Certification Practice Statement Siemens Issuing CAs
2/25/2022 CT CYS © Siemens AG 2021 Ingenuity for life
Unrestricted / CC BY-SA4.0
Siemens Issuing CA Certification Practice Statement
© Siemens AG 2022 Unrestricted / CC BY-SA4.0 Page 2 / 40
Document History

Version | Date | Author | Change Comment
1.0 | June 10, 2016 | Alexander Winnen, Michael Munzert | First version
1.1 | December 1, 2016 | Rufus Buschart | Minor updated version
1.2 | May 26, 2017 | Rufus Buschart | Update Issuing CAs 2017
1.3 | July 31, 2017 | Björn Hundertmarck | Update with chapter for Certificate Authority Authorization (CAA)
1.4 | December 1, 2017 | Florian Grotz | Revised Certificate Authority Authorization (CAA)
1.5 | January 12, 2018 | Rufus Buschart | Chapter "Document History" added, changed after ballots; Chapter 2.2: link to https://catestsite.siemens.com/ added; Chapter 4.9.1: revocation reasons added; Chapter 4.9.2: who can request a revocation added; Chapter 5: moved to CP
1.6 | January 31, 2018 | Rufus Buschart | Chapter 3.2.2: restructured; Chapter 6.3.2: server certificates clarified; Chapter 6.5.1: 2FA added
1.7 | February 23, 2018 | Rufus Buschart | License changed to CC BY-SA 4.0 as required by Mozilla
1.8 | March 16, 2018 | Rufus Buschart | Chapter 1.1: clarification of Issuing CA list; Chapter 3.2.2.3: additional validation methods
1.9 | December 21, 2018 | Rufus Buschart | Chapter 4.9.1: updated to new requirements from BRGs
1.10 | February 22, 2019 | Rufus Buschart | All chapters: "No stipulations" removed
1.11 | February 10, 2020 | Rufus Buschart | Chapter 1.1: expired ICAs removed; Chapter 3.2.2.3: stop of TLS issuance documented; minor changes
1.12 | February 17, 2020 | Rufus Buschart | Chapter 1.1: 2020 hierarchy added; Chapter 3.2.2.1: removal of TLS domain validation; minor changes
1.13 | July 29, 2021 | Mauricio Fernandez | Minor changes in Chapter 7
1.14 | February 17, 2022 | Rufus Buschart | Minor corrections
This document is reviewed every year, or ad hoc in the event of an important change, according to the Information Security update process for documents. Changes to the CA/Browser Forum Baseline Requirements are reflected in this document after the respective ballot has passed. Each new version is approved by the respective management level before being released.
This document is published at www.siemens.com/pki.

Scope and Applicability
This document constitutes the Certification Practice Statement (CPS) for the Siemens Issuing Certification Authorities (Issuing CAs). Its purpose is to publicly disclose to subscribers and relying parties the business policies and practices under which these Issuing CAs are operated.

