This page sets out the requirements for Certification Authorities (CAs) who participate in the Microsoft Trusted Root Certificate Program ("Program") along with the requirements to use each of the EKUs that Microsoft currently supports as part of the Microsoft Trusted Root Certificate Program.

Below you will find the requirements for both Commercial CAs and Government CAs along with information about what constitutes a Government CA. (See "Definitions", below). Additionally, you will find information about how the requirements are changing for Government CAs.

Short URL

Bookmark: http://aka.ms/auditreqs

1. General Requirements

Microsoft requires that every CA submit evidence of a Qualifying Audit on an annual basis for the CA and any non-limited root within its PKI chain. A Qualifying Audit must meet the following five main requirements:

  (A) the auditor must be qualified,
  (B) the audit must be performed using the proper scope,
  (C) the audit must be performed using the proper standard,
  (D) the audit must be performed and the attestation letter must be issued within the proper time period, and
  (E) the auditor must complete and submit a Qualifying Attestation.

It is the responsibility of the CA to provide Microsoft with a Qualifying Attestation to the results of the audit as well as conformance to the Audit Requirements in a timely manner.

A. The Auditor's Qualifications

Microsoft considers an auditor to be a Qualified Auditor if s/he is an independent individual or company that is certified to perform certification authority audits by one of these three authorities: (1) WebTrust, (2) an ETSI Equivalent National Authority (published at http://aka.ms/ena), or (3) in the case of a Government CA, the government itself. (For more information on Government CAs, see "Government CA Requirements" below.)

If a CA chooses to obtain a WebTrust audit, Microsoft requires the CA to retain a WebTrust-licensed auditor to perform the audit. The full list of WebTrust-licensed auditors is available at http://aka.ms/webtrustauditors. If a CA chooses to obtain an ETSI-based audit, Microsoft requires the CA to retain an auditor authorized by an Equivalent National Authority ("ENA"). The list of acceptable ENAs is published at http://aka.ms/ena. If a CA is operated in a country that does not have an ETSI Equivalent National Authority, Microsoft will accept an audit performed by an auditor that is qualified under an Equivalent National Authority in the auditor's home country.

B. The Scope of the Audit

The scope of the audit must include all roots, non-limited sub-roots, and cross-signed non-enrolled roots under the root, except for sub-roots that are limited to a verified domain. The audit must also document the full PKI hierarchy. The final audit statements must be in a publicly accessible location and must contain the start and end dates of the audit period. In the case of a WebTrust audit, the WebTrust seal(s) must also be in a publicly accessible location.

C. Point-in-Time Readiness Assessments

Microsoft requires an audit prior to commencing commercial operations. For commercial CAs that have not been operational as an issuer of certificates for 90 days or more, Microsoft will accept a point-in-time readiness audit conducted by a Qualified Auditor. If the CA uses a point-in-time readiness audit, Microsoft requires a follow-up audit within 90 days after the CA issues its first certificate.

D. The Time Period Between the Assessment and the Auditor's Attestation

Microsoft requires that the CA obtain a conforming audit annually. To ensure that Microsoft has information that accurately reflects the current business practices of the CA, the attestation letter arising from the audit must be dated and received by Microsoft not more than 3 months from the ending date specified in the attestation letter.

E. Audit Attestation

Microsoft requires that each auditor complete and submit to Microsoft a Qualifying Attestation. A Qualifying Attestation requires that the auditor complete both a Qualifying Attestation Letter and the Qualifying Attestation Cover Letter.

A Qualifying Attestation Letter is a letter that conforms to the following requirements:

  1. the letter clearly identifies the company being audited,
  2. it identifies the auditing company performing the audit,
  3. it identifies which root(s) were audited,
  4. it identifies which Audit Standard was used to audit each of the roots respectively,
  5. it states the date and/or date range of the audit period,* and
  6. it contains an attestation that the audit was a full audit.

*Acceptable audit dates/date ranges vary based upon the type of audit performed and can be found on the Qualifying Attestation Cover Letter.

2. Conventional CA Audit Standards

The Program accepts two types of audit standards: WebTrust and ETSI. For each EKU listed in the tables below, Microsoft requires an audit that conforms to every standard marked with an X in that EKU's row.

A. WebTrust Audits

The four WebTrust standards referenced in the table are:

  1. WebTrust Principles and Criteria for Certification Authorities - WebTrust for CAs 2.0
  2. WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security - Version 2
  3. WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.4.5
  4. WebTrust Principles and Criteria for Certification Authorities - Extended Validation Code Signing

| EKU | (1) WebTrust for CAs 2.0 | (2) SSL Baseline with Network Security v2 | (3) EV SSL v1.4.5 | (4) EV Code Signing |
|---|---|---|---|---|
| Server Authentication (non-EV) | X | X | | |
| Server Authentication (non-EV) and Client Authentication only | X | X | | |
| Server Authentication (EV) | X | X | X | |
| Server Authentication (EV) and Client Authentication only | X | X | X | |
| EV Code Signing | X | | | X |
| Non-EV Code Signing and Time stamping | X | | | |
| Secured Email (S/MIME) | X | | | |
| Client Authentication (without Server Authentication) | X | | | |
| Document Signing | X | | | |
B. ETSI-Based Audits

Note 1: If a CA uses an ETSI-based audit, it must perform a full audit annually, and Microsoft will not accept surveillance audits.

