

5.4.2 Frequency of processing log ..................................................................................................... 20

5.4.3 Retention period for audit log .................................................................................................... 20

5.4.4 Protection of audit log ................................................................................................................ 20

5.4.5 Audit log backup procedures ..................................................................................................... 20

5.4.6 Audit collection system (internal vs. external) ............................................................................ 20

5.4.7 Notification to event-causing subject ......................................................................................... 20

5.4.8 Vulnerability assessments ......................................................................................................... 21

5.5 Records archival................................................................................................................................ 21

5.5.1 Types of records archived ......................................................................................................... 21

5.5.2 Retention period for archive ...................................................................................................... 21

5.5.3 Protection of archive .................................................................................................................. 22

5.5.4 Archive backup procedures ....................................................................................................... 22

5.5.5 Requirements for time-stamping of records ............................................................................... 22

5.5.6 Archive collection system (internal or external) ......................................................................... 22

5.5.7 Procedures to obtain and verify archive information .................................................................. 22

iii

5.6 Key changeover ................................................................................................................................ 22

5.7 Compromise and disaster recovery ................................................................................................... 22

5.7.1 Incident and compromise handling procedures ......................................................................... 22

5.7.2 Computing resources, software, and/or data are corrupted ....................................................... 23

5.7.3 Entity private key compromise procedures ................................................................................ 23

5.7.4 Business continuity capabilities after a disaster......................................................................... 23

5.8 CA or RA termination ........................................................................................................................ 23

6. TECHNICAL SECURITY CONTROLS ..................................................................................................... 24

6.1 Key pair generation and installation .................................................................................................. 24

6.1.1 Key pair generation ................................................................................................................... 24

6.1.2 Private key delivery to subscriber .............................................................................................. 24

6.1.3 Public key delivery to certificate issuer ...................................................................................... 24

6.1.4 CA public key delivery to relying parties .................................................................................... 24

6.1.5 Key sizes ................................................................................................................................... 24

6.1.6 Public key parameters generation and quality checking ............................................................ 24

6.1.7 Key usage purposes (as per X.509 v3 key usage field) ............................................................. 25

6.2 Private Key Protection and Cryptographic Module Engineering Controls .......................................... 25

6.2.1 Cryptographic module standards and controls .......................................................................... 25

6.2.2 Private key (n out of m) multi-person control ............................................................................. 25

6.2.3 Private key escrow .................................................................................................................... 25

6.2.4 Private key backup .................................................................................................................... 25

6.2.5 Private key archival ................................................................................................................... 25

6.2.6 Private key transfer into or from a cryptographic module .......................................................... 25

6.2.7 Private key storage on cryptographic module ............................................................................ 25

6.2.8 Method of activating private key ................................................................................................ 25

6.2.9 Method of deactivating private key ............................................................................................ 26

6.2.10 Method of destroying private key .............................................................................................. 26

6.2.11 Cryptographic Module Rating ................................................................................................... 26

6.3 Other aspects of key pair management ............................................................................................. 26

6.3.1 Public key archival ..................................................................................................................... 26

6.3.2 Certificate operational periods and key pair usage periods ....................................................... 26

6.4 Activation data ................................................................................................................................... 26

6.4.1 Activation data generation and installation ................................................................................ 26

6.4.2 Activation data protection .......................................................................................................... 26

6.4.3 Other aspects of activation data ................................................................................................ 27

6.5 Computer security controls ................................................................................................................ 27

6.5.1 Specific computer security technical requirements .................................................................... 27

6.5.2 Computer security rating ........................................................................................................... 27

6.6 Life cycle technical controls ............................................................................................................... 27

6.6.1 System development controls ................................................................................................... 27

6.6.2 Security management controls .................................................................................................. 27

6.6.3 Life cycle security controls ......................................................................................................... 27

6.7 Network security controls .................................................................................................................. 27

6.8 Time-stamping .................................................................................................................................. 28

7. CERTIFICATE, CRL, AND OCSP PROFILES ......................................................................................... 28

7.1 Certificate profile ............................................................................................................................... 28

7.1.1 Version number(s) ..................................................................................................................... 28

7.1.2 Certificate extensions ................................................................................................................ 28

7.1.3 Algorithm object identifiers ........................................................................................................ 28

7.1.4 Name forms ............................................................................................................................... 28

7.1.5 Name constraints ....................................................................................................................... 28

7.1.6 Certificate policy object identifier ............................................................................................... 28

7.1.7 Usage of Policy Constraints extension ...................................................................................... 28

7.1.8 Policy qualifiers syntax and semantics ...................................................................................... 28

7.1.9 Processing semantics for the critical Certificate Policies extension ............................................ 28

7.2 CRL profile ........................................................................................................................................ 29

7.2.1 Version number(s) ..................................................................................................................... 29

7.2.2 CRL and CRL entry extensions ................................................................................................. 29

7.3 OCSP profile ..................................................................................................................................... 29

8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS ............................................................................ 29

8.1 Frequency or circumstances of assessment ..................................................................................... 29

8.2 Identity/qualifications of assessor ...................................................................................................... 29

8.3 Assessor's relationship to assessed entity ........................................................................................ 30

8.4 Topics covered by assessment ......................................................................................................... 30

8.5 Actions taken as a result of deficiency .............................................................................................. 30

8.6 Communication of results .................................................................................................................. 30

9. OTHER BUSINESS AND LEGAL MATTERS .......................................................................................... 30

9.1 Fees .................................................................................................................................................. 30

9.1.1 Certificate issuance or renewal fees .......................................................................................... 30

9.1.2 Certificate access fees .............................................................................................................. 30

9.1.3 Revocation or status information access fees ........................................................................... 30

9.1.4 Fees for other services .............................................................................................................. 30

9.1.5 Refund policy ............................................................................................................................. 30

9.2 Financial responsibility ...................................................................................................................... 31

9.2.1 Insurance coverage ................................................................................................................... 31

9.2.2 Other assets .............................................................................................................................. 31

9.2.3 Insurance or warranty coverage for end-entities........................................................................ 31

9.3 Confidentiality of business information .............................................................................................. 31

9.3.1 Scope of confidential information............................................................................................... 31

9.3.2 Information not within the scope of confidential information ...................................................... 31

9.3.3 Responsibility to protect confidential information ....................................................................... 31

9.4 Privacy of personal information ......................................................................................................... 31

9.4.1 Privacy plan ............................................................................................................................... 31

9.4.2 Information treated as private .................................................................................................... 31

9.4.3 Information not deemed private ................................................................................................. 31

9.4.4 Responsibility to protect private information .............................................................................. 32

9.4.5 Notice and consent to use private information ........................................................................... 32

9.4.6 Disclosure pursuant to judicial or administrative process ......................................................... 32

9.4.7 Other information disclosure circumstances .............................................................................. 32

9.5 Intellectual property rights ................................................................................................................. 32

9.6 Representations and warranties ........................................................................................................ 32

9.6.1 CA representations and warranties ........................................................................................... 32

9.6.2 RA representations and warranties ........................................................................................... 33

9.6.3 Subscriber representations and warranties ............................................................................... 33

9.6.4 Relying party representations and warranties ........................................................................... 34

9.6.5 Representations and Warranties of Other Participants .............................................................. 35

9.7 Disclaimers of warranties .................................................................................................................. 35

9.8 Limitations of liability ......................................................................................................................... 35

9.9 Indemnities ........................................................................................................................................ 36

9.10 Term and termination ...................................................................................................................... 36

9.10.1 Term ........................................................................................................................................ 36

9.10.2 Termination.............................................................................................................................. 36

9.10.3 Effect of termination and survival ............................................................................................. 36

9.11 Individual notices and communications with participants ................................................................ 36

9.12 Amendments ................................................................................................................................... 36

9.12.1 Procedure for amendment ....................................................................................................... 36

9.12.2 Notification mechanism and period .......................................................................................... 36

9.12.3 Circumstances under which OID must be changed ................................................................. 37

9.13 Dispute resolution provisions .......................................................................................................... 37

9.14 Governing law ................................................................................................................................. 37

9.15 Compliance with applicable law ...................................................................................................... 37

9.16 Miscellaneous provisions ................................................................................................................ 37

9.16.1 Entire agreement ..................................................................................................................... 37

9.16.2 Assignment .............................................................................................................................. 37

9.16.3 Severability .............................................................................................................................. 37

9.16.4 Enforcement (attorneys' fees and waiver of rights) .................................................................. 38

9.16.5 Force Majeure ......................................................................................................................... 38

9.17 Other provisions .............................................................................................................................. 38

Appendix A .................................................................................................................................................... 39

Appendix B .................................................................................................................................................... 40

1. DigiCert's Root Certificates ................................................................................................................. 40

4. DigiCert's Entrust-issued Intermediate CA Certificate .......................................................................... 51

1. INTRODUCTION

1.1 Overview

This document is the DigiCert, Inc. (hereafter referred to as “DigiCert” where applicable) Certificate

Policy and Certification Practice Statement (CP/CPS) and outlines the legal, commercial and technical

principles and practices that DigiCert employs in providing certification services, i.e. it is a statement of

the practices that DigiCert uses in approving, issuing, using and otherwise managing ITU X.509 version

3 Digital Certificates and in maintaining a Certificate-based public key infrastructure (PKI) applicable

to the Certificates that DigiCert issues. A digital certificate is formatted data that cryptographically

binds an identified subscriber with a public key. A digital certificate allows an entity taking part in an

electronic transaction to prove its identity to other participants in such transaction. Digital certificates

are used in commercial environments as a digital equivalent of an identification card.

This CP/CPS also defines the underlying certification processes for Subscribers of certificates and

describes DigiCert’s Certification Authority (CA) and certificate repository operations. It is also a public

statement of the practices of DigiCert, Inc. and serves to notify all parties involved in the DigiCert PKI

of their roles and responsibilities. Pursuant to the IETF PKIX RFC 3647 CP/CPS framework, this

CP/CPS is divided into nine (9) parts that cover practices and procedures for identifying certificate

applicants, issuing and revoking certificates, and the security controls related to managing the

physical, personnel, technical and operational components of the CA infrastructure. To preserve the

outline specified by RFC 3647, some section headings that do not apply will have the statement "Not

applicable" or "No Stipulation."

DigiCert issues certificates for server and client authentication to organizations and individuals for use with

the SSL 3.0/TLS 1.0 protocol to enable secure transactions of data through privacy, authentication, and

data integrity ("SSL Certificates"). DigiCert issues server-specific, multi-server (unified communications),

and wildcard (*.domain.com) SSL certificates. DigiCert also issues certificates for encryption, signing email

and client authentication. The validity period of a DigiCert-issued certificate is 1 year, 2 years or 3 years.

DigiCert reserves the right to, at its sole discretion, issue certificates that may fall outside of these set

periods.

To obtain a DigiCert SSL Certificate, the applicant submits an application via a secure, online link, according

to the procedures described herein. Applicants are required to submit a PKCS#10 Certificate Signing

Request (PKCS#10 CSR) containing the applicant's identifying information and geographic location and a

public key signed with the applicant's corresponding private key. Additional documentation in support of the

application may be required so that DigiCert may verify the identity of the applicant. Applicants are required

to submit sufficient identifying information to DigiCert prior to receiving certificate approval. Upon verification

of identity, DigiCert issues the certificate and sends a notice to the applicant. The applicant downloads and

installs the certificate to a network device to be used for authentication and encryption. The applicant must

notify DigiCert of any inaccuracy or defect in a certificate promptly after receipt of the certificate or earlier

notice of incorrect informational content to be included in the certificate. After certificate issuance, if the

Subscriber ever suspects that the security of the device containing the private key may have been

compromised, he or she must immediately contact DigiCert and request revocation of the certificate.

Revoked certificates are published on a Certificate Revocation List (CRL).

1.2 Document name and identification

This document is the DigiCert, Inc. CP/CPS version 3.08 which was originally approved for publication on 14

July 2006 by DigiCert senior management, acting as the DigiCert Policy Authority (DCPA). Revisions of

this document have been made as follows:

Date Changes Version

7-14-2006 New Version 3.0

9-16-2006

Changed logo, added this revision table, added method of verifying

authorization in sections 3.2.5 and 4.1.2; revised language in section 5.7

to update status of implementation and testing of disaster recovery /

business continuity plan; modified section 6.6.1 concerning approval of

3.01

Date Changes Version

change requests, and added l = locality and s = state of Subscriber fields

to subject name to certificate profiles for end entity certificates.

11-9-2006

Removed reference to DigiCert High Assurance CA from section 1.2 and

from Appendix B.

Updated Appendix B to note changes in common names of DigiCert

Assured ID Root CA and removed references to DigiCert High Assurance

CA. Also removed extended key usage and certificate policies extensions

from Root Certificates and updated Key Identifiers and CRL references.

3.02

3-15-2007

Added Unified Communications Certificate, discussion of intranet

certificates, and updated certificate profiles. Added reference to DigiCert

High Assurance EV CA-2 in section 1.2 and Appendix B for Subordinate

CA issuing Organization-Vetted (OV) Certificates.

3.03

4-3-2007

Added Email Certificates, replacement of DigiCert High Assurance EV

CA-2 with DigiCert High Assurance CA-3, and removed Netscape Cert

Type from profile.

3.04

6-4-2007

Modified sections 3.2.2, 3.2.3, and 4.2 to further clarify vetting procedures

of organizations and individuals

3.05

8-14-2007

Modified multiple sections and end-entity certificate

profiles to update CRL issuance policy and validity periods and

allow end-entity certificates to have individual (dedicated) CRL

distribution point URLs. Many other minor changes made for general

improvement and clarification.

3.06

4-2-2008

Changed street address, and made changes to conform to Code Signing

standards.

3.07

5-29-2009

Changed description of domain control validation process, certificate

issuance, revocation checking, physical security, descriptions of trusted

roles, information related to certificate profiles and other minor changes

for general improvement and clarification.

3.08

As detailed in this CP/CPS, DigiCert issues the following certificate types, which are identified by the

following object identifier(s) under DigiCert's ANSI-issued arc of joint-iso-ccitt (2) country (16) USA

(840) US-company (1) DigiCert (114412) CP/CPS (1) ver.3 (3) (i.e., 2.16.840.1.114412.1.3), which

DigiCert uses to identify this CP/CPS and Certificates issued pursuant hereto:

Root Certification Authority DigiCert CP OID

DigiCert Global CA 2.16.840.1.114412.1.3.0.1

DigiCert High Assurance EV CA 2.16.840.1.114412.1.3.0.2

(DigiCert High Assurance CA-3)

DigiCert Global Root CA 2.16.840.1.114412.1.3.0.3

DigiCert Assured ID Root CA 2.16.840.1.114412.1.3.0.4

1.3 PKI participants

1.3.1 Certification authority

DigiCert is a Certification Authority (CA) that issues high quality and highly trusted digital certificates

to entities including private and public companies and individuals in accordance with this CP/CPS. In

its role as a CA, DigiCert performs functions associated with public key operations that include

receiving requests, issuing, revoking and renewing a digital certificate and the maintenance, issuance

and publication of CRLs and OCSP responses for users within the DigiCert PKI. In delivering its PKI

services DigiCert complies in all material respects with high-level international standards including

those on Qualified Certificates pursuant to the European Directive 99/93 and the relevant law on

electronic signatures and all other relevant legislation and regulation.

In its role as a CA, DigiCert provides certificate services within the DigiCert PKI and will:

 Conform its operations to this CP/CPS (or other CA business practices disclosures), as

the same may from time to time be modified by amendments published in the DigiCert

repository (www.digicert.com/ssl-cps-repository.htm)

 Issue and publish certificates in a timely manner in accordance with the issuance

periods set out in this CP/CPS.

 Upon receipt of a valid request to revoke the certificate from a person authorized to

request revocation using the revocation methods detailed in this CP/CPS, revoke a

certificate issued for use within the DigiCert PKI.

 Publish and update CRLs and OCSP responses on a regular basis and in a timely

manner, in accordance with the provisions described in this CP/CPS

 Distribute issued certificates in accordance with the methods detailed in this CP/CPS

 Notify subscribers via email of the imminent expiry of their DigiCert issued certificate

beginning 60 days prior to expiration

1.3.2 Registration authority

Not applicable.

1.3.3 Subscribers

Subscribers of DigiCert services are individuals or companies that use PKI in relation with DigiCert

supported transactions and communications. Subscribers are parties that are identified in a certificate

and hold the private key corresponding to the public key that is listed in a subscriber certificate. Prior to

verification of identity and issuance of a certificate, a Subscriber is an applicant for the services of

DigiCert.

1.3.4 Relying parties

Relying parties use PKI services in relation with DigiCert-issued certificates and reasonably rely on

such certificates and/or digital signatures verifiable with reference to a public key listed in the

certificate.

To verify the validity of a digital certificate they receive, relying parties must refer to the CRL or

OCSP response prior to relying on information featured in a certificate to ensure that DigiCert has

not revoked the certificate. The locations of the CRL distribution point and OCSP responder are

detailed within the certificate.

1.4 Certificate usage

1.4.1. Appropriate certificate uses

Certificates issued pursuant to this CP/CPS may be used for all legal authentication, encryption, access

control, and digital signature purposes, as designated by the key usage and extended key usage fields

found within the certificate. Typically, the following bits are enabled for DigiCert-issued SSL Certificates:

keyEncipherment, digitalSignature, serverAuthentication and clientAuthentication. Code-signing Certificates

have key usage of digital signature and extended key usage for code signing. Email Certificates are

enabled for digital signature, key encipherment, secure email and client authentication.

1.4.2 Prohibited certificate uses

Certificates issued under the provisions of this CP/CPS may not be used for: (i) any application requiring

fail-safe performance such as: (a) the operation of nuclear power facilities, (b) air traffic control systems, (c)

aircraft navigation systems, (d) weapons control systems, or (e) any other system whose failure could lead

to injury, death or environmental damage; or (ii) transactions where applicable law prohibits the use of

encryption or digital certificates for such transactions or where otherwise prohibited by law.

