Certificate Policy

Version 1.0

Effective Date: January 1, 2026

Last Updated: January 15, 2026

1. Introduction

1.1 Overview

This Certificate Policy (CP) defines the policies and procedures governing the issuance, management, and revocation of digital certificates by Continuum Trust Services, a public Certificate Authority operated by Continuum Systems.

1.2 Document Name and Identification

Policy Name: Continuum Trust Services Certificate Policy

Version: 1.0

Issuing Organization: Continuum Systems Ltd.

Jurisdiction: Cayman Islands (KY)

1.3 PKI Participants

  • Certificate Authority (CA): Continuum Trust Services
  • Registration Authority (RA): Continuum Systems validation team
  • Subscribers: Approved organizations and individuals
  • Relying Parties: Entities that rely on certificates for authentication

2. Publication and Repository Responsibilities

2.1 Repositories

Continuum Trust Services maintains publicly accessible repositories containing:

  • Root CA certificate
  • Intermediate/Issuing CA certificates
  • Certificate Revocation Lists (CRLs)
  • This Certificate Policy (CP)
  • Certification Practice Statement (CPS)

2.2 Publication of Certificate Information

CA certificates and policy documents are published at the Continuum Systems website. CRL and OCSP endpoints are provided for certificate status verification.

3. Identification and Authentication

3.1 Naming

All certificates contain a Distinguished Name (DN) that uniquely identifies the subject. The DN must accurately represent the subscriber's identity as verified during the registration process.

3.2 Initial Identity Validation

Continuum Trust Services performs the following validation procedures:

  • Domain control validation for TLS certificates
  • Organization identity verification through official documentation
  • Individual identity verification for client certificates
  • Authorization verification for certificate requesters

3.3 Authentication for Re-key and Renewal

Re-key and renewal requests require re-authentication of the subscriber's identity and domain control where applicable.

4. Certificate Lifecycle Operational Requirements

4.1 Certificate Application

Certificate applications must be submitted through approved channels with complete and accurate information. Continuum Trust Services does not accept anonymous or automated certificate requests.

4.2 Certificate Issuance

Certificates are issued only after successful completion of all validation procedures. Issuance decisions are made by authorized personnel following documented procedures.

4.3 Certificate Acceptance

Subscribers are deemed to have accepted a certificate upon downloading or using it. Subscribers must verify certificate contents and report any discrepancies immediately.

4.4 Certificate Revocation

Certificates may be revoked under the following circumstances:

  • Key compromise or suspected compromise
  • Subscriber request
  • Inaccurate or misleading certificate information
  • Violation of the Subscriber Agreement
  • CA policy changes requiring revocation
  • Cessation of operations

5. Management, Operational, and Physical Controls

5.1 Physical Security Controls

  • CA systems are housed in secure, access-controlled facilities
  • Multi-factor authentication required for physical access
  • 24/7 monitoring and surveillance
  • Environmental controls for temperature, humidity, and fire suppression

5.2 Procedural Controls

  • Trusted roles with separation of duties
  • Background checks for CA personnel
  • Documented procedures for all critical operations
  • Dual control for sensitive operations

5.3 Personnel Security Controls

All personnel with access to CA systems undergo background verification and security training. Access rights are reviewed and updated regularly.

6. Technical Security Controls

6.1 Key Pair Generation and Installation

  • CA keys are generated in FIPS 140-2 Level 3 validated hardware security modules (HSM)
  • Key generation ceremonies are witnessed and documented
  • Multi-party control for CA key activation

6.2 Private Key Protection

  • CA private keys never exist outside of HSMs in plaintext
  • HSM backup and recovery procedures are documented
  • Key escrow is not performed for CA keys

6.3 Cryptographic Standards

Root CA: ECDSA P-384, SHA-384

Issuing CA: ECDSA P-384, SHA-384

End-entity: ECDSA P-256/P-384, SHA-256/SHA-384

RSA support: 2048-bit minimum (legacy compatibility)

7. Certificate Profiles

7.1 Certificate Types

  • TLS Server Certificates: Domain-validated and organization-validated
  • TLS Client Certificates: Individual and device authentication
  • Code Signing Certificates: Software and firmware signing
  • Infrastructure Certificates: API, service mesh, and control plane

7.2 Certificate Validity Periods

Root CA: 20 years

Issuing CA: 10 years

TLS Certificates: 90 days to 1 year

Client Certificates: Up to 2 years

8. Compliance and Audit

8.1 Compliance

Continuum Trust Services operates in compliance with applicable laws and regulations. The CA maintains compliance with industry standards including applicable portions of the CA/Browser Forum Baseline Requirements.

8.2 Audit

The CA undergoes regular internal and external audits to ensure compliance with this CP and the CPS. Audit results are reviewed by management and any findings are addressed promptly.

9. Legal Provisions

9.1 Liability

Continuum Trust Services' liability is limited as specified in subscriber agreements and relying party agreements. The CA shall not be liable for damages arising from improper use of certificates.

9.2 Governing Law

This CP is governed by applicable laws. Disputes shall be resolved through arbitration or in courts of competent jurisdiction.

10. Contact Information

For questions regarding this Certificate Policy, please contact:

Continuum Systems Ltd.

Infrastructure Operations

George Town, Grand Cayman

Cayman Islands (KY)

Policy Administration

hello@continuum.lat