Certification Practice Statement

1. Introduction

This Certification Practice Statement ("CPS") document outlines the certification services practices for this particular instance running the LabCA software. PKI (Public Key Infrastructure) services include, but are not limited to, issuing, managing, validating, revoking, and renewing Certificates. The services are provided for HZCD.XYZ internal use only.

The following Certification Authorities are covered under this CPS:

CA Type: Root CA
Distinguished Name: subject=C = CN, O = HZCD.XYZ, OU = TECH, CN = HZCD.XYZ Root CA
SHA-256 Key Fingerprint: A9:ED:E1:43:BF:A0:2F:1A:E6:34:6E:11:EA:8D:AD:C6:EE:E8:10:F4
Validity Period: Not Before: Mar 24 15:17:51 2022 GMT; Not After: Mar 21 15:17:51 2032 GMT

Certificates issued by this PKI can be used only to establish secure online communication between hosts (as identified by the FQDN provided in the Certificate) and clients using the TLS protocol. A Certificate only represents that the information contained in it was verified as reasonably correct when the Certificate was issued.

Certificates may not be used for any application requiring fail-safe performance, providing financial services, facilitating interference with encrypted communications or violating laws or regulations.

Relying Parties should verify the validity of certificates via CRL or OCSP prior to relying on certificates. CRL and OCSP location information is provided within certificates.

2. Publication and Repository

This CPS is published at http://ca.hzcd.xyz/cps/

Records of root and intermediate certificates, including those that have been revoked, are available at http://ca.hzcd.xyz/certs/

LabCA certificates contain URLs to locations where certificate-related information is published, including revocation information via OCSP and/or CRLs.

3. Identification and Authentication

LabCA certificates include a "Subject" field which identifies the subject entity (i.e. organization or domain). The subject entity is identified using a distinguished name.

LabCA certificates include an "Issuer" field which identifies the issuing entity. The issuing entity is identified using a distinguished name.

4. Certificate Life-Cycle Operational Requirements

Anyone associated with HZCD.XYZ may submit an application for a certificate via the ACME protocol. Issuance will depend on proper validation and compliance with this PKI's policies. End-entity certificates are made available to Subscribers via the ACME protocol as soon after issuance as reasonably possible.

Subscribers are obligated to generate Key Pairs using reasonably trustworthy systems and to take reasonable measures to protect their Private Keys from unauthorized use or disclosure.

Relying Parties must fully evaluate the context in which they are relying on certificates and the information contained in them, and decide to what extent the risk of reliance is acceptable. If the risk of relying on a certificate is determined to be unacceptable, then Relying Parties should not use the certificate or should obtain additional assurances before using the certificate.

Relying Parties ignoring certificate expiration, revocation data provided via OCSP or CRL, or other pertinent information do so at their own risk.

Certificate revocation permanently ends the certificate's operational period before the end of its stated validity period.

5. Facilities, Management, and Operational Controls

Operation of this PKI is the full responsibility of HZCD.XYZ.

6. Technical Security Controls

LabCA does not use a Hardware Security Module (HSM) for storing CA private keys. LabCA is intended to be used in a lab or intranet environment with sufficient protection against bad actors. It may not be used as a publicly accessible PKI instance.

7. Certificate, CRL, and OCSP Profile

Any requirements or policies regarding Certificates, CRLs and OCSP are at the full discretion of HZCD.XYZ.

8. Compliance audit

Not applicable.

9. Other Business and Legal Matters

LabCA CERTIFICATES AND SERVICES ARE PROVIDED "AS-IS". LabCA DISCLAIMS ANY AND ALL WARRANTIES OF ANY TYPE AND DOES NOT ACCEPT ANY LIABILITY.

EACH USER AFFIRMATIVELY AND EXPRESSLY WAIVES THE RIGHT TO HOLD LabCA RESPONSIBLE IN ANY WAY.