1.5 Policy administration

1.5.1 Organization administering the document

This CP/CPS and related agreements and security policy documents referenced within this

document are maintained by the DigiCert Policy Authority (DCPA). The DCPA may be contacted at:

DigiCert, Inc.

Suite 200

Canopy Building II

355 South 520 West

Lindon, UT 84042 USA

Tel: 1-801-877-2100

Fax: 1-801-705-0481

1.5.2 Contact person

Attn: Legal Counsel

DigiCert, Inc.

Suite 200

Canopy Building II

355 South 520 West

Lindon, UT 84042 USA

1.5.3 Person determining CP/CPS suitability for the policy

Attn: DigiCert Policy Authority

Suite 200

Canopy Building II

355 South 520 West

Lindon, UT 84042 USA

1.5.4 CP/CPS approval procedures

Approval of this CP/CPS and any amendments hereto is by the DCPA. Amendments may be made by

updating this entire document or by addendum. The DCPA determines whether changes to this CP/CPS

require notice or any change in the OID of a certificate issued pursuant to this CP/CPS. See also Section

9.10 and Section 9.12 below.

1.6 Definitions and acronyms

Applicant: The Applicant is an individual or entity applying for a Certificate.

Application Software Vendor: A developer of Internet browser software or other software that

displays or uses certificates and distributes root certificates, such as KDE, Microsoft Corporation,

Mozilla Corporation, Opera Software ASA, and Red Hat, Inc.

Registrar: The global Domain Name Registrar for the applicant. See http://www.icann.org

Relying Party: The Relying Party is an individual or entity that relies upon the information

contained within the Certificate.

Subscriber: The Subscriber is an individual or entity that has been issued a Certificate.

Subscriber Agreement: The Subscriber Agreement is an agreement that must be read and accepted by

an Applicant before applying for a Certificate. The Subscriber Agreement is specific to the Digital Certificate

product type as presented during the product online order process and is available for reference at

www.digicert.com/ssl-cps-repository.htm.

Relying Party Agreement: The Relying Party Agreement is an agreement which must be read and

accepted by a Relying Party prior to validating, relying on or using a Certificate or accessing or using

DigiCert’s Repository and is available for reference at www.digicert.com/ssl-cps-repository.htm.

Acronyms:

CA Certificate Authority or Certification Authority

CP Certificate Policy

CPS Certification Practice Statement

CRL Certificate Revocation List

CSR Certificate Signing Request

DCPA DigiCert Policy Authority

EU European Union

FIPS Federal Information Processing Standard

FTP File Transfer Protocol

HSM Hardware Security Module

HTTP Hypertext Transfer Protocol

ICANN Internet Corporation for Assigned Names and Numbers

IETF Internet Engineering Task Force

ITU International Telecommunication Union

ITU-T ITU Telecommunication Standardization Sector

OCSP Online Certificate Status Protocol

OID Object Identifier

PKI Public Key Infrastructure

PKIX IETF Working Group on Public Key Infrastructure

PKCS Public Key Cryptography Standard

SHA-1 Secure Hashing Algorithm

SSL Secure Sockets Layer

TLS Transport Layer Security

URL Uniform Resource Locator

X.509 The ITU-T standard for Certificates and their corresponding authentication framework

2. PUBLICATION AND REPOSITORY RESPONSIBILITIES

2.1 Repositories

DigiCert publishes this CP/CPS, certificate terms and conditions, the relying party agreement and the

subscriber agreement in the official DigiCert repository at http://www.digicert.com/ssl-cps-repository.htm.

Any revocation data on issued digital certificates is published at location of the CRL distribution point or

OCSP responder specified in the certificate.

2.2 Publication of certification information

The DigiCert certificate services and the DigiCert repository are accessible through several means of

communication:

 On the web: www.digicert.com

 By email to admin@digicert.com

 By mail addressed to: DigiCert, Inc., 355 South 520 West, Lindon, Utah 84042

 By telephone Tel: 1-801-877-2100

 By fax: 1-801-705-0481

DigiCert publishes CRLs to allow relying parties to determine the validity of a certificate issued by

DigiCert. Each CRL contains entries for all revoked un-expired certificates issued and is valid for a

period from 24 hours up to 7 days.

2.3 Time or frequency of publication

CRLs for end-user Subscriber Certificates are issued at least once per day. CRLs for CA Certificates

are issued twice annually, but also whenever a CA Certificate is revoked. Each CRL includes a

monotonically increasing sequence number for each CRL issued.

2.4 Access controls on repositories

Parties (including Subscribers and Relying Parties) accessing the DigiCert Repository

(http://www.digicert.com/ssl-cps-repository.htm

) and other DigiCert publication resources (CRLs and

OCSP) are deemed to have agreed with the provisions of this CP/CPS and any other conditions of usage

that DigiCert may make available. Parties demonstrate acceptance of the conditions of usage of this

CP/CPS by using a DigiCert-issued certificate. Failure to comply with the conditions of usage of the

DigiCert Repositories and web site may result in termination of the relationship between DigiCert and

the party, at DigiCert

’

s sole discretion, and any unauthorized reliance on a certificate shall be at that

party's risk.

3. IDENTIFICATION AND AUTHENTICATION

3.1 Naming

3.1.1 Types of names

Certificates are issued with a non-null subject Distinguished Name (DN) complying with ITU X.500

standards. Non-wildcard SSL Certificates and Unified Communications Certificates are issued using the

Fully Qualified Domain Name (FQDN) name or IP address of the servers, services or applications that have

been confirmed with the Subscriber. DigiCert does issue Certificates for intranet use, and some certificates,

including Unified Communications Certificates, may contain entries in the Subject Alternative Name

extension that are not intended to be relied upon by the general public (e.g., they contain non-standard Top

Level Domains like .local or they are addressed to an IP number space that has been allocated as private by

RFC1918). Wildcard SSL Certificates have a wildcard asterisk character for the server name in the Subject

field. The FQDN or authenticated domain name is placed in the Common Name (CN) attribute of the

Subject field and, when applicable, the Subject Alternative Name extension contains the FQDNs or

authenticated domain names of the servers that are owned or under the control of the Subscriber. For Email

Certificates, the subject DN consists of an email address, common name (not verified – for Subscriber

convenience only), organizational unit, organization name, locality, state, and/or country. The Subject

Alternative Name extension also contains the Subscriber’s email address.

3.1.2 Need for names to be meaningful

DigiCert ensures that the Organization (O) and Organizational Unit (OU) attributes in the Subject field

accurately identify the legal entity that is the subject of the certificate. Similarly, DigiCert uses non-

ambiguous designations in the Issuer field to identify itself as the Issuer of a certificate (e.g., DigiCert Global

CA).

3.1.3 Anonymity or pseudonymity of subscribers

DigiCert does not issue anonymous or pseudonymous certificates.

3.1.4 Rules for interpreting various name forms

Distinguished Names in Certificates shall be interpreted using X.500 standards and ASN.1 syntax. See

RFC 2253 and RFC 2616 for further information on how X.500 distinguished names in certificates are

interpreted as Uniform Resource Identifiers and HTTP references.

3.1.5 Uniqueness of names

Name uniqueness is ensured through the use of the Common Name attribute of the Subject Field, which

contains the authenticated domain name, which is controlled under the auspices of the Internet Corporation

for Assigned Names and Numbers (ICANN).

3.1.6 Recognition, authentication, and role of trademarks

Subscribers shall solely be responsible for the legality of the information they present for use in certificates

issued under this CP/CPS, in any jurisdiction in which such content may be used or viewed. DigiCert

subscribers represent and warrant that when submitting certificate requests to DigiCert and using a domain

and distinguished name (and all other certificate application information) they do not interfere with or

infringe upon the rights of any third parties in any jurisdiction with respect to their trademarks, service

marks, trade names, company names, or any other intellectual property right, and that they are not seeking

to use the domain and distinguished names for any unlawful purpose, including, without limitation, tortious

interference with contract or prospective business advantage, unfair competition, injuring the reputation of

another, or to confuse or mislead any person, whether natural or corporate. Certificate Subscribers shall

defend, indemnify, and hold DigiCert harmless for any loss or damage resulting from any such

interference or infringement and shall be responsible for defending all actions against DigiCert.

3.2 Initial identity validation

3.2.1 Method to prove possession of private key

The applicant must submit a digitally signed PKCS#10 CSR to establish that it holds the private key

corresponding to the public key to be included in a certificate. DigiCert parses the PKCS#10 CSR submitted

by the Applicant in a secure manner and verifies that the Applicant’s digital signature on the PKCS#10 was

created by the private key corresponding to the public key in the PKCS#10 CSR.

3.2.2 Authentication of organization identity

The elements listed in this section are utilized by DigiCert during the certificate issuance process to

authenticate identity. Elements that are already in the public domain (e.g., available via WHOIS, etc.)

are not treated as confidential for purposes of the privacy and protection of data provisions outlined in

Section 9.4

of this CP/CPS.

Information Collected During Certificate Application Process:

 Common Name / Fully Qualified Domain Name / Network Server Name / Public or Private IP

("CN=" in CSR must match registered domain name or IP address)

 Organization name

 Organizational unit

 City, State and Country

 Public Key (from CSR)

 Server Software Identification

 Legal Name of Organization Contact Person

 Email address of Organization Contact Person

 Street Address and Postal Area Code

 DUNS Number (if available)

 Payment Information

 Technical contact full name, email address and telephone (optional)

 Proof of right to use name

 Proof of existence and professional status of the Individual

 Applicant’s acceptance of subscriber agreement

 Any other information DigiCert deems necessary to collect as part of the application process

If the Common Name of the Organization populated automatically from the CSR is not

correct, the applicant is requested to generate a new CSR with the correct Common

Name or DigiCert Registration Personnel may change the data received from the CSR

to ensure that the Common Name in the issued certificate will match the confirmed

Common Name. See Section 4.1.2

. If other organization information or geographic

location information are incorrect, that information is replaced with correct information in

DigiCert's subscriber database.

At DigiCert’s discretion, DigiCert may require one or more of the following documents to assist in verifying

information collected during the application process:

 Articles of Association

 Business License

 Certificate of Compliance

 Certificate of Incorporation

 Certificate of Authority to Transact Business

 Tax Certification

 Corporate Charter

 Official letter from an authorized representative of a government organization

 Official letter from office of Dean or Principal (for Educational Institutions)

DigiCert may accept at its discretion other official documentation supporting an application.

DigiCert may use the services of a third party to confirm information on a business entity that applies for

a digital certificate. DigiCert accepts confirmation from third party organizations, other third party

databases and government entities.

DigiCert may use online data resources to confirm the registration of the applicant company and/or to

verify members of the board, management, and officers and directors representing the company.

DigiCert may use any means of communication at its disposal to ascertain the identity of an

organizational or individual applicant. DigiCert reserves the right to not issue a Certificate in its absolute

discretion.

3.2.3 Authentication of individual identity

The elements listed in this section are utilized by DigiCert during the certificate issuance process to

authenticate identity. Elements that are already in the public domain (e.g., available via WHOIS) are

not treated as confidential for purposes of the privacy and protection of data provisions outlined in

Section 9.4

of this CP/CPS.

At DigiCert’s discretion, DigiCert may require one or more of the following documents to assist in verifying

information collected during the application process:

 Passport

 Driver's License with photo or non-driver’s license identification card with photo;

 Military ID with photo;

 Alien registration card or naturalization certificate (with photograph);

 National health card (in jurisdictions where it contains a photograph); or

 Other similarly trustworthy, valid photo ID issued by a Government Agency.

DigiCert may accept at its discretion other official documentation supporting an application.

Upon receipt of an application for an SSL Certificate and based on the submitted information, DigiCert

will confirm that the information to be published in the certificate is accurate, except for non-verified

subscriber information (e.g., internal host names). For Email Certificates, the identity and/or legal

name of the Subscriber are not verified.

For Personal Email Certificates, DigiCert only verifies the applicant's email address control. An email

is sent to the applicant at the email address to be included in the certificate. The applicant must

respond affirmatively and acknowledge the certificate request at a specified DigiCert URL. The

acknowledgement response establishes that the applicant has control over the email address. The

name, email address and IP address of the individual providing the response are recorded.

In all types of DigiCert certificates, the Subscriber has a continuous obligation to monitor the accuracy

of the submitted information and notify DigiCert of any changes that would affect the validity of the

certificate. Failure to comply with the obligations as set out in the Subscriber Agreement will result in

the revocation of the Subscriber's certificate without further notice to the Subscriber and the Subscriber

shall pay any charges payable but not yet paid under the Subscriber Agreement.

In all cases and for all types of DigiCert certificates, the Subscriber has a continuous obligation to monitor

the accuracy of the submitted information and notify DigiCert of any such changes.

3.2.4 Non-verified subscriber information

DigiCert does not confirm non-DNS-addressable pseudodomains and host names that can only be used

internally within the Subscriber’s enterprise (e.g. mailserver.domain.local, mail, webmail.fi.dom,

autodiscover.company.locale, etc.). However, it does confirm control of registered domains in

accordance with Sections 3.2.5 and 4.2.1.

For Email Certificates, DigiCert does not confirm that the Common Name requested by the applicant is

the legal name of the Subscriber. (Verification procedures for Email Certificates are identified below in

Section 3.2.5). DigiCert is not responsible for non-verified Subscriber information submitted to DigiCert

or the DigiCert directories or otherwise submitted with the intention to be included in a certificate, except

as it may have otherwise been stated in relation to Qualified Certificates issued pursuant to the

requirements of the European Directive 99/93.

3.2.5 Validation of authority

For certificates issued at the request of a Subscriber's agent, both the agent and the Subscriber shall

jointly and severally indemnify and hold harmless DigiCert, and its parent companies, subsidiaries,

directors, officers, employees, agents, and contractors.

The Subscriber shall control and be responsible for the data that an agent of the Subscriber supplies to

DigiCert. The Subscriber must promptly notify DigiCert of any misrepresentations and omissions made by

an agent of the Subscriber. The duty of this article is continuous.

Authority to use domain name or IP address is confirmed by a WHOIS check or a practical demonstration of

domain control to ensure that the Organization owns or controls the Domain Name or IP address.

The authority of the applicant's agent is confirmed with an authorized contact listed with the Domain Name

Registrar ("Registrar") or through a person with administrative or technical control over the domain. The

registered domain administrator or technical contact is asked to confirm the agent’s authorization to receive

a Certificate for the URL requested. Contact information is obtained from WHOIS and reviewed by DigiCert

validation personnel during the application process. After application submittal, authorization from the

domain contact person and/or others such as persons with administrative control over the domain (e.g.

[email protected], [email protected], ad[email protected], etc.) is received through one

of the following methods:

 These persons are contacted via a “Domain Control Validation” email and directed to a secure URL

where at least one of them must enter their name and acknowledge that the person requesting the

certificate has the right and authority to apply for the certificate to allow the application for a

certificate to proceed. The name, email address and IP address of the organizational representative

acknowledging authority are also recorded;

 An Authorization Letter (e.g. Appendix A) is received from the Subscriber as explained in Sections

3.2.2, 4.1.1 and other portions of this CP/CPS;

 A record of one of the foregoing is on file in the account for the Subscriber at DigiCert from a

previous request for that domain (i.e. a Subscriber may pre-authorize its agent to perform all future

renewals of the certificate); or

 Other comparable methods of establishing authority are performed by DigiCert validation personnel.

Procedures similar to those above are also used to validate authority to receive an Enterprise Email

Certificate. Authority and ability to use an email address are confirmed through email and an

acknowledgement made at a secure URL. An email is sent to persons with administrative control over the

domain, e.g. [email protected], administrator@domain.com, [email protected]

, etc., or as

determined by the WHOIS record. The email requests that the person with administrative control over the

domain visit a specified DigiCert URL where they enter their name and acknowledge that the person

requesting the certificate has the right and authority to apply for the certificate. This confirms that the

applicant has the right or permission to acquire a certificate under that domain. Similarly, another email is

sent to the applicant at the email address to be included in the certificate and the applicant for the Enterprise

Email Certificate must respond affirmatively and acknowledge the certificate request at a specified DigiCert

URL, as described for Personal Email Certificates above in Section 3.2.3.

3.3 Identification and authentication for re-key requests

3.3.1 Identification and authentication for routine re-key

At any time prior to certificate expiration, a Subscriber may perform routine re-key by logging into the

Subscriber's customer account using his or her username and password. Through routine re-key, a new

certificate is created with the same certificate contents except for a new Public Key and, optionally, a new,

extended validity period. Re-keying is allowed in accordance with Section 4.7

3.3.2 Identification and authentication for re-key after revocation

A subscriber may re-key following revocation by submitting a new application. Identification and

authentication is performed by using the subscriber’s existing account username and password. The person

with access to the account must be the subscriber or someone authorized to act on behalf of the subscriber.

Otherwise, a new subscriber account must be established in accordance with the identification and

authentication requirements for obtaining an original certificate.

3.4 Identification and authentication for revocation request

See Section 4.9.3 (Procedure for Revocation Request)

4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS

This Part 4 of the CP/CPS describes the certificate application process.

4.1 Certificate Application

4.1.1 Who can submit a certificate application

Certificate applications must be submitted by the individual who is the subject of the certificate or by

persons who are duly authorized to request a certificate on behalf of the applicant. The WHOIS record

maintained by the domain registrar presumptively indicates who the persons are with authority over the

domain. If an application is being submitted by someone else as the agent of the domain owner, the

agent must submit a Domain Authorization Letter (Appendix A) authorizing the use of the domain.

All Certificate applicants must complete the enrollment process which includes:

 Generate an RSA key pair and submit a valid PKCS#10 CSR to demonstrate to DigiCert

ownership and control of the private key corresponding to the public key of the key pair,

 Make all reasonable efforts to protect the security and integrity of the private key,

 Submit to DigiCert a certificate application, including application information detailed herein,

 Agree to the terms of the Subscriber Agreement, and

 Provide proof of identity through the submission of official documentation as

requested by DigiCert during the enrollment process.