The five ETSI standards referenced in the table are:

  1. ETSI TS 102 042 V2.4.1 or later (DVCP, OVCP or PTC-BR policies) - Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates
  2. ETSI TS 102 042 V2.4.1 or later (EVCP or EVCP+ policies) - Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates
  3. ETSI TS 102 042 V2.4.1 or later (EVCG policy) - Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates
  4. ETSI TS 102 042 V2.4.1 or later (LCP, NCP, NCP+ policies) - Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates
  5. ETSI TS 101 456 V1.4.3 or later - Electronic Signatures and Infrastructure (ESI); Policy requirements for certification authorities issuing qualified certificates

| EKU | (1) TS 102 042 (DVCP, OVCP, PTC-BR) | (2) TS 102 042 (EVCP, EVCP+) | (3) TS 102 042 (EVCG) | (4) TS 102 042 (LCP, NCP, NCP+) | (5) TS 101 456 |
|---|---|---|---|---|---|
| Server Authentication (non-EV) | X | | | | |
| Server Authentication (non-EV) and Client Authentication only | X | | | | |
| Server Authentication (EV) | | X | | | |
| Server Authentication (EV) and Client Authentication only | | X | | | |
| EV Code Signing | | | X | | |
| Non-EV Code Signing and Time stamping | X | | | X | X |
| Secured Email (S/MIME) | X | | | X | X |
| Client Authentication (without Server Authentication) | X | | | X | X |
| Document Signing | X | | | X | X |
Effective on the next audit period and as required by ETSI, the following audit scheme replaces the prior ETSI TS 102 042 audit schemes listed above.

The five standards referenced in the table are:

  1. EN 319 411-1 V1.1.1 or later (DVCP, OVCP or PTC-BR policies) - Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements
  2. EN 319 411-1 V1.1.1 or later (EVCP or EVCP+ policies) - Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements
  3. EN 319 411-1 V1.1.1 or later (EVCG policy) - Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements
  4. EN 319 411-1 V1.1.1 or later (LCP, NCP, NCP+ policies) - Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements
  5. EN 319 411-2 V2.1.1 or later - Electronic Signatures and Infrastructure (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Requirements for trust service providers issuing EU qualified certificates

| EKU | (1) EN 319 411-1 (DVCP, OVCP, PTC-BR) | (2) EN 319 411-1 (EVCP, EVCP+) | (3) EN 319 411-1 (EVCG) | (4) EN 319 411-1 (LCP, NCP, NCP+) | (5) EN 319 411-2 |
|---|---|---|---|---|---|
| Server Authentication (non-EV) | X | | | | |
| Server Authentication (non-EV) and Client Authentication only | X | | | | |
| Server Authentication (EV) | | X | | | |
| Server Authentication (EV) and Client Authentication only | | X | | | |
| EV Code Signing | | | X | | |
| Non-EV Code Signing and Time stamping | X | | | X | X |
| Secured Email (S/MIME) | X | | | X | X |
| Client Authentication (without Server Authentication) | X | | | X | X |
| Document Signing | X | | | X | X |

3. Government CA Requirements

Effective July 1, 2015, Government CAs may choose to either obtain the above WebTrust or ETSI-based audit(s) required of Commercial CAs, or to use an Equivalent Audit. If a Government CA chooses to obtain a WebTrust or ETSI-based audit, Microsoft will treat the Government CA as a Commercial CA. The Government CA can then operate without limiting the certificates it issues.

A. Equivalent Audit Restrictions

If the Government CA chooses not to use a WebTrust or ETSI audit, it may obtain an Equivalent Audit. In an Equivalent Audit ("EA"), the Government CA selects a third party to perform an audit. The audit has two purposes: (1) to demonstrate that the Government CA complies with local laws and regulations related to certificate authority operation, and (2) to demonstrate that the audit substantially complies with the relevant WebTrust or ETSI standard.

If a Government CA chooses to obtain an EA, Microsoft will limit the scope of certificates that the Government CA may issue. Government CAs that issue server authentication certificates must limit the root to government-controlled domains. Governments must limit the issuance of any other certificates to the ISO 3166 country codes over which the country has sovereign control.

Government CAs must also accept and adopt the appropriate CA/Browser Forum Baseline Requirements for CAs, based on the type of certificates the root issues. However, the Program Requirements and Audit Requirements supersede those requirements in any aspect in which they are in conflict.

Effective June 1, 2015, all Government CAs entering the Program will be subject to the above EA requirements. All Government CAs that are part of the Program prior to June 1, 2015 will be subject to the above EA requirements immediately upon expiration of their then-current audit.

B. Content of the Equivalent Audit Report

Microsoft requires all Government CAs that submit an EA to provide an attestation letter from the auditor that:

  1. Attests that the audit is issued by an independent agency which is authorized by the Government CA's government to conduct the audit;
  2. Lists the Government CA's government's criteria for auditor qualification, and certifies that the auditor meets these criteria;
  3. Lists the particular statutes, rules, and/or regulations that the auditor assessed the Government CA's operations against;
  4. Certifies the Government CA's compliance with the requirements outlined in the named governing statutes, rules, and/or regulations;
  5. Provides information that describes how the statute's requirements are equivalent to the appropriate WebTrust or ETSI audit(s);
  6. Lists Certificate Authorities and third parties authorized by the Government CA to issue certificates on the Government CA's behalf within a certificate chain;
  7. Documents the full PKI hierarchy; and
  8. Provides the start and end date of the audit period.

5. Definitions

Government CA

A “Government CA” is an entity that signs the Government Program Agreement.

Commercial CA

A “Commercial CA” is an entity that signs the Commercial Program Agreement.

Certification Authority

"Certification Authority" or "CA" means an entity that issues digital certificates in accordance with Local Laws and Regulations.

Local Laws and Regulations

"Local Laws and Regulations" means the laws and regulations applicable to a CA under which the CA is authorized to issue digital certificates, which set forth the applicable policies, rules, and standards for issuing, maintaining, or revoking certificates, including audit frequency and procedure.

6. Related