4.1.2 Enrollment process and responsibilities

Below as Figure 1 is a simplified flow chart of the enrollment and certificate issuance process:

Figure 1.

As part of the enrollment process, the Applicant pastes and submits the PKCS#10 CSR into a web

form that is submitted to DigiCert's CA systems. Next, information is collected from the CSR and the

web form and compared with information available in the WHOIS record. (See Section 3.2.2,

Information Collected During Certificate Application Process.)

Applicants must complete the online forms at DigiCert's website. Under special circumstances the

applicant may submit the same information in an application via email; however this process is

available at the sole discretion of DigiCert.

If the application is being made by a third-party for the company listed in the WHOIS record, the

following must also be provided to DigiCert:

 the Domain Authorization Letter (Appendix A), completed and signed by the Registrant

(e.g. a domain owner’s authorized representative) or the Administrative Contact on the

WHOIS record, and

 optionally, at DigiCert’s discretion, a photocopy of that person's photo ID (see Section

3.2.3) may be requested.

DigiCert validation personnel compare the information submitted by the Registrant or the

Administrative Contact to ensure that it is consistent with the information in the WHOIS record.

DigiCert reserves the right to use other comparable and acceptable methods to establish the

authorization of the individual requesting a certificate on behalf of the Subscriber.

4.2 Certificate application processing

4.2.1 Performing Identification and Authentication Functions

During the certificate approval process identified in Figure 1 above, DigiCert employs controls to

validate the identity of the Subscriber and other information featured in the certificate application.

DigiCert validation personnel review the application information provided by the Applicant to ensure

that:

1. The applicant has the right to use the domain name used in the application

 Validated by reviewing domain name ownership records available publicly from the

Domain Name Registrar

 Validation may be supplemented in one of the following ways:

 By communicating with the Administrative Contact listed in the WHOIS record

 By communicating with generic emails which ordinarily are only available to persons

with administrative control over the domain, for example, webmaster@domain.com,

administrato[email protected], admin@domain.com, etc.

 By requiring a practical demonstration of domain control (e.g., requiring the Applicant

to make a specified change to a live page on the given domain).

2. The applicant is an accountable legal entity

 Documentation of organizational existence is obtained from available records, including

those maintained by official government repositories and commercial providers of such

information.

 If necessary, information may be validated by requesting official company documentation,

such as Business License, filed or certified Articles of Incorporation/Organization, Sales

License or other relevant documents. For non-corporate applications, documentation listed

in Section 3.2.3.

The following steps describe the milestones to issue a Certificate:

a) The applicant fills out the online request on DigiCert’s web site and the applicant submits the

required information, including PKCS#10 CSR, email address, common name, organizational

information, address, and billing information.

b) The applicant accepts the Subscriber Agreement.

c) The applicant submits any additional information requested by DigiCert.

d) DigiCert verifies the submitted information using a variety of sources, including third

party databases and government records.

e) The applicant pays the certificate fees.

f) Upon successful validation of the application information, DigiCert may issue the certificate to

the applicant or should the application be rejected, DigiCert will alert the applicant that the

application has been unsuccessful.

4.2.2 Approval or rejection of certificate applications

From time to time, DigiCert may modify the requirements related to application information requested,

based on DigiCert requirements, business context of the usage of certificates, or as it may be required

by law.

Following successful completion of all required validations of a certificate application, DigiCert will

approve an application for a digital certificate.

If the information in the certificate application cannot be confirmed, then DigiCert will reject the

certificate application. DigiCert reserves the right to reject an application for a certificate if, in its own

assessment, the good and trusted name of DigiCert might be tarnished or diminished and may do so

without incurring any liability or responsibility for any loss or expenses arising out of such refusal.

DigiCert reserves the right not to disclose reasons for such a refusal.

Applicants whose applications have been rejected may subsequently re-apply.

4.2.3 Time to process certificate applications

DigiCert makes reasonable efforts to confirm certificate application information and issue a digital

certificate within a reasonable time frame. The time frame is greatly dependent on the applicant

providing the necessary details and documentation in a timely manner. Upon the receipt of the necessary

details and documentation, DigiCert aims to confirm submitted application data and to complete the

validation process and issue or reject a certificate application within two (2) working days.

Occasionally, events outside of the control of DigiCert may delay the issuance process. However,

DigiCert will make every reasonable effort to meet its issuance times and to make applicants aware

of any factors that may affect issuance times.

4.3 Certificate issuance

4.3.1 CA actions during certificate issuance

Upon determining that all required steps have been completed, DigiCert validation personnel approve the

issuance of the certificate. When a certificate is approved, a unique request string is sent to the CA. The

request string contains the relevant parameters for the certificate to be signed (e.g. PKCS #10 CSR, validity

period, etc.) and authentication information. The CA system determines whether issuance is authorized

from the specified CA key pair. If so, the CA system verifies the applicant's signature on the PKCS#10 CSR

and extracts the subject fields and public key for insertion into the certificate template. The certificate is

constructed with additional extensions listed in Section 7.1 (e.g. CRL distribution points, Extended Key

Usage, etc.). The new certificate is then signed with the CA private key and stored inside the database for

retrieval. A ZIP file with the Subscriber's certificate and other certificates in the DigiCert trust chain (i.e. the

root CA certificate and any intermediate CA certificates) is also created and sent to the subscriber.

4.3.2 Notification to subscriber by the CA of issuance of certificate

DigiCert SSL Certificates are delivered in a zip file via email to the email address designated by

the subscriber during the application process. The Subscriber is also provided a hypertext link to

a user id/password-protected location on DigiCert's web server where the subscriber may log in

and download each certificate or the zip file containing all certificates in the trust chain.

4.4 Certificate acceptance

4.4.1 Conduct constituting certificate acceptance

The subscriber is responsible for installing the issued certificate on the subscriber’s computer or

hardware security module according to the subscriber's system specifications. A subscriber is deemed

to have accepted a certificate when:

 The subscriber uses the certificate; or

 30 days pass since issuance of the certificate.

4.4.2 Publication of the certificate by the CA

DigiCert publishes the certificate by delivering it to the subscriber. No other publication or notification to

others occurs.

4.5 Key pair and certificate usage

4.5.1 Subscriber private key and certificate usage

Subscribers shall protect their private keys from access by unauthorized personnel or other third parties.

Subscribers shall use private keys only in accordance with the usages specified in the key usage extension.

See Sections 1.4.1, 6.1.7 and 7.1.

4.5.2 Relying party public key and certificate usage

DigiCert assumes that all user software will be compliant with X.509, the SSL/TLS protocol, and other

applicable standards that enforce the requirements set forth in this CP/CPS and the Certificate Profile

(Appendix B). DigiCert does not warrant that any third party's software will support or enforce such

controls or requirements, and all relying parties are advised to seek appropriate technical or legal

advice.

Parties relying on a digital certificate must adhere to the SSL/TLS protocol and verify a digital signature at

all times by checking the validity of a digital certificate against the relevant CRL or OCSP response

published by DigiCert. Relying Parties are alerted that an unverified digital signature cannot be relied

upon as a valid signature of the Subscriber.

The final decision concerning whether or not to rely on a verified digital signature or the security of an

SSL/TLS session is exclusively that of the relying party. Reliance on a digital signature or SSL/TLS

handshake should only occur if:

 The digital signature or SSL/TLS session was created during the operational period of a

valid certificate and it can be verified by referencing a validated certificate.

 The relying party has checked the revocation status of the certificate by referring to the

relevant CRLs or OCSP responses and the certificate has not been revoked.

 The relying party understands that a digital certificate is issued to a subscriber for a specific

purpose and that the private key associated with the digital certificate may only be used in

accordance with the usages specified in this CP/CPS and contained in the certificate.

Reliance is accepted as reasonable under the provisions made for the relying party under this CP/CPS

and within the Relying Party Agreement. If the circumstances of reliance exceed the assurances

delivered by DigiCert under the provisions made in this CP/CPS, the relying party must obtain

additional assurances.

Any warranties provided herein are valid only if the steps detailed above have been carried out by the

relying party.

Relying on an unverifiable digital signature or SSL/TLS session may result in risks that the relying party

assumes in whole and which DigiCert does not assume in any way.

By means of this CP/CPS, DigiCert has adequately informed relying parties on the usage and

validation of digital signatures and SSL/TLS sessions. This CP/CPS and other documentation are

published by DigiCert in its public repository available at http://www.digicert.com/ssl-cps-repository.htm

are also available via the contact addresses specified in Sections 2.2

and 9.11 of this CP/CPS.

4.6 Certificate renewal

DigiCert makes reasonable efforts to notify subscribers via email of the imminent expiration of a digital

certificate. Beginning sixty (60) days prior to the expiration of the certificate, DigiCert provides the

subscriber with notice of pending expiration.

Time remaining on the expiring certificate is added to the certificate lifetime of the new certificate.

Renewal fees are detailed on the official DigiCert website and within communications sent to

subscribers approaching the certificate expiration date.

Renewal application requirements and procedures are generally the same as those employed for the

application validation and issuance requirements detailed for new customers. DigiCert validation

personnel reconfirm domain name ownership using current WHOIS information. State or other

jurisdictional records are checked to confirm geographic location, company control and good

standing in the jurisdiction of organization. If a company is no longer in good standing, the

certificate is not renewed.

However, for individuals--provided that the individual's location and WHOIS information have not

changed--no additional identity vetting is required.

Some device platforms, e.g. Apache, allow renewed use of the private key. If the Subscriber's other

contact information and private key have not changed, DigiCert can use the same PKCS#10 CSR

as was used for the previous certificate.

Other aspects of certificate renewal (e.g., who may request renewal, notification of issuance,

conduct constituting acceptance, and publication of the certificate) are the same as they are for

initial certificate issuance. See Sections 4.1

, 4.2, 4.3 and 4.4.

4.7 Certificate re-key

Re-keying a certificate means to request a new certificate with the same certificate contents except for

a new Public Key. This might occur, for instance, if the subscriber accidentally deletes the

corresponding private key. A new PKCS#10 CSR must be submitted and a new certificate is issued,

provided that the subscriber maintains a valid account for the domain (see Section 3.3), meets the

application validation and issuance requirements detailed for new customers, or otherwise qualifies

for certificate renewal, above, or certificate modification/re-issue, below. Other aspects of

certificate re-key (e.g., who may request re-key, notification of issuance, conduct constituting

acceptance, and publication of the certificate) are the same as they are for initial certificate

issuance. See Sections 4.1, 4.2, 4.3 and 4.4.

4.8 Certificate modification

DigiCert will reissue or replace a certificate during the certificate's lifetime when the Subscriber's

common name, organization name, device name, or geographic location changes. These

situations might occur as the result of a merger or acquisition, new branding campaign, company

move or network reconfiguration. Then, certificate modification processes may be used to issue a new

certificate provided that the modified information for the subscriber meets the application validation

and issuance requirements detailed for new customers (because the new organizational information

must be confirmed). Except for when only a minor change is made to one of the names in the

certificate, all replaced certificates are revoked because the identifying information in the certificate

is no longer true. Other aspects of certificate modification (e.g., who may request certificate

modification, notification of issuance, conduct constituting acceptance, and publication of the

certificate) are the same as they are for initial certificate issuance. See Sections 4.1

, 4.2, 4.3 and

4.4

4.9 Certificate revocation and suspension

4.9.1 Circumstances for revocation

Revocation of a certificate is to permanently end the operational period of the certificate prior to

reaching the end of its stated validity period. DigiCert will revoke a digital certificate if:

 There has been loss, theft, modification, unauthorized disclosure, or other

compromise of the Private Key associated with the certificate.

 The subscriber or DigiCert has breached a material obligation under this CP/CPS.

 Either the subscriber’s or DigiCert’s obligations under this CP/CPS are delayed or prevented

by a natural disaster, computer or communications failure, or other cause beyond the person's

reasonable control, and as a result another person’s information is materially threatened or

compromised.

 DigiCert receives a lawful and binding order from a government or regulatory body to revoke

the certificate.

 There has been a modification of the information pertaining to the subscriber that is

contained within the certificate.

 For Code-Signing Certificates, DigiCert receives notice or otherwise becomes aware or

suspects that information in the certificate is inaccurate or that someone has used the Code-

Signing Certificate to sign, publish or distribute spyware, Trojans, root kits, browser

hijackers, malware, or other content it deems harmful, malicious, hostile, deceptive or

downloaded onto a user’s system without their consent.

4.9.2 Who can request revocation

The subscriber or other appropriately authorized parties can request revocation of a certificate. The

revocation request should be made by the administrative contact associated with the certificate

application. DigiCert may, if necessary, also request that the revocation request be made by either the

organizational contact, billing contact or domain registrant.

Prior to the revocation of a certificate, DigiCert will verify that the revocation request has been:

 Made by the organization or individual entity that has made the certificate application.

 Made by an entity with legal jurisdiction and authority to request revocation.

DigiCert may revoke any certificate for any reason or no reason.

4.9.3 Procedure for revocation request

DigiCert employs the following procedure for authenticating a revocation request:

 Upon receipt of the revocation request, DigiCert will request confirmation from the known

administrator via out-of-band communication (e.g., telephone, fax, etc.).

 DigiCert validation personnel will then log the identity of the person making the request, the

DigiCert personnel approving the revocation request, and the reason stated for revocation.

 A command to revoke the certificate is processed and the CRL is updated. Upon revocation

of a certificate, the operational period of that certificate is immediately considered terminated.

The serial number of the revoked certificate is placed within the CRL and remains until one

additional CRL is published after the end of the certificate’s validity period.

 Revocation logs are maintained in accordance with the logging procedures covered in

Section 5.5.1.2

of this CP/CPS.

4.9.4 Revocation request grace period

At DigiCert’s discretion, a revocation grace period may be allowed on a case-by-case basis.

4.9.5 Time within which CA must process the revocation request

DigiCert revokes the certificate and issues a CRL as soon as it has determined that a properly supported

revocation request has been made.

4.9.6 Revocation checking requirement for relying parties

Users and relying parties are strongly urged to review the CRL or submit an OCSP request to check for

revoked certificates at all times prior to relying on information featured on a certificate.

4.9.7 CRL issuance frequency

DigiCert manages and makes publicly available directories of revoked certificates through the use of

CRLs. All CRLs issued by DigiCert are X.509v2 CRLs, in particular as profiled in RFC 5280.

DigiCert updates and publishes a new CRL on a 24-hour basis or more frequently under special

circumstances. The CRLs for certificates issued pursuant to this CP/CPS can be accessed via the

URLs contained in the Certificate Profile for that certificate. See Appendix B

DigiCert also publishes a repository of legal notices regarding its PKI services, including this CP/CPS,

agreements and notices referenced within this CP/CPS, as well as any other information it considers

essential to its services. The DigiCert legal repository may be accessed at:

http://www.digicert.com/ssl-cps-repository.htm.

CRLs for end-user Subscriber Certificates are issued at least once per day. CRLs for CA Certificates are

issued twice annually, but also whenever a CA Certificate is revoked.

4.9.8 Maximum latency for CRLs

CRLs are posted to our online repository within a commercially reasonable time after generation. This is

generally done automatically within one minute of generation.

4.9.9 On-line revocation/status checking availability

No stipulation.

4.9.10 On-line revocation checking requirements

A relying party must confirm the validity of a certificate via CRL or OCSP prior to relying on the certificate.

4.9.11 Other forms of revocation advertisements available

None.

4.9.12 Special requirements re key compromise

DigiCert will use commercially reasonable efforts to notify potential Relying Parties if it discovers or suspects

that a CA’s Private Key has been compromised.

4.9.13 Circumstances for suspension

DigiCert does not utilize certificate suspension.

4.9.14 Who can request suspension

Not applicable.

4.9.15 Procedure for suspension request

Not applicable.

4.9.16 Limits on suspension period

Not applicable.

4.10 Certificate status services

Not applicable.

4.11 End of subscription

A Subscriber may terminate its subscription to certificate services by allowing the term of a Certificate or

applicable agreement to expire without renewal. See Section 4.6

. A Subscriber may also voluntarily revoke

a Certificate as explained in Section 4.9

4.12 Key escrow and recovery

DigiCert does not perform escrow or recovery of subscriber private keys.

5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS

This Part 5 of the CP/CPS outlines the security policy, physical and logical access control

mechanisms, service levels and personnel policy in use by DigiCert to provide trustworthy and reliable

CA operations.

5.1 Physical controls

5.1.1 Site location and construction

DigiCert performs its CA operations in a secure data center located in a hosted co-location facility in

the State of Utah, United States of America. The building is constructed of steel and masonry.

DigiCert houses its CA platform inside a locked computer cabinet located inside the data center in a

room with no windows to the outside (the "Data Center"). Customer support and organizational identity

vetting operations take place inside a separate room in another building (the "Support and Vetting

Room"). The physical site where the CA is located operates under a security policy designed to detect,

deter and prevent unauthorized logical or physical access to DigiCert's operations.

5.1.2 Physical access

Three layers of physical security exist between the outside of the building and DigiCert's CA

operations. Access to the secure part of DigiCert facilities is limited through the use of physical

access control and is only accessible to appropriately authorized individuals. DigiCert employees are

issued photo ID access cards imprinted with a serial number to record ingress and egress through

controlled access doors located throughout the facility.

During regular business hours, entry to the building where the CA is housed is accessed through a

reception area with a receptionist on duty. After hours, an access card is required to enter the building.

A security guard is also on duty at the facility 24 hours a day, 7 days a week, and 365 days a year.

Access to all areas beyond the reception area requires the use of an "access" or "pass" card. All

access card use is logged. The building is equipped with motion detecting sensors, and the exterior

and internal passageways of the building are also under constant video surveillance.

5.1.2.1 Data Center

Access to the Data Center housing the CA platform requires two-factor authentication—the individual

must have his or her access card, and the doors to the room are equipped with biometric access

control authenticators. The doors are programmed to require that the same access card be used to

exit the room. (In other words, the card holder must use his card to exit the Data Center in order to

use the card again to re-enter the Data Center.) The security guard's office is located adjacent to

the Data Center door, and the security guard makes rounds to check on the security of the Data

Center at least every half hour.

5.1.2.2 Support and Vetting Room

A controlled access door secures the Support and Vetting Room. The room is also equipped with

motion-activated video surveillance cameras.

5.1.3 Power and air conditioning

The Data Center has primary and secondary power supplies that ensure continuous, uninterrupted

access to electric power. Redundant backup power is provided by battery uninterrupted power

supplies (UPS) and two diesel generators.

Multiple, load-balanced HVAC systems for heating, cooling and air ventilation through perforated-tile,

raised flooring are used to prevent overheating and to maintain a suitable humidity level for sensitive

computer systems located in the Data Center.

5.1.4 Water exposures

The cabinet housing DigiCert's CA systems is located on raised flooring and the Data Center is equipped

with a monitoring system to detect excess moisture.

5.1.5 Fire prevention and protection

The Data Center is equipped with fire suppression.

5.1.6 Media storage

DigiCert performs a daily backup of its computer systems on external hard disks that are rotated and stored

either on-site or off-site according to an established backup rotation schedule. Media designated for

storage on-site are kept in a fire-proof safe located in DigiCert's business offices. See Section 5.1.8 below

for media designated for storage off-site.

5.1.7 Waste disposal

All out-dated or unnecessary copies of printed sensitive information are shredded on-site before disposal.

All electronic media are zeroized (all data is overwritten with binary zeros so as to prevent the recovery of

the data) using programs meeting U.S. Department of Defense requirements.

5.1.8 Off-site backup

On at least a quarterly basis, media designated for storage off-site are taken to a safe deposit box at a

federally insured and regulated financial institution. Media designated by the rotation schedule for storage

on-site are retrieved at that time.

Backup copies of CA Private Keys and activation data are stored off-site at a federally insured financial

institution in separate safe deposit boxes accessible only by trusted personnel. Activation material owned

by the HSM Administrator/Security Officer role is kept in a separate safe deposit box from activation material

owned by personnel filling the Partition Administrator role.

5.2 Procedural controls

5.2.1 Trusted roles

DigiCert personnel in trusted roles include, but are not limited to, CA and system administration personnel

and personnel involved with customer support and vetting. An additional role external to DigiCert is the

Auditor role, performed by DigiCert's auditor in accordance with Part 8 below. The functions and duties

performed by persons in trusted roles are distributed so that one person alone cannot circumvent security

measures or subvert the security and trustworthiness of the PKI.

Operations Manager

The DigiCert Operations Manager is a trusted role. The Operations Manager provides administrative and

management oversight of DigiCert's operations.

CA Administrator

The DigiCert CA Administrator is a trusted role. The CA Administrator is responsible for the installation and

configuration of the CA software, including key generation and key management. The CA Administrator is

responsible for performing and securely storing regular system backups of the CA system.

System Administrator/ System Engineer

The DigiCert System Administrator / System Engineer is a trusted role. The DigiCert System Administrator

is responsible for the installation and configuration of the system hardware, including servers, routers,

firewalls, and network configurations. The System Administrator / Engineer is also responsible for keeping

systems updated with software patches and other maintenance needed for system stability and

recoverability.

Customer Support Personnel

Customer support and vetting personnel serve in a trusted role. They are responsible for interacting with

Applicants and Subscribers, managing the certificate request queue and completing the certificate approval

checklist as identity vetting items are successfully completed.

5.2.2 Number of persons required per task

Handling of CA Private Keys (throughout the entire CA key lifecycle) requires the involvement of at least two

trusted persons. Physical and logical access controls exist for the key activation material in order to

maintain multi-party control over the Hardware Security Modules containing CA Private Keys.

Certificate issuance requires the approval of at least two persons, acting in the Customer Support trusted

role, per above.

Certificate revocation requires the approval of at least two persons, acting in the Customer Support trusted

role, per above.

5.2.3 Identification and authentication for each role

DigiCert personnel in trusted roles must first authenticate themselves to the certificate management system

before they are allowed access to the components of the system necessary to perform their trusted roles.

For normal operations systems, access is controlled by user account and password, IP address subnet, and

SSL. These mechanisms restrict access to those who are authorized and make actions directly attributable

to the individual taking such action while fulfilling the trusted role.

5.2.4 Roles requiring separation of duties

Roles requiring separation of duties include (but are not limited to)

 The validation of information in Certificate Applications

 The approval of Certificate Applications

 The approval of revocation requests

 Most duties related to CA key management or CA administration

5.3 Personnel controls

5.3.1 Qualifications, experience, and clearance requirements

Consistent with this CP/CPS, DigiCert maintains personnel and management practices that provide

reasonable assurance of the trustworthiness and competence of its employees and of the satisfactory

performance of their duties.

5.3.2 Background check procedures

A criminal background check is performed on all trusted personnel before access is granted to DigiCert’s

certificate management system. These checks include, but are not limited to, verification of social

security number, previous residences, driving records and criminal background.

5.3.3 Training requirements

Training of personnel is undertaken via a mentoring process involving senior members of the team

to which they are attached. All new personnel must undergo this training process for at least two

months.

5.3.4 Retraining frequency and requirements

No stipulation.

5.3.5 Job rotation frequency and sequence

No stipulation.

5.3.6 Sanctions for unauthorized actions

Failure of any DigiCert employee or agent to comply with the provisions of this CP/CPS, whether through

negligence or malicious intent, will subject such individual to appropriate administrative and disciplinary

actions, which may include termination as an employee or agent and possible civil and criminal sanctions.

Any trusted personnel cited by management for unauthorized or inappropriate actions shall be immediately

removed from the trusted role pending management review. Subsequent to management review, and

discussion of actions or investigation results with the employee, he or she may be reassigned to a non-

trusted role or dismissed from employment as appropriate.

5.3.7 Independent contractor requirements

Independent contractors who are assigned to perform trusted roles are subject to the duties and

requirements specified for such roles in this Section 5.3 and are subject to sanctions stated above in Section

5.3.6.

5.3.8 Documentation supplied to personnel

Personnel in trusted roles are provided with the documentation necessary to perform the role to which they

are assigned, including a copy of this CP/CPS and all technical and operational documentation needed to

maintain the integrity of DigiCert's CA operations. The information also includes internal system and

security documentation, identity vetting policies and procedures, discipline-specific books, treatises and

periodicals, and other information developed by DigiCert, provided to DigiCert by third parties or available

over the Internet.

5.4 Audit logging procedures

5.4.1 Types of events recorded

DigiCert logs and reviews logs of the following significant CA events:

• CA key life cycle management events:

- Key generation, backup, recovery, and destruction

- HSM initialization, activation, deactivation, zeroization

• CA and Subscriber certificate life cycle management events:

- Certificate Applications, renewal, reissue requests, and revocation

- Success or failure of requests

- Generation and issuance of certificates

• Security-related events including:

- Successful and unsuccessful PKI system access attempts

- PKI and security system actions performed by DigiCert staff

- System crashes, hardware failures and other anomalies

Log entries (automatic and manual) include the following:

• Date and time of the entry

• Type of entry

• Source of entry (customer or staff identity, IP address or other)

• Kind of entry

• Description

5.4.2 Frequency of processing log

On at least a monthly basis, the CA Administrator reviews the logs generated by the CA and vetting system

applications, operating system logs and network device logs. The CA Administrator uses automated tools to

scan for anomalies or specific conditions. These reviews include system and file integrity checks and

vulnerability assessments. A written summary of the monthly review and vulnerability assessment is

prepared that contains findings and recommendations for consideration by DigiCert's Operations Manager.

These written reviews are also made available to DigiCert's auditor.

5.4.3 Retention period for audit log

DigiCert maintains its written monthly summaries of audit log reviews for a period not less than

7 years, or as necessary to comply with applicable laws. Audit logs are also kept until the

completion of the next full CA Web Trust audit.

5.4.4 Protection of audit log

DigiCert personnel are obligated by this CP/CPS to keep the audit logging information generated by them on

their equipment until it is copied by the System Administrator. Audit logs are retained on-site in the office

safe for at least two (2) months and are otherwise protected until after the next CA Web Trust audit.

5.4.5 Audit log backup procedures

No stipulation.

5.4.6 Audit collection system (internal vs. external)

No stipulation.

5.4.7 Notification to event-causing subject

No stipulation.

5.4.8 Vulnerability assessments

See Section 5.4.2.

5.5 Records archival

5.5.1 Types of records archived

5.5.1.1 Certificate Issuance

All certificate issuance records (copies of certificates are held, regardless of their status as

expired or revoked) are retained as records in electronic and/or in paper-based archives for the

period detailed below in Section 5.5.2

. DigiCert may require Applicants to submit appropriate

documentation in support of a certificate application. In such circumstances, DigiCert retains such

records as stated in this CP/CPS.

DigiCert records the following information related to certificate issuance as part of its certificate

approval checklist process:

 the subscriber's PKCS#10 CSR;

 Documentation of organizational existence for organizational applicants as listed in

Section 3.2.2

;

 Documentation of individual identity for individual applicants as listed in Section 3.2.3;

 Verification of organizational existence and status received from third party databases and

government entities (including screen shots of web sites reporting such information);

 Screen shot of WHOIS record for domain name to be listed in the certificate;

 Mailing address validation (if different than those identified through the resources listed

above);

 Letter of authorization for web sites managed by third party agents of Applicants (if

applicable);

 Submission of the certificate application, including acceptance of the Subscriber

Agreement;

 Name, email, and IP address of person acknowledging authority of the

Applicant/Subscriber collected pursuant to Section 3.2.5

;

 Screen shot of web site;

 Other relevant contact information for the Applicant/Subscriber; and

 Copy of Digital Certificates issued.

5.5.1.2 Certificate Revocation

Requests for certificate revocation are recorded and archived, including the name of the person

requesting revocation, the reason for the request and the DigiCert personnel involved in authorizing

revocation. This information and all resulting CRLs are retained as records in electronic archives for

the period detailed in Section 5.5.2

below.

5.5.1.3 Other Information

DigiCert also archives the following information concerning its CA operations:

 Versions of this CP/CPS

 Contractual obligations

 Records of CA System equipment configuration and CA Private Key access and usage

 Security and compliance audit data (see Section 5.4); and

 Any other data or applications necessary to verify the contents of the archive.

5.5.2 Retention period for archive

DigiCert retain the records of DigiCert digital certificates and the associated documentation for a term

of no less than 7 years. The retention term begins on the date of certificate expiration or

revocation.

5.5.3 Protection of archive

Archive records are stored at a secure off-site location and are maintained in a manner that

prevents unauthorized modification, substitution or destruction.

5.5.4 Archive backup procedures

No stipulation.

5.5.5 Requirements for time-stamping of records

System time for DigiCert computers are updated using the Network Time Protocol (NTP) to synchronize

system clocks at least once every eight hours (Windows default). The following archived items on the

certificate approval checklist are time-stamped with the date, the time and the name of the DigiCert

employee checking the information and making the record:

 Organizational status screen shot;

 WHOIS screen shot; and

 Screen shot of web site.

The following records are time-stamped by the certificate administration system when an item is either

automatically received or is checked in by the DigiCert employee:

 Receipt of certificate application;

 Letter of authorization;

 Name, email, and IP address of person acknowledging organizational authority; and

 Other application information, as applicable.

Certificate issuance is time-stamped as a function of the "Valid From" field in accordance with the

X.509 Certificate Profile.

Certificate revocation is time-stamped as a function of the "Revocation Date" field in accordance with

the X.509 Certificate Revocation List Profile.

5.5.6 Archive collection system (internal or external)

Archive information is collected internally by DigiCert.

5.5.7 Procedures to obtain and verify archive information

Upon proper request (see Sections 9.3 and 9.4) and payment of associated costs, DigiCert will create,

package and send copies of archive information. Archived information is provided and verified by reference

to the time stamps associated with such records as described in Section 5.5.5. Access to archive data is

restricted to authorized personnel in accordance with DigiCert's internal security policies.

5.6 Key changeover

Key changeover procedures enable the smooth transition from expiring CA Certificates to new

CA Certificates. Towards the end of the CA Private Key

’

s lifetime, DigiCert ceases using its

expiring CA Private Key to sign Certificates (well in advance of expiration) and uses the old

Private Key only to sign CRLs. A new CA signing key pair is commissioned and all subsequently

issued certificates and CRLs are signed with the new private signing key. Both the old and the

new Key Pairs may be concurrently active. This key changeover process helps minimize any

adverse effects from CA Certificate expiration. The corresponding new CA public key certificate

is provided to subscribers and relying parties through the delivery methods detailed in Section

6.1.4

5.7 Compromise and disaster recovery

5.7.1 Incident and compromise handling procedures

To maintain the integrity of its services, DigiCert implements data backup and recovery procedures.

DigiCert has developed a Disaster Recovery and Business Continuity Plan (DRBCP). DigiCert's CA

system is redundantly configured at its primary facility and is mirrored with a tertiary system located at

a separate, geographically diverse location for automatic failover in the event of a disaster (Disaster

Recovery / Mirror Site). The DRBCP and supporting procedures are reviewed and tested periodically

(at least on an annual basis) and are revised and updated as needed.

At its primary facility, DigiCert maintains a fully redundant CA system. The backup CA at the primary

facility is readily available in the event that the primary CA should cease operation. All critical computer

equipment is housed in a co-location facility run by a commercial data-center, and all of the critical

computer equipment is duplicated within the primary facility.

At the Disaster Recovery / Mirror Site, DigiCert maintains a tertiary CA system that is a mirror of the

primary system for failover in the event that the primary and secondary CAs should cease operation. All

critical computer equipment at the Disaster Recovery / Mirror Site is also housed in a co-location

facility run by a commercial data-center.

Incoming power and connectivity feeds are redundant at both facilities. The redundant equipment is

ready to take over the role of supporting the CA and provides a maximum system outage time (in case

of critical systems failure) of one hour.

5.7.2 Computing resources, software, and/or data are corrupted

DigiCert performs system back-ups on a daily basis. Back-up copies are made of CA Private Keys and are

stored off-site in a secure location. In the event of a disaster whereby the primary and disaster recovery CA

operations become inoperative at DigiCert's primary facility and the Disaster Recovery / Mirror Site, DigiCert

will re-initiate its operations on replacement hardware using backup copies of its software, data and CA

private keys at a comparable, secured facility.

5.7.3 Entity private key compromise procedures

In the event that a DigiCert CA private key has been or is suspected to have been compromised, DigiCert's

Operations Manager will immediately convene an emergency Incident Response Team to assess the

situation to determine the degree and scope of the incident and take appropriate action, including

implementation of DigiCert's Incident Response Plan, outlined as follows:

 Collect all information related to the incident (and if the event is ongoing, ensure that all data

are being captured and recorded);

 Begin investigating incident and determine degree and scope;

 Incident Response Team determines the course of action or strategy that should be taken, (and

in the case of Key Compromise, determining the scope of certificates that must be revoked);

 Contact government agencies, law enforcement, and other interested parties and activate any

other appropriate additional security measures;

 Monitor system, continue investigation, ensure that data is still being recorded as evidence, and

make a forensic copy of data collected;

 Isolate, contain and stabilize the system, applying any short-term fixes needed to return the

system to a normal operating state (contact browser software providers to discuss

revocation/damage mitigation mechanisms if trust anchors may be affected);

 Prepare an incident report that analyzes the cause of the incident and documents the lessons

learned, and circulate the report; and

 Incorporate lessons learned into the implementation of long term solutions and also into the

Incident Response Plan for future use.

Following revocation of a CA Certificate and implementation of the Incident Response Plan, a new CA Key

Pair should be generated and a new CA Certificate should be signed in accordance with procedures outlined

in Part 6

of this CP/CPS.

5.7.4 Business continuity capabilities after a disaster

See Sections 5.7.1 through 5.7.3 above.

5.8 CA or RA termination

In case of termination of CA operations for any reason whatsoever, DigiCert will provide timely notice

and transfer of responsibilities to succeeding entities, maintenance of records, and remedies. Before

terminating its own CA activities, DigiCert will where possible take the following steps:

 Provide subscribers of valid certificates with ninety (90) days notice of its intention to cease

acting as a CA.

 Revoke all certificates that are still un-revoked or un-expired at the end of the ninety (90)-day

notice period without seeking Subscriber’s consent.

 Give timely notice of revocation to each affected Subscriber.

 Make reasonable arrangements to preserve its records according to this CP/CPS.

 Reserve its right to provide succession arrangements for the re-issuance of certificates by a

successor CA that has all relevant permissions to do so and complies with all necessary rules,

while its operation is at least as secure as DigiCert’s.

The requirements of this article may be varied by contract, to the extent that such modifications affect

only the contracting parties.

6. TECHNICAL SECURITY CONTROLS

6.1 Key pair generation and installation

6.1.1 Key pair generation

CA key pair generation is performed by multiple trusted individuals using trustworthy systems and processes

that provide for the security and required cryptographic strength for the generated keys. The cryptographic

hardware used for key generation meets the requirements of FIPS 140-1 level 3. The key generation

ceremony is performed by DigiCert personnel in trusted roles. The activities performed in each key

generation ceremony are recorded, dated, and signed by all individuals involved. Documentation supporting

the integrity of the key generation ceremony and other sensitive key operations is stored and made available

to its auditors for review.

6.1.2 Private key delivery to subscriber

Subscribers are solely responsible for the generation of the private keys used in their certificate

requests. DigiCert does not provide key generation, escrow, recovery or backup facilities.

6.1.3 Public key delivery to certificate issuer

Upon making a certificate application, the Subscriber is solely responsible for generating an RSA key pair

and submitting it to DigiCert in the form of a PKCS#10 CSR. Typically, SSL Certificate requests are

generated using the key generation facilities available in the Subscriber’s webserver software. Delivery of

the public key occurs during the same initial enrollment session where the applicant provides all certificate

application details.

6.1.4 CA public key delivery to relying parties

DigiCert's CA Public Keys are either signed by roots of other CAs whose Public Keys are embedded in the

most predominant web browsers and other trusted software used on the Internet or DigiCert's Public Keys

are securely delivered to software providers to serve as trust anchors in commercial browsers and operating

system root stores, or may be specified in a certificate validation or path discovery policy file. Relying

Parties may also obtain DigiCert's self-signed CA Certificates containing its Public Key from DigiCert's web

site or by email.

6.1.5 Key sizes

DigiCert generates and uses a 2048-bit RSA Key with Secure Hash Algorithm version 1 (SHA-1) to sign the

SSL Certificates and the CRLs that it issues. DigiCert recommends that subscribers submit 1024-bit or

2048-bit keys to DigiCert, and may at its discretion reject certificate requests generated with a key pair size

of 512 bits or less.

6.1.6 Public key parameters generation and quality checking

DigiCert uses cryptographic hardware that has been validated as conforming to FIPS 186-2 and provides

random number generation (http://csrc.nist.gov/cryptval/rng/rngval.html

) and on-board creation of 1024-bit

and 2048-bit key lengths for RSA public key generation (http://csrc.nist.gov/cryptval/dss/rsaval.html

6.1.7 Key usage purposes (as per X.509 v3 key usage field)

DigiCert's CA certificates include key usage extension fields to specify the purposes for which the CA

Certificate may be used and also to technically limit the functionality of the certificate when used with

X.509v3 compliant software. Reliance on key usage extension fields is dependent on correct software

implementations of the X.509v3 standard and is outside of the control of DigiCert. Key usages are

specified in the Certificate Profile set forth in Section 7.1 and in Appendix B.

6.2 Private Key Protection and Cryptographic Module Engineering Controls

6.2.1 Cryptographic module standards and controls

DigiCert's cryptographic modules are validated to the Federal Information Processing Standard (FIPS) 140-2

Level 3 and International Common Criteria (CC) Information Technology Security Evaluation Assurance

Level (EAL) 14169 EAL 4+ Type 3 (EAL 4 Augmented by AVA_VLA.4 and AVA_MSU.3) in the European

Union (EU). When following the CWA 14169 standard, a Subscriber's Private Key associated with the

Public Key should be protected according to Annex III of the EU Directive 1999/93/EC.

6.2.2 Private key (n out of m) multi-person control

DigiCert uses cryptographic hardware that requires the participation of multiple trusted individuals to perform

sensitive CA operations. All tools required to perform these operations are stored securely and cannot be

accessed without information known only to those authorized to use them.

For purposes of disaster recovery, backups of CA private keys are stored securely off-site on specialized

key-storage devices. Re-activation of the backed-up CA private keys requires the same multi-person

participation as when performing other sensitive CA private key operations. This prevents a single individual

from gaining access to the CA private key.

6.2.3 Private key escrow

DigiCert does not escrow private keys.

6.2.4 Private key backup

DigiCert's CA Private Keys are generated and stored inside the cryptographic hardware. Where such keys

must be transferred to other media for backup and disaster recovery purposes, they are transferred and

stored in an encrypted form in specialized key storage devices. All CA private keys are backed up in

accordance with controls described in Section 6.1.1

. Backup tokens containing CA private keys are stored

securely off-site for backup and disaster recovery purposes.

6.2.5 Private key archival

DigiCert does not archive private keys.

6.2.6 Private key transfer into or from a cryptographic module

See Section 6.2.4.

6.2.7 Private key storage on cryptographic module

See Section 6.2.4.

6.2.8 Method of activating private key

DigiCert's CA private keys are activated according to the specifications of the cryptographic hardware

manufacturer during a scripted, videotaped and witnessed key generation or certificate signing

ceremony.

Subscribers are solely responsible for protection of their private keys. DigiCert maintains no involvement

in the generation, protection or distribution of such keys. DigiCert suggests that its subscribers use a

strong password or equivalent authentication method to prevent unauthorized access and usage of the

subscriber private key. See also Section 6.4

6.2.9 Method of deactivating private key

The private keys stored on the HSM device are deactivated via logout procedures on the HSM device when

it is not in use. Root private keys are further deactivated by removing them entirely from the storage

partition on the HSM device. The HSM device is never left in an unlocked, unattended state or otherwise left

active to unauthorized access. When unattended and active, the HSM devices are kept locked inside steel

cabinets inside the Data Center.

Subscribers should also deactivate their private keys via logout and removal procedures when they are not

in use.

6.2.10 Method of destroying private key

Initially, the CA private key can be destroyed by deleting it from all known storage partitions. However, the

HSM device and associated backup tokens are also zeroized according to the specifications of the hardware

manufacturer. This reinitializes the device and overwrites all of the data on it with binary zeros. In cases

when this zeroization or re-initialization procedure fails, DigiCert will crush, shred and/or incinerate the

device in a manner that destroys the ability to extract any private key.

6.2.11 Cryptographic Module Rating

See Section 6.2.1.

6.3 Other aspects of key pair management

6.3.1 Public key archival

DigiCert retains copies of all Public Keys for archival in accordance with Section 5.5.

6.3.2 Certificate operational periods and key pair usage periods

All certificates and corresponding keys shall have maximum validity periods (not exceeding):

Root CA 25 years

Sub CA 15 years

Subscriber 42 months

Pursuant to Section 5.6, DigiCert voluntarily retires its CA Private Keys from signing subordinate certificates

before the periods listed above to accommodate the key changeover process (i.e., the retiring CA Private

Key is still used to sign CRLs to provide validation services for certificates issued with that retiring CA

Private Key.)

6.4 Activation data

6.4.1 Activation data generation and installation

DigiCert activates the cryptographic module containing its CA private keys according to the specifications of

the hardware manufacturer. This method has been evaluated as meeting the requirements of FIPS 140-2

Level 3. The cryptographic hardware is held under two-person control as explained in Section 5.2.2 and

elsewhere in this CP/CPS.

All DigiCert personnel and Subscribers are instructed to use Strong Passwords and to protect PINs and

passwords. DigiCert employees are required by policy to create non-dictionary, alphanumeric passwords

with a minimum length. DigiCert requires that passwords to workstations be changed on a regular basis.

6.4.2 Activation data protection

Activation data for HSM devices are protected as described in section 6.2.2. All DigiCert personnel are

instructed not to write down their password or ever share it with or disclose it to another individual.

6.4.3 Other aspects of activation data

No stipulation.

6.5 Computer security controls

6.5.1 Specific computer security technical requirements

DigiCert's CA servers and support-and-vetting workstations run on trustworthy systems. DigiCert's

computer systems are configured and hardened using industry best practices. All operating systems require

individual identification and authentication for authenticated logins and provide discretionary access control,

access control restrictions to services based on authenticated identity, security audit capability and a

protected audit record for shared resources, self-protection, and process isolation. All systems are scanned

for malicious code and also protected against spyware and viruses.

6.5.2 Computer security rating

No stipulation.

6.6 Life cycle technical controls

6.6.1 System development controls

DigiCert has mechanisms in place to control and monitor the acquisition and development of its CA systems.

Change control processes consist of change control data entries that are processed, logged and tracked for

any non-security-related changes to CA systems, equipment and software. Change requests require the

approval of at least one Senior Administrator (e.g. the Operations Manager, CA Administrator or System

Administrator/ System Engineer) who may not be the same person who submitted the request. In this

manner, DigiCert can verify whether a change to the system has been properly evaluated for risk mitigation

and authorized by management. Vendors are selected based on their reputation in the market, ability to

deliver quality product, and likelihood of remaining viable in the future. Management is involved in the

vendor selection and purchase decision process. Non-PKI hardware and software is purchased generically

without identifying the purpose for which the component will be used. All hardware and software are

shipped under standard conditions with controls in place to ensure delivery of the component directly to a

trusted employee who ensures that the equipment is installed without opportunity for tampering. Some of

the PKI software components used by DigiCert to provide CA services are developed in-house or by

consultants using standard software development methodologies, other software is purchased commercial

off-the-shelf (COTS). Quality assurance is maintained throughout the process through testing and

documentation or by purchasing from trusted vendors, discussed above. Updates of equipment or software

are purchased or developed in the same manner as the original equipment or software and are installed and

tested by trusted and trained personnel.

6.6.2 Security management controls

DigiCert has mechanisms in place to control and monitor the security-related configurations of its CA

systems. Change control processes consist of change control data entries that are processed, logged and

tracked for any security-related changes to CA systems, firewalls, routers, software and other access

controls. In this manner, DigiCert can verify whether a change to the system has been properly evaluated for

risk mitigation and authorized by management.

6.6.3 Life cycle security controls

No stipulation.

6.7 Network security controls

DigiCert's CA system is connected to one internal network and is protected by firewalls, a Demilitarized

Zone (DMZ) and Network Address Translation for all internal IP addresses (e.g., 192.168.x.x). DigiCert's

customer support and vetting workstations are also protected by firewall(s) and only use internal IP

addresses. Root Keys are kept offline and brought online only when necessary to sign certificate-issuing

subordinate CAs or periodic CRLs. Firewalls and boundary control devices are configured to allow access

only by the addresses, ports, protocols and commands required for the trustworthy provision of PKI services

by such systems. It is DigiCert's security policy to block all ports and protocols and open only necessary

ports to enable CA functions. All CA equipment is configured with a minimum number of services and all

unused network ports and services are disabled. All firewall configurations and changes thereto are

documented, authorized, tested and implemented in accordance with change management policies and

procedures. DigiCert's network configuration is available for review on-site by its auditors and consultants

under an appropriate non-disclosure agreement

6.8 Time-stamping

See Section 5.5.5.

7. CERTIFICATE, CRL, AND OCSP PROFILES

Information for interpreting the following Certificate and CRL Profiles may be found in IETF's RFC 2459

(http://www.ietf.org/rfc/rfc2459.txt). DigiCert uses the ITU X.509, version 3 standard to construct digital

certificates for use within the DigiCert PKI. X.509v3 allows a CA to add certain certificate extensions to the

basic certificate structure. DigiCert use a number of certificate extensions for the purposes intended by

X.509v3 as per Amendment 1 to ISO/IEC 9594-8, 1995.

7.1 Certificate profile

7.1.1 Version number(s)

All certificates are X.509 version 3 certificates.

7.1.2 Certificate extensions

See Appendix B.

7.1.3 Algorithm object identifiers

See Appendix B.

7.1.4 Name forms

See Appendix B and Section 3.1.

7.1.5 Name constraints

No stipulation.

7.1.6 Certificate policy object identifier

An object identifier (OID) is a number unique within a specific domain that allows for the unambiguous

identification of a policy, including a Certificate Policy and/or Certification Practice Statement, such as

this CP/CPS. The CP OIDs that incorporate this CP/CPS into a given certificate by reference (which

identify that this CP/CPS applies to a given digital certificate containing the OID) are listed in Section

1.2 and in the Certificate Profile attached as Appendix B.

7.1.7 Usage of Policy Constraints extension

Not applicable.

7.1.8 Policy qualifiers syntax and semantics

DigiCert certificates include a brief statement in the Policy Qualifier field of the Certificate Policy extension

to put all potential Relying Parties on notice of the limitations of liability and other terms and conditions on

the use of the certificate, including those contained in this CP/CPS, which are incorporated by reference

into the certificate. See Appendix B

7.1.9 Processing semantics for the critical Certificate Policies extension

No stipulation.

7.2 CRL profile

7.2.1 Version number(s)

DigiCert issues version two (2) CRLs (i.e. populated with integer "1"). CRLs conform to RFC 5280 and

contain the basic fields listed below:

Version

Issuer Signature Algorithm (sha-1WithRSAEncryption {1 2 840 113549 1 1 5})

Issuer Distinguished Name (DigiCert)

thisUpdate (UTC format)

nextUpdate (UTC format – thisUpdate plus 24 hours)

Revoked certificates list

Serial Number

Revocation Date (see CRL entry extension for Reason Code below)

Issuer’s Signature

7.2.2 CRL and CRL entry extensions

CRL Number (monotonically increasing integer - never repeated)

Authority Key Identifier (same as Authority Key Identifier in certificates issued by CA)

CRL Entry Extensions

Invalidity Date (UTC - optional)

Reason Code (optional)

7.3 OCSP profile

DigiCert operates an OCSP service at http://ocsp.digicert.com/. DigiCert’s OCSP responders conform to

version 1 of RFC 2560.

8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS

The practices specified in this CP/CPS have been designed to meet or exceed the requirements of

generally accepted and developing industry standards including the AICPA/CICA WebTrust Program for

Certification Authorities, ANS X9.79/ISO 21188 PKI Practices and Policy Framework ("CA

WebTrust/ISO 21188"), and other industry standards related to the operation of

CA’s.

8.1 Frequency or circumstances of assessment

An annual audit is performed by an independent external auditor to assess DigiCert's compliance with

CA WebTrust/ISO 21188 criteria.

8.2 Identity/qualifications of assessor

(1) Qualifications and experience. Auditing must be the individual’s or group’s primary business function.

The individual or at least one member of the audit group must be qualified as a Certified Information

Systems Auditor (CISA), an AICPA Certified Information Technology Professional (CPA.CITP), a Certified

Internal Auditor (CIA), or have another recognized information security auditing credential.

(2) Expertise: The individual or group must be trained and skilled in the auditing of secure information

systems and be familiar with public key infrastructures, certification systems, and the like, as well as Internet

security issues (such as management of a security perimeter), operations of secure data centers, personnel

controls, and operational risk management.

(3) Rules and standards: The individual or group must conform to applicable standards, rules, and best

practices promulgated by the American Institute of Certified Public Accountants (AICPA), the Canadian

Institute of Chartered Accountants (CICA), the Institute of Chartered Accountants of England & Wales

(ICAEW), the International Accounting Standards adopted by the European Commission (IAS), Information

Systems Audit and Control Association (ISACA), the Institute of Internal Auditors (IIA), or another qualified

auditing standards body.

(4) Reputation: The firm must have a reputation for conducting its auditing business competently and

correctly.

(5) Disinterest: The firm must have no financial interest, business relationship, or course of dealing that

could foreseeably create a significant bias for or against DigiCert.

8.3 Assessor's relationship to assessed entity

In addition to the foregoing prohibition on conflicts of interest, the assessor shall have a contractual

relationship with DigiCert for the performance of the audit, but otherwise, shall be independent. The

assessor shall maintain a high standard of ethics designed to ensure impartiality and the exercise of

independent professional judgment, subject to disciplinary action by its licensing body.

8.4 Topics covered by assessment

Topics covered by the annual CA WebTrust/ISO 21188 audit include but are not limited to DigiCert's CA

business practices disclosure (i.e., this CP/CPS), the service integrity of DigiCert's CA operations and the

environmental controls that DigiCert implements to ensure a trustworthy system.

8.5 Actions taken as a result of deficiency

If an audit reports any material noncompliance with applicable law, this CP/CPS, or any other contractual

obligations related to the CA services described herein, DigiCert shall develop a plan to cure such

noncompliance, subject to the approval of the DigiCert Policy Authority and any third party to whom DigiCert

is legally obligated to satisfy. In the event DigiCert fails to take appropriate action in response to the report,

then the DigiCert Policy Authority may instruct DigiCert's Operations Manager to revoke the certificates

affected by such non-compliance.

8.6 Communication of results

The results of any inspection or audit are reported to DigiCert management, acting as the DigiCert Policy

Authority, and any appropriate entities, as may be required by law, regulation or agreement. At its option,

DigiCert will provide interested parties with the letter containing the attestation of management and its

auditor’s letter concerning the effectiveness of controls. Otherwise, all audit information will be considered

confidential business information in accordance with Section 9.3.

9. OTHER BUSINESS AND LEGAL MATTERS

This part describes the legal representations, warranties and limitations associated with each of

DigiCert’s digital certificates.

9.1 Fees

9.1.1 Certificate issuance or renewal fees

DigiCert charges Subscriber fees for certificate issuance and renewal. Such fees are detailed on its web

site (http://www.digicert.com

). DigiCert retains its right to effect changes to such fees. DigiCert

customers will be suitably advised of price amendments as detailed in relevant customer agreements.

9.1.2 Certificate access fees

DigiCert reserves the right to establish and charge a reasonable fee for access to its database of

certificates.

9.1.3 Revocation or status information access fees

DigiCert does not charge fees for the revocation of a certificate or for a Relying Party to check the validity

status of a DigiCert issued certificate through the use of Certificate Revocation Lists. DigiCert reserves the

right to establish and charge a reasonable fee for providing certificate status information services via OCSP.

9.1.4 Fees for other services

No stipulation.

9.1.5 Refund policy

DigiCert offers a 30-day refund policy. During a 30-day period (beginning when a certificate is first

issued) the Subscriber may request a full refund for their certificate. Under such circumstances, the

original certificate may be revoked and a refund provided to the applicant. DigiCert is not obliged to

refund a certificate after the 30-day reissue policy period has expired.

9.2 Financial responsibility

9.2.1 Insurance coverage

DigiCert carries at least $1 million in Commercial General Liability insurance coverage.

9.2.2 Other assets

No stipulation.

9.2.3 Insurance or warranty coverage for end-entities

Subscribers should refer to the Subscriber Agreement that they have with DigiCert.

Relying Parties should refer to the Relying Party Agreement. Both are located at:

http://www.digicert.com/ssl-cps-repository.htm.

9.3 Confidentiality of business information

9.3.1 Scope of confidential information

DigiCert keeps the following types of information confidential and maintains reasonable controls to

prevent the exposure of such records to non-trusted personnel.

 All private keys

 Any activation data used to access private keys or gain access to the CA system

 Any business continuity, incident response, contingency, and disaster recovery plans

 Any other security practices, measures, mechanisms, plans, or procedures used to protect the

confidentiality, integrity or availability of information

 Any information held by DigiCert as private information in accordance with Section 9.4

 Any transactional, audit log and archive record identified in Section 5.4 or 5.5, including certificate

application records and documentation submitted in support of certificate applications whether

successful or rejected.

 Transaction records, financial audit records and external or internal audit trail records and any

audit reports (with the exception of an auditor’s letter confirming the effectiveness of the

controls set forth in this CP/CPS)

9.3.2 Information not within the scope of confidential information

Subscriber application data identified herein as being published in a digital certificate is considered

public and not within the scope of confidential information. Subscribers acknowledge that revocation

data of all certificates issued by the DigiCert CA is public information and is periodically published every

24 hours at the DigiCert repository.

9.3.3 Responsibility to protect confidential information

DigiCert observes applicable rules on the protection of personal data deemed by law or the DigiCert

of this CP/CPS) to be confidential.

9.4 Privacy of personal information

9.4.1 Privacy plan

DigiCert has implemented a privacy policy, which is in compliance with this CP/CPS. The DigiCert privacy

policy is published at http://www.digicert.com/digicert-privacy-policy.htm

9.4.2 Information treated as private

Personal information about an individual that is not publicly available in the contents of a certificate or CRL is

considered private.

9.4.3 Information not deemed private

Certificates, CRLs, and personal or corporate information appearing in them are not considered private.

9.4.4 Responsibility to protect private information

Each party shall protect the confidentiality of private information that is in its possession, custody or control

with the same degree of care that it exercises with respect to its own information of like import, but in no

event less than reasonable care, and shall use appropriate safeguards and otherwise exercise reasonable

precautions to prevent the unauthorized disclosure of private information.

9.4.5 Notice and consent to use private information

A party may use private information with the subject's express written consent or as required by applicable

law or court order.

9.4.6 Disclosure pursuant to judicial or administrative process

DigiCert shall not release any confidential information, unless as otherwise required by law, without an

authenticated, reasonably specific request by an authorized party specifying:

 The party to whom DigiCert owes a duty to keep information confidential.

 The party requesting such information.

 A court order, if any.

9.4.7 Other information disclosure circumstances

All personnel in trusted positions handle all information in strict confidence, including those

requirements of US and European law concerning the protection of personal data.

9.5 Intellectual property rights

DigiCert, its strategic partners, and other business associates, each own all their respective

intellectual property rights associated with their databases, web sites, DigiCert digital certificates and

any other publication originating from DigiCert including this CP/CPS.

The word “DigiCert” is a registered trademark of DigiCert, Inc. DigiCert may have other trade and

service marks that have not been registered, but that nonetheless are and shall remain the property of

DigiCert.

Certificates are the exclusive property of DigiCert. DigiCert gives permission to reproduce and distribute

certificates on a non-exclusive, royalty-free basis, provided that they are reproduced and distributed in

full. DigiCert reserves the right to revoke the certificate at any time and at its sole discretion.

Private and public keys are the property of the Subscribers who rightfully issue and hold them.

All secret shares (distributed elements) of the DigiCert private keys remain the respective property

of DigiCert.

9.6 Representations and warranties

9.6.1 CA representations and warranties

Except as expressly stated in this CP/CPS, DigiCert makes no representations or warranties

regarding its public service. DigiCert reserves its right to modify such representations as it sees fit, at

its sole discretion, or as required by law.

Only to the extent specified in the relevant sections of this CP/CPS, DigiCert promises to:

 Comply with this CP/CPS and its internal or published policies and procedures.

 Comply with applicable laws and regulations.

 Provide infrastructure and certification services, including but not limited to the establishment

and operation of the DigiCert Repository and web site for the operation of PKI services.

 Provide trust mechanisms, including a key generation mechanism, key protection, and

secret sharing procedures regarding its own infrastructure.

 Provide prompt notice in case of compromise of its private key(s).

 Provide and validate application procedures for the various types of certificates that it may

make publicly available.

 Issue digital certificates in accordance with this CP/CPS and fulfill its obligations

presented herein.

 Provide support to Subscribers and Relying Parties as described in this CP/CPS.

 Revoke certificates according to this CP/CPS.

 Provide for the expiration and renewal of certificates according to this CP/CPS.

 Make available a copy of this CP/CPS and applicable policies to requesting parties.

 Warrant the accuracy of information published on a Qualified Certificate issued pursuant to the

requirements of the European Directive 99/93.

 Warrant that the signatory held the private key at the time of issuance of a certificate issued

pursuant to the requirements for Qualified Certificates as in the European Directive 99/93.

DigiCert does issue Certificates for email and intranet use and disclaims any and all warranties

(including name verification) for Email Certificates, Unified Communications Certificates, and other

Certificates issued to individuals and intranets (e.g., where a non-public or non-standard Top Level

Domain is used or where they are addressed to IP space allocated as private by RFC1918), which are

not intended to be relied upon by the general public.

The Subscriber also acknowledges that DigiCert has no further obligations under this CP/CPS.

Except as it may have otherwise been stated in relation to Qualified Certificates issued pursuant to

the requirements of the European Directive 99/93, DigiCert:

 Does not warrant the accuracy, authenticity, completeness or fitness of any unverified

information contained in certificates or otherwise compiled, published, or disseminated by or

on behalf of DigiCert except as it may be stated in the relevant product description contained

in this CP/CPS.

 Shall incur no liability for representations of information contained in a certificate except as it

may be stated in the relevant product description in this CP/CPS.

 Does not warrant the quality, functions or performance of any software or hardware device.

 Shall have no liability if it cannot execute the revocation of a certificate for reasons outside

its own control.

9.6.2 RA representations and warranties

Not applicable

9.6.3 Subscriber representations and warranties

Unless otherwise stated in this CP/CPS or the applicable Subscriber Agreement, Subscribers shall

exclusively be responsible:

 To minimize internal risk of private key compromise by ensuring that they and their agents

have adequate knowledge and training on PKI.

 To generate a secure private / public key pair to be used in association with the

certificate request submitted to DigiCert.

 Ensure that the public key submitted to DigiCert is the correct one and corresponds with

the private key used.

 Provide correct and accurate information in communications with DigiCert and alert

DigiCert if any information originally submitted has changed since it was submitted to

DigiCert.

 Read, understand and agree with all terms and conditions in this CP/CPS and

associated policies published in the DigiCert Repository at http://www.digicert.com/ssl-

cps-repository.htm.

 Use DigiCert certificates for legal and authorized purposes in accordance with this

CP/CPS.

 Cease using the certificate if any information in it becomes misleading, obsolete

or invalid.

 Cease using the certificate if it is expired and remove it from any applications and/or

devices it has been installed on.

 Make reasonable efforts to prevent the compromise, loss, disclosure, modification, or

otherwise unauthorized use of the private key corresponding to the public key published in

a DigiCert certificate.

 Request the revocation of a certificate in case of any occurrence that might materially

affect the integrity of the certificate.

 For acts and omissions of partners and agents they use to generate, retain, escrow, or

destroy their private keys

Without limiting other Subscriber obligations stated in this CP/CPS, Subscribers are solely liable for any

misrepresentations they make in certificates to third parties that reasonably rely on the representations

contained therein.

Upon accepting a certificate the Subscriber represents, warrants and covenants to DigiCert, to

Application Software Vendors, and to Relying Parties that at the time of acceptance and until further

notice:

 Transactions effectuated using the private key corresponding to the public key included

in the certificate are the acts of the Subscriber and that the certificate has been accepted

and is properly operational at that time and until further notice to DigiCert.

 The Subscriber retains control of the Subscriber’s private key, uses a trustworthy system, and

takes reasonable precautions to prevent its loss, disclosure, modification, or unauthorized

use and that no unauthorized person has ever had access to the Subscriber’s private key.

 All representations made by the Subscriber to DigiCert regarding the information

contained in the certificate are accurate and true to the best of the Subscriber

’

knowledge or to the extent that the Subscriber receives notice of such information, the

Subscriber shall act promptly to notify DigiCert of any material inaccuracies contained in

the certificate.

 The certificate is used exclusively for authorized and legal purposes, consistent with this

CP/CPS, and that the Subscriber will use the certificate only in conjunction with the entity

named in the organization field of the certificate

 The Subscriber agrees with the terms and conditions of this CP/CPS and other

agreements and policy statements of DigiCert.

 The Subscriber abides by the laws applicable in his/her country or territory including those

related to intellectual property protection, fair trade practices and computer fraud and abuse,

 The Subscriber complies with all export laws and regulations for dual usage goods as may

be applicable.

 For Code-Signing Certificates, it will not use the Certificate to digitally sign hostile code,

spyware or other malicious software; to disable antispyware or other protective measures;

to provide false or misleading descriptions of the signed code’s functions or features, or to

use the Code-Signing Certificate in violation of applicable laws or the Subscriber

Agreement.

 For SSL Certificates and Unified Communications Certificates, it will install the Certificate

only on the server accessible at the domain name listed on the Certificate, and will use the

Certificate solely in compliance with all applicable laws, solely for authorized company

business, and solely in accordance with the Subscriber Agreement.

9.6.4 Relying party representations and warranties

A Relying Party accepts that in order to reasonably rely on a DigiCert certificate, the Relying Party

must:

 Make reasonable efforts to acquire sufficient knowledge on using digital

certificates and PKI.

 Study the limitations to the usage of digital certificates and be aware through the

Relying Party Agreement of the limitations of liability of DigiCert for reliance on a

DigiCert-issued certificate.

 Read and agree with the terms of the DigiCert Relying Party Agreement.

 Verify the DigiCert certificates by referring to the relevant CRL or OCSP and also the

CRLs or OCSP of any intermediate CA or root CA as available through DigiCert's

repository.

 Trust a DigiCert certificate only if it is valid and has not been revoked or has

expired.

 Take any other reasonable steps to minimize the risk of relying on a digital signature

created by an invalid, revoked, expired or rejected certificate; and finally,

 Rely on a DigiCert certificate, only as may be reasonable under the

circumstances, given:

 any legal requirements for the identification of a party, the protection of the

confidentiality or privacy of information, or the legal enforceability of the

transaction in accordance with any laws that may apply;

 all facts listed in the Certificate, or of which the Relying Party has or should have

notice, including this CP/CPS;

 the economic value of the transaction or communication, if applicable;

 the potential losses or damage which might be caused by an erroneous

identification or a loss of confidentiality or privacy of information in the

application, transaction or communication;

 the applicability of the laws of a particular jurisdiction, including the jurisdiction

specified in an agreement with the Subscriber or in this CP/CPS;

 the Relying Party’s previous course of dealing with the Subscriber, if any;

 usage of trade, including experience with computer-based methods of trade; and

 any other indicia of reliability or unreliability, or other facts of which the Relying

Party knows or has notice, pertaining to the Subscriber and/or the application,

communication or transaction.

9.6.5 Representations and Warranties of Other Participants

Not applicable.

9.7 Disclaimers of warranties

DigiCert disclaims all warranties and obligations of any type, including any warranty of fitness for a particular

purpose, and any warranty of the accuracy of unverified information provided, save as contained herein and

as cannot be excluded at law. In no event and under no circumstances (except for DigiCert's own fraud or

willful misconduct) shall DigiCert be liable for any or all of the following and the results thereof:

 Any indirect, incidental or consequential damages.

 Any costs, expenses, or loss of profits.

 Any death or personal injury.

 Any loss of data.

 Any other indirect, consequential or punitive damages arising from or in connection with the

use, delivery, license, performance or non-performance of certificates or digital signatures.

 Any other transactions or services

offered within the framework of this CP/CPS.

 Any other damages except for those due to reliance, on the information featured on a

certificate, or on the verified information in a certificate.

 Any liability incurred in this case or any other case if the fault in this verified

information is due to fraud or willful misconduct of the applicant.

 Any liability that arises from the usage of a certificate that has not been issued or used in

conformance with this CP/CPS.

 Any liability that arises from the usage of a certificate that is not valid.

 Any liability that arises from usage of a certificate that exceeds the limitations in usage

and value and transactions stated upon it or in this CP/CPS.

 Any liability that arises from security, usability, integrity of products, including

hardware and software a Subscriber uses.

 Any liability that arises from compromise of a Subscriber’s

private key.

9.8 Limitations of liability

DigiCert certificates may only be used in connection with data transfer and transactions having a US

dollar (US$) value of less than $1 million. In no event and under no circumstances (except for fraud or

willful misconduct) will the aggregate liability of DigiCert, whether jointly or severally, to all parties

including without any limitation a Subscriber, an applicant, a recipient, or a Relying Party for all digital

signatures and transactions related to such certificate exceed $1 million.

9.9 Indemnities

By accepting or using a certificate, each Subscriber and Relying Party agrees to indemnify and hold

DigiCert, as well as any of its respective parent companies, subsidiaries, directors, officers, employees,

agents, and contractors harmless from any acts or omissions resulting in liability, any loss or damage,

and any suits and expenses of any kind, including reasonable attorneys’ fees, that DigiCert, and/or the

above mentioned parties may incur, that are caused by the use or publication of a certificate, and that

arises from that party's: (i) misrepresentation or omission of material fact in order to obtain or use a

Certificate, whether or not such misrepresentation or omission was intentional; (ii) violation of the

Subscriber Agreement, Relying Party Agreement, this CP/CPS, or any applicable law; (iii) compromise

or unauthorized use of a Certificate or Private Key caused by the negligence of that party and not by

DigiCert (unless prior to such unauthorized use DigiCert has received an authenticated request to

revoke the Certificate); or (iv) misuse of the Certificate or Private Key.

9.10 Term and termination

9.10.1 Term

This CP/CPS and any amendments hereto shall become effective upon publication in the Repository and

shall remain in effect perpetually until terminated in accordance with this Section 9.10.

9.10.2 Termination

This CPS as amended from time to time shall remain in force until it is replaced by a new version or is

otherwise terminated in accordance with this Section 9.10.

9.10.3 Effect of termination and survival

The conditions and effect resulting from termination of this document will be communicated via the DigiCert

Repository (http://www.digicert.com/ssl-cps-repository.htm

) upon termination. That communication will

outline the provisions that may survive termination of this CP/CPS and remain in force. The responsibilities

for protecting business confidential and private personal information shall survive termination, and the terms

and conditions for all existing Certificates shall remain valid for the remainder of the Validity Periods of such

Certificates.

9.11 Individual notices and communications with participants

DigiCert accepts notices related to this CP/CPS by means of digitally signed messages or in paper

form addressed to the locations specified in Section 2.2

of this CPS. Upon receipt of a valid, digitally

signed acknowledgment of receipt from DigiCert, the sender of the notice shall deem their

communication effective. The sender must receive such acknowledgment within five (5) days, or else

written notice must then be sent in paper form through a courier service that confirms delivery or via

certified or registered mail, postage prepaid, return receipt requested, addressed to the street

address specified in Section 2.2.

9.12 Amendments

9.12.1 Procedure for amendment

Revisions not denoted “significant” shall be those deemed by the DigiCert Policy Authority to have

minimal or no impact on Subscribers and Relying Parties using certificates and CRL’s issued by

DigiCert. Such revisions may be made without notice to users of this CP/CPS and without changing the

version number of this CP/CPS. Controls are in place to reasonably ensure that the DigiCert CPS is

not amended and published without the prior authorization of the DigiCert Policy Authority.

9.12.2 Notification mechanism and period

DigiCert will notify all interested persons of proposed changes, the final date for receipt of comments, and

the proposed effective date of proposed changes on its Web site. There is no fixed notice and comment

period. Editorial and typographical corrections, changes to contact details and other minor changes that do

not materially impact the parties may be changed without notice and are not subject to the notification

requirements herein.

9.12.3 Circumstances under which OID must be changed

If a change in DigiCert's Certificate Policy or Certification Practices is determined by the DigiCert Policy

Authority to warrant a change in the currently specified OID for a particular type of certificate, then the

revised version of this CP/CPS will also contain a revised OID for that type of certificate.

9.13 Dispute resolution provisions

Before resorting to any dispute resolution mechanism including adjudication or any type of Alternative

Dispute Resolution (including without exception mini-trial, arbitration, mediation, umpire, binding

expert’s advice, co-operation monitoring and normal expert’s advice) the parties agree to notify

DigiCert of the dispute with a view to seek dispute resolution.

9.14 Governing law

This CP/CPS is governed by, and construed in accordance with the law of the State of Utah. This choice of

law is made to ensure uniform interpretation of this CP/CPS, regardless of the place of residence or place

of use of DigiCert digital certificates or other products and services. Utah law applies in all of DigiCert's

commercial or contractual relationships in which this CP/CPS may apply or quoted implicitly or explicitly in

relation to DigiCert products and services where DigiCert acts as a provider, supplier, beneficiary receiver

or otherwise.

Each party, including DigiCert, Subscribers and Relying Parties, irrevocably agree that a tribunal (court

or arbitration body) located in Utah shall have exclusive jurisdiction to hear and decide any suit, action

or proceedings, and to settle any disputes, which may arise out of or in connection with this CP/CPS or

the provision of DigiCert PKI services.

9.15 Compliance with applicable law

This CPS shall be subject to applicable national, state, local and foreign laws, rules, regulations, ordinances,

decrees and orders including but not limited to restrictions on exporting or importing software, hardware or

technical information.

9.16 Miscellaneous provisions

9.16.1 Entire agreement

This CP/CPS shall be interpreted consistently within the boundaries of business customs,

commercial reasonableness under the circumstances, and intended usage of the product or service

described herein. In interpreting this CP/CPS the parties shall also take into account the

international scope and application of the services and products of DigiCert as well as the principle of

good faith as it is applied in commercial transactions.

The headings, subheadings, and other captions in this CP/CPS are intended for convenience and

reference only and shall not be used in interpreting, construing, or enforcing any of the provisions of

this CP/CPS.

Appendices and definitions to this CP/CPS are for all purposes an integral and binding part of the

CP/CPS. If/when this CP/CPS conflicts with other rules, guidelines, or contracts, this CP/CPS shall

prevail and bind the Subscriber and other parties. If there is any conflict between the sections of this

CP/CPS and any other document that relate to DigiCert, then the sections benefiting DigiCert and

preserving DigiCert’s best interests, at DigiCert’s sole determination, shall prevail and bind the

applicable parties.

9.16.2 Assignment

Parties to this CP/CPS may not assign any of their rights or obligations under this CP/CPS or applicable

agreements without the written consent of DigiCert.

9.16.3 Severability

If any provision of this CP/CPS or the application thereof, is for any reason and to any extent found to

be invalid or unenforceable, the remainder of this CP/CPS (and the application of the invalid or

unenforceable provision to other persons or circumstances) shall remain in full force and

effect and shall

be interpreted in such manner as to implement the original intention of the parties to the fullest extent

possible.

Each and every provision of this CP/CPS that provides for a limitation of liability, disclaimer of or

limitation upon any warranties or other obligations, or exclusion of damages is intended to be severable

and independent of any other provision and is to be enforced as such.

9.16.4 Enforcement (attorneys' fees and waiver of rights)

DigiCert reserves the right to seek indemnification and attorneys' fees from any party related to that

party's conduct described in Section 9.9

. Except where an express time frame is set forth in this

CP/CPS, no delay or omission by any party to exercise any right, remedy or power it has under this

CP/CPS shall impair or be construed as a waiver of such right, remedy or power. A waiver by any

party of any breach or covenant in this CP/CPS shall not be construed to be a waiver of any other or

succeeding breach or covenant. Bilateral agreements between DigiCert and the parties to this

CP/CPS may contain additional provisions governing enforcement.

9.16.5 Force Majeure

DIGICERT INCURS NO LIABILITY IF IT IS PREVENTED, FORBIDDEN OR DELAYED FROM

PERFORMING, OR OMITS TO PERFORM, ANY ACT OR REQUIREMENT BY REASON OF: ANY

PROVISION OF ANY APPLICABLE LAW, REGULATION OR ORDER; CIVIL, GOVERNMENTAL OR

MILITARY AUTHORITY; THE FAILURE OF ANY ELECTRICAL, COMMUNICATION OR OTHER SYSTEM

OPERATED BY ANY OTHER PARTY OVER WHICH IT HAS NO CONTROL; FIRE, FLOOD, OR OTHER

EMERGENCY CONDITION; STRIKE; ACTS OF TERRORISM OR WAR; ACT OF GOD; OR OTHER

SIMILAR CAUSES BEYOND ITS REASONABLE CONTROL AND WITHOUT ITS FAULT OR

NEGLIGENCE.

9.17 Other provisions

This CP/CPS shall be binding upon the successors, executors, heirs, representatives, administrators,

and assigns, whether express, implied, or apparent, of the parties that this CP/CPS applies to. The

rights and obligations detailed in this CP/CPS are assignable by the parties, by operation of law

(including as a result of merger or a transfer of a controlling interest in voting securities) or otherwise,

provided such assignment is undertaken consistent with this CP/CPS articles on termination or

cessation of operations, and provided that such assignment does not effect a novation of any other

debts or obligations the assigning party owes to other parties at the time of such assignment.

Appendix A

Domain Authorization Letter

Dear DigiCert,

________________________ (Certificate Applicant) recently submitted a request to DigiCert to issue one

or more Digital Certificate(s) under Certificate Applicant's name. Certificate Applicant desires to install the

Digital Certificate(s) on its server(s) for the domain(s) listed below to enable secure communication with

such server(s).

I confirm and warrant that:

* The Organization requesting the certificate (Certificate Applicant) is: ___________________________

* The domain names to be included in the certificate is/are: __________________________

* Registrant of the Domain(s) is: ________________________

I am the registrant (and/or employed by the Registrant) of the domain name referenced above, and am duly

authorized to sign this Domain Authorization Letter and to deal with all matters related to the registration of

the Domain with DigiCert as a Certification Authority.

On behalf of Registrant, I confirm that Registrant has granted and/or acknowledges that Certificate Applicant

has the right to use the domain(s) referenced above in connection with its business and as common

name(s) in Digital Certificate(s) to be issued by DigiCert. Registrant authorizes the Certificate Applicant to

request Digital Certificates for any subdomain on the domain(s) listed above (for example,

www.___________________________, mail.___________________________, and

secure.___________________________, etc.)

DigiCert may rely on this authorization for any subsequent certificate renewals and/or additional certificates

obtained by the Certificate Applicant until such time as this authorization is revoked.

To revoke the rights herein appointed, the registrant must contact DigiCert, Inc. by written notification using

one of the following methods: 1) Email to admin@digicert.com or 2) Mail to DigiCert, Inc. (Attention: Legal) -

355 South 520 West - Canopy Building II, Suite 200 - Lindon, Utah 84042.

Registrant agrees that in connection with any breach by it of any representation or obligation under (a) this

letter, (b) any domain name registration agreement between Registrant and the Registry governing the

Domain name registration, or (c) any assignment or other transfer of the domain name to a third party, it will

indemnify DigiCert and its officers, directors and agents for any losses, costs, damages, and attorneys' fees

that arise out of Registrant's breach. Upon appropriate notice, Registrant shall also defend, at its expense,

any claim brought against one or more of these parties based on or arising out of Registrant's breach.

Regards,

Full Name: __________________________

Signature: __________________________

Job Title: ___________________________

[ This document should be faxed to +1-801-705-0481]

Appendix B

Certificate Profiles

1. DigiCert's Root Certificates

a. DigiCert's High Assurance EV Root CA

Field Value

Version V3 (2)

Serial Number Unique number

Issuer Signature Algorithm

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Issuer Distinguished Name Unique X.500 CA DN.

CN = DigiCert High Assurance EV Root CA

OU = www.digicert.com

O = DigiCert Inc

C = US

Validity Period 25 years expressed in UTC format

Subject Distinguished Name CN = DigiCert High Assurance EV Root CA

OU = www.digicert.com

O = DigiCert Inc

C = US

Subject Public Key

Information

2048 bit RSA key modulus, rsaEncryption {1 2 840 113549 1 1 1}

Issuer’s Signature

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Extension Value

Authority Key Identifier c=no; b1 3e c3 69 03 f8 bf 47 01 d4 98 26 1a 08 02 ef 63 64 2b c3

Subject Key Identifier c=no; b1 3e c3 69 03 f8 bf 47 01 d4 98 26 1a 08 02 ef 63 64 2b c3

Key Usage

c=yes; Digital Signature, Certificate Signing , Off-line CRL Signing,

CRL Signing (86)

Extended Key Usage Not present

Certificate Policies Not present

Basic Constraints c=yes; cA=True; path length constraint is absent

b. DigiCert Global Root CA

Field Value

Version V3 (2)

Serial Number Unique number

Issuer Signature Algorithm

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Issuer Distinguished Name Unique X.500 CA DN.

CN = DigiCert Global Root CA

OU = www.digicert.com

O = DigiCert Inc

C = US

Validity Period 25 years expressed in UTC format

Subject Distinguished Name CN = DigiCert Global Root CA

OU = www.digicert.com

O = DigiCert Inc

C = US

Subject Public Key Info 2048 bit RSA key modulus, rsaEncryption {1 2 840 113549 1 1 1}

Issuer’s Signature

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Extension Value

Authority Key Identifier c=no; 03 de 50 35 56 d1 4c bb 66 f0 a3 e2 1b 1b c3 97 b2 3d d1 55

Subject Key Identifier c=no; 03 de 50 35 56 d1 4c bb 66 f0 a3 e2 1b 1b c3 97 b2 3d d1 55

Key Usage

c=yes; Digital Signature, Certificate Signing , Off-line CRL Signing ,

CRL Signing (86)

Extended Key Usage Not present

Certificate Policies Not present

Basic Constraints c=yes; cA=True; path length constraint is absent

c. DigiCert Assured ID Root CA

Field Value

Version V3 (2)

Serial Number Unique number

Issuer Signature Algorithm

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Issuer Distinguished Name Unique X.500 CA DN.

CN = DigiCert Assured ID Root CA

OU = www.digicert.com

O = DigiCert Inc

C = US

Validity Period 25 years expressed in UTC format

Subject Distinguished Name CN = DigiCert Assured ID Root CA

OU = www.digicert.com

O = DigiCert Inc

C = US

Subject Public Key Info 2048 bit RSA key modulus, rsaEncryption {1 2 840 113549 1 1 1}

Issuer’s Signature

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Extension Value

Authority Key Identifier c=no; 45 eb a2 af f4 92 cb 82 31 2d 51 8b a7 a7 21 9d f3 6d c8 0f

Subject Key Identifier c=no; 45 eb a2 af f4 92 cb 82 31 2d 51 8b a7 a7 21 9d f3 6d c8 0f

Key Usage

c=yes; Digital Signature, Certificate Signing , Off-line CRL Signing ,

CRL Signing (86)

Extended Key Usage Not present

Certificate Policies Not present

Basic Constraints c=yes; cA=True; path length constraint is absent

2. DigiCert's Intermediate CA Certificates

a. DigiCert High Assurance EV CA-2 (prior to 4/2/2007) and

DigiCert High Assurance CA-3 (after 4/2/2007)

Field Value

Version V3 (2)

Serial Number Unique number

Issuer Signature Algorithm

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Issuer Distinguished Name Unique X.500 CA DN.

CN = DigiCert High Assurance EV Root CA

OU = www.digicert.com

O = DigiCert Inc

C = US

Validity Period 15 years expressed in UTC format

Subject Distinguished Name

CN = DigiCert High Assurance EV CA-2, or

CN = DigiCert High Assurance CA-3

OU = www.digicert.com

O = DigiCert Inc

C = US

Subject Public Key Info 2048 bit RSA key modulus, rsaEncryption {1 2 840 113549 1 1 1}

Issuer’s Signature

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Extension Value

Authority Key Identifier c=no; b1 3e c3 69 03 f8 bf 47 01 d4 98 26 1a 08 02 ef 63 64 2b c3

Subject Key Identifier c=no;

92 4d 68 8e d9 b0 42 f1 c9 2c a2 ef b7 07 ad 57 92 cc 85 11 (CA-2)

50 ea 73 89 db 29 fb 10 8f 9e e5 01 20 d4 de 79 99 48 83 f7 (CA-3)

Key Usage

c=yes; Digital Signature, Certificate Signing , Off-line CRL Signing ,

CRL Signing (86)

Extended Key Usage

Not present

Netscape Cert Type

CA-2 SSL Client Authentication, SSL Server Authentication, SMIME

(e0)

CA-3 – Not present

Certificate Policies c=no; Certificate Policies; {2.16.840.1.114412.1.3.0.2}

[1,1] Policy Qualifier Info:

Policy Qualifier Id=CPS

Qualifier: http://www.digicert.com/ssl-cps-repository.htm

[1,2]Policy Qualifier Info:

Policy Qualifier Id=User Notice

Qualifier:

Notice Text= Any use of this Certificate constitutes

acceptance of the DigiCert CP/CPS and the Relying Party Agreement

which limit liability and are incorporated herein by reference.

Basic Constraints c=yes; cA=True; path length constraint is absent

Authority Information Access

c=no; Access Method= - Id-ad-ocsp (On-line Certificate Status Protocol

- 1.3.6.1.5.5.7.48.1); URL =http://ocsp.digicert.com

CRL Distribution Points c = no;

CRL HTTP URL =

http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl

CRL HTTP URL =

http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl

b. DigiCert Global CA-1

Field Value

Version V3 (2)

Serial Number Unique number

Issuer Signature Algorithm

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Issuer Distinguished Name Unique X.500 CA DN.

CN = DigiCert Global Root CA

OU = www.digicert.com

O = DigiCert Inc

C = US

Validity Period 15 years expressed in UTC format

Subject Distinguished Name

CN = DigiCert Global CA-1

OU = www.digicert.com

O = DigiCert Inc

C = US

Subject Public Key Info 2048 bit RSA key modulus, rsaEncryption {1 2 840 113549 1 1 1}

Issuer’s Signature

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Extension Value

Authority Key Identifier c=no; 03 de 50 35 56 d1 4c bb 66 f0 a3 e2 1b 1b c3 97 b2 3d d1 55

Subject Key Identifier c=no; 1e 1c 88 15 aa f2 46 d0 05 da e9 1e dc 22 bd a8 97 de 0f b2

Key Usage

c=yes; Digital Signature, Certificate Signing , Off-line CRL Signing ,

CRL Signing (86)

Extended Key Usage

c=no;

Server Authentication (1.3.6.1.5.5.7.3.1)

Client Authentication (1.3.6.1.5.5.7.3.2)

Code Signing (1.3.6.1.5.5.7.3.3)

Secure Email (1.3.6.1.5.5.7.3.4)

Time Stamping (1.3.6.1.5.5.7.3.8)

Certificate Policies c=no; Certificate Policies; {2.16.840.1.114412.1.3.0.3}

[1,1] Policy Qualifier Info:

Policy Qualifier Id=CPS

Qualifier: http://www.digicert.com/ssl-cps-repository.htm

[1,2]Policy Qualifier Info:

Policy Qualifier Id=User Notice

Qualifier:

Notice Text= Any use of this Certificate constitutes

acceptance of the DigiCert CP/CPS and the Relying Party Agreement

which limit liability and are incorporated herein by reference.

Basic Constraints c=yes; cA=True; path length constraint is absent

Authority Information Access

c=no; Access Method= - Id-ad-ocsp (On-line Certificate Status Protocol

- 1.3.6.1.5.5.7.48.1); URL =http://ocsp.digicert.com

CRL Distribution Points c = no;

CRL HTTP URL =http://crl3.digicert.com/DigiCertGlobalRootCA.crl

CRL HTTP URL =http://crl4.digicert.com/DigiCertGlobalRootCA.crl

c. DigiCert Assured ID CA-1

Field Value

Version V3 (2)

Serial Number Unique number

Issuer Signature Algorithm

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Issuer Distinguished Name Unique X.500 CA DN.

CN = DigiCert Assured ID Root CA

OU = www.digicert.com

O = DigiCert Inc

C = US

Validity Period 15 years expressed in UTC format

Subject Distinguished Name CN = DigiCert Assured ID CA-1

OU = www.digicert.com

O = DigiCert Inc

C = US

Subject Public Key Info 2048 bit RSA key modulus, rsaEncryption {1 2 840 113549 1 1 1}

Issuer’s Signature

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Extension Value

Authority Key Identifier c=no; 45 eb a2 af f4 92 cb 82 31 2d 51 8b a7 a7 21 9d f3 6d c8 0f

Subject Key Identifier c=no; 15 00 12 2b 13 98 b2 99 07 ed 1e df a2 be 57 0d 2b 67 02 cd

Key Usage

c=yes; Digital Signature, Certificate Signing , Off-line CRL Signing ,

CRL Signing (86)

Extended Key Usage c=no;

Server Authentication (1.3.6.1.5.5.7.3.1)

Client Authentication (1.3.6.1.5.5.7.3.2)

Code Signing (1.3.6.1.5.5.7.3.3)

Secure Email (1.3.6.1.5.5.7.3.4)

Time Stamping (1.3.6.1.5.5.7.3.8)

Certificate Policies c=no; Certificate Policies; {2.16.840.1.114412.1.3.0.4}

[1,1] Policy Qualifier Info:

Policy Qualifier Id=CPS

Qualifier: http://www.digicert.com/ssl-cps-repository.htm

[1,2]Policy Qualifier Info:

Policy Qualifier Id=User Notice

Qualifier:

Notice Text= Any use of this Certificate constitutes

acceptance of the DigiCert CP/CPS and the Relying Party Agreement

which limit liability and are incorporated herein by reference.

Basic Constraints c=yes; cA=True; path length constraint is absent

Authority Information Access

c=no; Access Method= - Id-ad-ocsp (On-line Certificate Status Protocol

- 1.3.6.1.5.5.7.48.1); URL =http://ocsp.digicert.com

CRL Distribution Points c = no;

CRL HTTP URL =http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl

CRL HTTP URL =http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl

3. DigiCert End Entity Certificates

a. DigiCert High Assurance EV CA-2 SSL End Entity (prior to 4/2/2007) and

DigiCert High Assurance CA-3 SSL End Entity (after 4/2/2007)

Field Value

Version V3 (2)

Serial Number Unique number

Issuer Signature Algorithm

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Issuer Distinguished Name Unique X.500 CA DN.

CN = DigiCert High Assurance EV CA-2 or

CN = DigiCert High Assurance CA-3

OU = www.digicert.com

O = DigiCert Inc

C = US

Validity Period 1, 2 or 3 years expressed in UTC format

Subject Distinguished

Name

cn = <DNS Name of Website>

ou = <Organizational Unit of Subscriber>

o = <Full Legal Name of Subscriber>

l = <Locality of Subscriber>

s = <State of Subscriber>

c = <country of Subscriber>

Subject Public Key Info 1024/2048-bit RSA key modulus, rsaEncryption {1 2 840 113549 1 1 1}

Issuer’s Signature

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Extension Value

Authority Key Identifier c=no;

92 4d 68 8e d9 b0 42 f1 c9 2c a2 ef b7 07 ad 57 92 cc 85 11 (CA-2)

50 ea 73 89 db 29 fb 10 8f 9e e5 01 20 d4 de 79 99 48 83 f7 (CA-3)

Subject Key Identifier c=no; Octet String – Same as calculated by CA from PKCS#10

Key Usage c=yes;

Digital Signature, Key Encipherment (a0)

Extended Key Usage c=no;

Server Authentication (1.3.6.1.5.5.7.3.1)

Client Authentication (1.3.6.1.5.5.7.3.2)

Certificate Policies c=no; Certificate Policies c=no; {2.16.840.1.114412.1.3.0.2}

[1,1] Policy Qualifier Info:

Policy Qualifier Id=CPS

Qualifier: http://www.digicert.com/ssl-cps-repository.htm

[1,2] Policy Qualifier Info:

Policy Qualifier Id=User Notice

Qualifier:

Notice Text= Any use of this Certificate constitutes acceptance

of the DigiCert CP/CPS and the Relying Party Agreement which limit

liability and are incorporated herein by reference.

Subject Alternative Name c=no; DNS = FQDN of Device (e.g., domain.com)

Authority Information

Access

c=no; Access Method= - Id-ad-ocsp (On-line Certificate Status Protocol -

1.3.6.1.5.5.7.48.1); URL =http://ocsp.digicert.com

CRL Distribution Points c = no;

CRL HTTP URL =

http://crl3.digicert.com/DigiCertHighAssuranceEVCA-2.crl

CRL HTTP URL =

http://crl4.digicert.com/DigiCertHighAssuranceEVCA-2.crl

CRL HTTP URL = http://crl3.digicert.com/DigiCertHighAssuranceCA-3.crl

CRL HTTP URL = http://crl4.digicert.com/DigiCertHighAssuranceCA-3.crl

- OR, if the certificate has a dedicated CRL file -

CRL HTTP URL = http://crl3.digicert.com/[SERIAL].crl

CRL HTTP URL = http://crl4.digicert.com/[SERIAL].crl

b. DigiCert Global CA-1 SSL End Entity

Field Value

Version V3 (2)

Serial Number Unique number

Issuer Signature Algorithm

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Issuer Distinguished Name Unique X.500 CA DN.

CN = DigiCert Global CA-1

OU = www.digicert.com

O = DigiCert Inc

C = US

Validity Period 1, 2 or 3 years expressed in UTC format

Subject Distinguished Name cn = <DNS Name of Website>

ou = <Organizational Unit of Subscriber>

o = <Full Legal Name of Subscriber>

l = <Locality of Subscriber>

s = <State of Subscriber>

c = <country of Subscriber>

Subject Public Key Info 1024/2048-bit RSA key modulus, rsaEncryption {1 2 840 113549 1 1 1}

Issuer’s Signature

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Extension Value

Authority Key Identifier c=no; 1e 1c 88 15 aa f2 46 d0 05 da e9 1e dc 22 bd a8 97 de 0f b2

Subject Key Identifier c=no; Octet String – Same as calculated by CA from PKCS#10

Key Usage c=yes;

Digital Signature, Key Encipherment (a0)

Extended Key Usage c=no;

Server Authentication (1.3.6.1.5.5.7.3.1)

Client Authentication (1.3.6.1.5.5.7.3.2)

Certificate Policies c=no; Certificate Policies c=no; {2.16.840.1.114412.1.3.0.3}

[1,1] Policy Qualifier Info:

Policy Qualifier Id=CPS

Qualifier: http://www.digicert.com/ssl-cps-repository.htm

[1,2] Policy Qualifier Info:

Policy Qualifier Id=User Notice

Qualifier:

Notice Text= Any use of this Certificate constitutes

acceptance of the DigiCert CP/CPS and the Relying Party Agreement

which limit liability and are incorporated herein by reference.

Subject Alternative Name c=no; DNS = FQDN of Device (e.g., domain.com)

Authority Information Access

c=no; Access Method= - Id-ad-ocsp (On-line Certificate Status Protocol

- 1.3.6.1.5.5.7.48.1); URL =http://ocsp.digicert.com

CRL Distribution Points c = no;

CRL HTTP URL = http://crl3.digicert.com/DigiCertGlobalCA-1.crl

CRL HTTP URL = http://crl4.digicert.com/DigiCertGlobalCA-1.crl

- OR, if the certificate has a dedicated CRL file -

CRL HTTP URL = http://crl3.digicert.com/[SERIAL].crl

CRL HTTP URL = http://crl4.digicert.com/[SERIAL].crl

c. DigiCert Assured ID CA-1 SSL End Entity

Field Value

Version V3 (2)

Serial Number Unique number

Issuer Signature Algorithm

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Issuer Distinguished Name Unique X.500 CA DN.

CN = DigiCert Assured ID CA-1

OU = www.digicert.com

O = DigiCert Inc

C = US

Validity Period 1, 2 or 3 years expressed in UTC format

Subject Distinguished Name cn = <DNS Name of Website>

ou = <Organizational Unit of Subscriber>

o = <Full Legal Name of Subscriber>

l = <Locality of Subscriber>

s = <State of Subscriber>

c = <country of Subscriber>

Subject Public Key Info 1024/2048-bit RSA key modulus, rsaEncryption {1 2 840 113549 1 1 1}

Issuer’s Signature

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Extension Value

Authority Key Identifier c=no; 15 00 12 2b 13 98 b2 99 07 ed 1e df a2 be 57 0d 2b 67 02 cd

Subject Key Identifier c=no; Octet String – Same as calculated by CA from PKCS#10

Key Usage c=yes; Digital Signature, Key Encipherment (a0)

Extended Key Usage c=no;

Server Authentication (1.3.6.1.5.5.7.3.1)

Client Authentication (1.3.6.1.5.5.7.3.2)

Certificate Policies c=no; Certificate Policies c=no; {2.16.840.1.114412.1.3.0.4}

[1,1] Policy Qualifier Info:

Policy Qualifier Id=CPS

Qualifier: http://www.digicert.com/ssl-cps-repository.htm

[1,2] Policy Qualifier Info:

Policy Qualifier Id=User Notice

Qualifier:

Notice Text= Any use of this Certificate constitutes

acceptance of the DigiCert CP/CPS and the Relying Party Agreement

which limit liability and are incorporated herein by reference.

Subject Alternative Name c=no; DNS = FQDN of Device (e.g., domain.com)

Authority Information Access

c=no; Access Method= - Id-ad-ocsp (On-line Certificate Status Protocol

- 1.3.6.1.5.5.7.48.1); URL =http://ocsp.digicert.com

CRL Distribution Points c = no;

CRL HTTP URL = http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl

CRL HTTP URL = http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl

- OR, if the certificate has a dedicated CRL file -

CRL HTTP URL = http://crl3.digicert.com/[SERIAL].crl

CRL HTTP URL = http://crl4.digicert.com/[SERIAL].crl

d. DigiCert High Assurance CA-3 Email Certificate

Field Value

Version V3 (2)

Serial Number Unique number

Issuer Signature Algorithm

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Issuer Distinguished Name Unique X.500 CA DN.

CN = DigiCert High Assurance CA-3

OU = www.digicert.com

O = DigiCert Inc

C = US

Validity Period 1, 2 or 3 years expressed in UTC format

Subject Distinguished

Name

e = <RFC822 email address>

cn = <Name>

ou = Identity Not Verified

ou = Secure Email Provided by DigiCert

o = < Organization> (Enterprise Email Certificates)

l = <Locality of Subscriber>

s = <State of Subscriber>

c = <country of Subscriber>

Subject Public Key Info 1024/2048-bit RSA key modulus, rsaEncryption {1 2 840 113549 1 1 1}

Issuer’s Signature

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Extension Value

Authority Key Identifier c=no; 50 ea 73 89 db 29 fb 10 8f 9e e5 01 20 d4 de 79 99 48 83 f7

Subject Key Identifier c=no; Octet String – Same as calculated by CA from PKCS#10

Key Usage c=yes;

Digital Signature, Key Encipherment, (a0)

Extended Key Usage c=no;

Client Authentication (1.3.6.1.5.5.7.3.2)

Secure Email (1.3.6.1.5.5.7.3.4)

Certificate Policies c=no; Certificate Policies c=no; {2.16.840.1.114412.1.3.0.2}

[1,1] Policy Qualifier Info:

Policy Qualifier Id=CPS

Qualifier: http://www.digicert.com/ssl-cps-repository.htm

[1,2] Policy Qualifier Info:

Policy Qualifier Id=User Notice

Qualifier:

Notice Text= Any use of this Certificate constitutes acceptance

of the DigiCert CP/CPS and the Relying Party Agreement which limit

liability and are incorporated herein by reference.

Subject Alternative Name c=no; <RFC822 email address>

Authority Information

Access

c=no; Access Method= - Id-ad-ocsp (On-line Certificate Status Protocol -

1.3.6.1.5.5.7.48.1); URL =http://ocsp.digicert.com

CRL Distribution Points c = no;

CRL HTTP URL = http://crl3.digicert.com/DigiCertHighAssuranceCA-3.crl

CRL HTTP URL = http://crl4.digicert.com/DigiCertHighAssuranceCA-3.crl

4. DigiCert's Entrust-issued Intermediate CA Certificates

a. DigiCert Global CA signed with Entrust 1024-bit key (two versions)

Field Value (issued 2/17/2009) Value (issued 7/14/2006)

Version V3 (2)

Serial Number 46 9e 79 5d 42 86 ab a0

Issuer Signature Algorithm

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Issuer Distinguished Name Unique X.500 CA DN.

CN = Entrust.net Secure Server Certification Authority

OU = www.entrust.net/Certificate Policy incorp. by ref. (limits

liab.)

O = Entrust.net

C = US

Validity Period 2/17/2009 – 1/17/2012 7/14/2006 – 7/14/2014

Subject Distinguished Name CN = DigiCert Global CA

OU = www.digicert.com

O = DigiCert Inc

C = US

Subject Public Key Info 2048 bit RSA key modulus, rsaEncryption {1 2 840 113549 1 1 1}

Extension Value

Authority Key Identifier c=no; f0 17 62 13 55 3d b3 ff 0a 00 6b fb 50 84 97 f3 ed 62 d0 1a

Subject Key Identifier c=no; a7 c7 13 a0 7a 01 3c 9d ef 82 48 82 48 d5 73 51 b6 12 56 2a

Key Usage c=yes;

Certificate Signing , Off-line CRL Signing , CRL Signing (06)

Extended Key Usage c=no;

Server Authentication

(1.3.6.1.5.5.7.3.1)

Client Authentication

(1.3.6.1.5.5.7.3.2)

Secure Email (1.3.6.1.5.5.7.3.4)

c=no;

Server Authentication

(1.3.6.1.5.5.7.3.1)

Client Authentication

(1.3.6.1.5.5.7.3.2)

Secure Email (1.3.6.1.5.5.7.3.4)

OCSP Signing

(1.3.6.1.5.5.7.3.9)

Certificate Policies

Policy Identifier=

All issuance

policies

CPS Qualifier=

http://www.digicert.com/ssl-cps-

repository.htm

Policy Identifier=

1.2.840.113533.7.75.2

CPS Qualifier=

http://www.entrust.net/cps

User Notice = For use solely

with SSL and S/MIME

certificates issued by Digicert,

Inc. to authorized subscribers.

DOES NOT represent any

endorsement by Entrust Inc. or

its affiliates as to the identity of

any certificate holder.

Entrust Version Extension

(1.2.840.113533.7.65.0)

v. 7.1

Basic Constraints c=yes; cA=True; path length constraint = 0

Authority Information Access OCSP (1.3.6.1.5.5.7.48.1)

URL=http://ocsp.entrust.net

None present

CRL Distribution Points

http://crl.entrust.net/server1.crl http://crl.entrust.net/server1.crl

Directory Address:

CN=CRL1

CN=Entrust.net Secure Server

Certification Authority

OU=www.entrust.net/CPS

incorp. by ref. (limits liab.)

O=Entrust.net

C=US

b. DigiCert Global CA signed with Entrust 2048-bit key

Field Value

Version V3 (2)

Serial Number 38 63 cb 4a

Issuer Signature Algorithm

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Issuer Distinguished Name Unique X.500 CA DN.

CN = Entrust.net Certification Authority (2048)

OU = www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)

O = Entrust.net

Validity Period 11/7/2008 – 6/30/2014

Subject Distinguished Name CN = DigiCert Global CA (2048)

OU = www.digicert.com

O = DigiCert Inc

C = US

Subject Public Key Info 2048 bit RSA key modulus, rsaEncryption {1 2 840 113549 1 1 1}

Extension Value

Authority Key Identifier c=no; 55 e4 81 d1 11 80 be d8 89 b9 08 a3 31 f9 a1 24 09 16 b9 70

Subject Key Identifier c=no; 43 49 47 e7 cf 40 d1 9a a8 92 f2 8c 8a ca 98 93 cf c9 08 0f

Key Usage c=yes;

Certificate Signing , Off-line CRL Signing , CRL Signing (06)

Extended Key Usage c=no;

Server Authentication (1.3.6.1.5.5.7.3.1)

Client Authentication (1.3.6.1.5.5.7.3.2)

Secure Email (1.3.6.1.5.5.7.3.4)

Certificate Policies Policy Identifier= All issuance policies

Entrust Version Extension

(1.2.840.113533.7.65.0)

v. 7.1

Basic Constraints c=yes; cA=True; path length constraint = 0

Authority Information Access OCSP (1.3.6.1.5.5.7.48.1) URL=http://ocsp.entrust.net

CRL Distribution Points

http://crl.entrust.net/2048ca.crl

c. DigiCert Global CA End Entity

Field Value

Version V3 (2)

Serial Number Unique number

Issuer Signature Algorithm

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Issuer Distinguished Name Unique X.500 CA DN.

CN = DigiCert Global CA

OU = www.digicert.com

O = DigiCert Inc

C = US

Validity Period 1, 2 or 3 years expressed in UTC format

Subject Distinguished Name cn = <Name of Website or Domain>

ou = <Organizational Unit of Subscriber>

o = <Full Legal Name of Subscriber>

l = <Locality of Subscriber>

s = <State of Subscriber>

c = <country of Subscriber>

Subject Public Key Info

1024 or 2048-bit RSA key modulus, rsaEncryption {1 2 840 113549

1 1 1}

Issuer’s Signature

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Extension Value

Authority Key Identifier c=no; a7 c7 13 a0 7a 01 3c 9d ef 82 48 82 48 d5 73 51 b6 12 56 2a

Subject Key Identifier c=no; Octet String – Same as calculated by CA from PKCS#10

Key Usage c=yes; Digital Signature, Key Encipherment (a0)

Extended Key Usage c=no;

Server Authentication (1.3.6.1.5.5.7.3.1)

Client Authentication (1.3.6.1.5.5.7.3.2)

Certificate Policies c=no; Certificate Policies; {2.16.840.1.114412.1.3.0.1}

[1,1] Policy Qualifier Info:

Policy Qualifier Id=CPS

Qualifier: http://www.digicert.com/ssl-cps-repository.htm

[1,2] Policy Qualifier Info:

Policy Qualifier Id=User Notice

Qualifier:

Notice Text= Any use of this Certificate constitutes

acceptance of the DigiCert CP/CPS and the Relying Party

Agreement which limit liability and are incorporated herein by

reference.

Subject Alternative Name c=no; Name of Device1 (e.g., domain.com)

Name of Device2, etc.

Authority Information Access

c=no; Access Method= - Id-ad-ocsp (On-line Certificate Status

Protocol - 1.3.6.1.5.5.7.48.1); URL =http://ocsp.digicert.com

CRL Distribution Points c = no;

CRL HTTP URL = http://crl3.digicert.com/DigiCertGlobalCA.crl

CRL HTTP URL = http://crl4.digicert.com/DigiCertGlobalCA.crl

- OR, if the certificate has a dedicated CRL file -

CRL HTTP URL = http://crl3.digicert.com/[SERIAL].crl

CRL HTTP URL = http://crl4.digicert.com/[SERIAL].crl

d. DigiCert Global CA End Entity Unified Communications Certificates

Field Value

Version V3 (2)

Serial Number Unique number

Issuer Signature Algorithm

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Issuer Distinguished Name Unique X.500 CA DN.

CN = DigiCert Global CA

OU = www.digicert.com

O = DigiCert Inc

C = US

Validity Period 1, 2 or 3 years expressed in UTC format

Subject Distinguished Name cn = <Name of Website or Domain>

ou = <Organizational Unit of Subscriber>

o = <Full Legal Name of Subscriber>

l = <Locality of Subscriber>

s = <State of Subscriber>

c = <country of Subscriber>

Subject Public Key Info

1024 or 2048-bit RSA key modulus, rsaEncryption {1 2 840 113549

1 1 1}

Issuer’s Signature

sha-1WithRSAEncryption {1 2 840 113549 1 1 5}

Extension Value

Authority Key Identifier c=no; a7 c7 13 a0 7a 01 3c 9d ef 82 48 82 48 d5 73 51 b6 12 56 2a

Subject Key Identifier c=no; Octet String – Same as calculated by CA from PKCS#10

Key Usage c=yes; Digital Signature, Key Encipherment (a0)

Extended Key Usage c=no;

Server Authentication (1.3.6.1.5.5.7.3.1)

Client Authentication (1.3.6.1.5.5.7.3.2)

Certificate Policies c=no; Certificate Policies; {2.16.840.1.114412.1.3.0.1}

[1,1] Policy Qualifier Info:

Policy Qualifier Id=CPS

Qualifier: http://www.digicert.com/ssl-cps-repository.htm

[1,2] Policy Qualifier Info:

Policy Qualifier Id=User Notice

Qualifier:

Notice Text= Any use of this Certificate constitutes

acceptance of the DigiCert CP/CPS and the Relying Party

Agreement which limit liability and are incorporated herein by

reference.

Subject Alternative Name c=no;

Name of Device1

Name of Device2

Name of Device3

Name of Device4

Name of Device5

Name of Device6

Name of Device7

Etc.

Authority Information Access

c=no; Access Method= - Id-ad-ocsp (On-line Certificate Status

Protocol - 1.3.6.1.5.5.7.48.1); URL =http://ocsp.digicert.com

CRL Distribution Points c = no;

CRL HTTP URL = http://crl3.digicert.com/DigiCertGlobalCA.crl

CRL HTTP URL = http://crl4.digicert.com/DigiCertGlobalCA.crl

- OR, if the certificate has a dedicated CRL file -

CRL HTTP URL = http://crl3.digicert.com/[SERIAL].crl

CRL HTTP URL = http://crl4.digicert.com/[SERIAL].crl