Document Status
This document, version 1.14, status Released, has been classified as "Unrestricted" and is licensed under CC BY-SA 4.0.
Role | Name | Department | Date
Author | Various authors, detailed information in document history | |
Checked by | Tobias Lange | Siemens LS | June 10, 2016
Checked by | Florian Grotz | Siemens GS IT HR 7 4 | February 20, 2019
Authorization | Markus Wichmann | Siemens CYS | February 17, 2022
This CPS has been approved by the responsible Siemens information security officer on July 25, 2021.
Table of Content
Scope and Applicability ............................................................................................ 2
Document Status ....................................................................................................... 2
1 Introduction.................................................................................................. 9
1.1 Overview ...................................................................................................................................................... 9
1.2 Document Name and Identification ............................................................................................................... 10
1.3 PKI Participants ........................................................................................................................................... 10
1.3.1 Certification Authorities ...................................................................................................................... 10
1.3.2 Registration Authorities ....................................................................................................................... 10
1.3.3 Subscribers ......................................................................................................................................... 10
1.3.4 Relying Parties .................................................................................................................................... 10
1.3.5 Other participants ............................................................................................................................... 10
1.4 Certificate Usage ......................................................................................................................................... 11
1.4.1 Appropriate Certificate Usage .............................................................................................................. 11
1.4.2 Prohibited Certificate Usage ................................................................................................................. 11
1.5 Policy Administration ................................................................................................................................... 11
1.5.1 Organization Administering the Document ........................................................................................... 11
1.5.2 Contact Person ................................................................................................................................... 11
2 Publication and Repository Responsibilities ............................................... 12
2.1 Repositories ................................................................................................................................................ 12
2.2 Publication of Certification Information ......................................................................................................... 12
2.3 Time or Frequency of Publication .................................................................................................................. 12
2.4 Access Controls on Repositories .................................................................................................................... 12
3 Identification and Authentication .............................................................. 13
3.1 Naming ...................................................................................................................................................... 13
3.1.1 Types of Names .................................................................................................................................. 13
3.1.2 Need of Names to be Meaningful ......................................................................................................... 13
3.1.3 Anonymity or Pseudonymity of Subscribers ........................................................................................... 13
3.1.4 Rules for Interpreting Various Name Forms ........................................................................................... 13
3.1.5 Uniqueness of Names .......................................................................................................................... 13
3.1.6 Recognition, Authentication, and Roles of Trademarks ........................................................................... 13
3.2 Initial Identity Validation .............................................................................................................................. 14
3.2.1 Method to Prove Possession of Private Key ............................................................................................ 14
3.2.2 Identification and Authentication of Organization Identity ..................................................................... 14
3.2.3 Identification and Authentication of Individual Identity .......................................................................... 15
3.2.4 Non-verified Subscriber Information ..................................................................................................... 15
3.2.5 Validation of Authority ........................................................................................................................ 15
3.2.6 Criteria for Interoperation between Communities of Trusts ..................................................................... 15
3.3 Identification and Authentication for Re-key Requests .................................................................................... 15
3.4 Identification and Authentication for Revocation Requests .............................................................................. 15
4 Certificate Lifecycle Operational Requirements ......................................... 16
4.1 Certificate Application ................................................................................................................................. 16
4.1.1 Who can submit a certificate application? ............................................................................................. 16
4.1.2 Enrollment Process and Responsibilities ................................................................................................ 16
4.2 Certificate Application Processing ................................................................................................................. 17
4.2.1 Performing identification and authentication functions ......................................................................... 17
4.2.2 Approval or Rejection of Certificate Applications ................................................................................... 17
4.2.3 Time to Process Certificate Applications ................................................................................................ 17
4.2.4 Certificate Authority Authorization (CAA) ............................................................................................. 17
4.3 Certificate Issuance...................................................................................................................................... 17
4.3.1 Issuing CA actions during Certificate issuance ....................................................................................... 17
4.3.2 Notification to Subscriber by the CA of Certificate issuance .................................................................... 17
4.4 Certificate Acceptance ................................................................................................................................. 17
4.4.1 Conduct constituting Certificate acceptance ......................................................................................... 17
4.4.2 Publication of the Certificate by the CA ................................................................................................. 17
4.4.3 Notification of Certificate issuance by the CA to other entities ................................................................ 17
4.5 Key Pair and Certificate Usage ...................................................................................................................... 18
4.5.1 Subject Private Key and Certificate Usage .............................................................................................. 18
4.5.2 Relying Party Public Key and Certificate Usage ....................................................................................... 18
4.6 Certificate Renewal ...................................................................................................................................... 18
4.6.1 Circumstance for Certificate Renewal ................................................................................................... 18
4.6.2 Who may request renewal? .................................................................................................................. 18
4.6.3 Processing Certificate Renewal Request ................................................................................................ 18
4.6.4 Notification of new Certificate Issuance to Subject ................................................................................ 18
4.6.5 Conduct Constituting Acceptance of a Renewal Certificate ..................................................................... 18
4.6.6 Publication of the Renewal Certificate by the CA ................................................................................... 18
4.6.7 Notification of Certificate Issuance by the CA to the Entities ................................................................... 18
4.7 Certificate Re-key......................................................................................................................................... 18
4.7.1 Circumstances for Certificate Re-key ..................................................................................................... 19
4.7.2 Who may request certification of a new Public Key? ............................................................................... 19
4.7.3 Processing Certificate Re-keying Requests ............................................................................................. 19
4.7.4 Notification of new Certificate Issuance to Subscriber ............................................................................ 19
4.7.5 Conduct Constituting Acceptance of a Re-keyed Certificate .................................................................... 19
4.7.6 Publication of the Re-keyed Certificate by the CA ................................................................................... 19
4.7.7 Notification of Certificate Issuance by the CA to other Entities ................................................................ 19
4.8 Certificate Modification................................................................................................................................ 19
4.9 Certificate Revocation and Suspension .......................................................................................................... 20
4.9.1 Circumstances for Revocation .............................................................................................................. 20
4.9.2 Who can request revocation? ............................................................................................................... 20
4.9.3 Procedure for Revocation Request ........................................................................................................ 21
4.9.4 Revocation Request Grace Period ......................................................................................................... 21
4.9.5 Time within which CA must Process the Revocation Request .................................................................. 21
4.9.6 Revocation Checking Requirement for Relying Parties ............................................................................ 21
4.9.7 CRL Issuance Frequency ....................................................................................................................... 21
4.9.8 Maximum Latency for CRLs .................................................................................................................. 21
4.9.9 On-line Revocation Checking Requirements .......................................................................................... 21
4.9.10 Other Forms of Revocation Advertisements Available ............................................................................ 21
4.9.11 Special Requirements for Private Key Compromise ................................................................................. 21
4.9.12 Circumstances for Suspension .............................................................................................................. 21
4.10 Certificate Status Services ........................................................................................................................ 21
4.10.1 Operational Characteristics .................................................................................................................. 21
4.10.2 Service Availability .............................................................................................................................. 21
4.10.3 Optional Features ............................................................................................................................... 21
4.11 End of Subscription ................................................................................................................................. 21
4.12 Key Escrow and Recovery ......................................................................................................................... 22
5 Management, Operational, and Physical Controls ..................................... 23
5.1 Physical Security Controls ............................................................................................................................. 23
5.1.1 Site Location and Construction ............................................................................................................ 23
5.1.2 Physical Access ................................................................................................................................... 23
5.1.3 Power and Air Conditioning ................................................................................................................. 23
5.1.4 Water Exposure ................................................................................................................................... 23
5.1.5 Fire Prevention and Protection ............................................................................................................. 23
5.1.6 Media Storage .................................................................................................................................... 23
5.1.7 Waste Disposal.................................................................................................................................... 23
5.1.8 Off-site Backup ................................................................................................................................... 23
5.2 Procedural Controls ..................................................................................................................................... 23
5.2.1 Trusted Roles ...................................................................................................................................... 23
5.2.2 Numbers of Persons Required per Task .................................................................................................. 23
5.2.3 Identification and Authentication for each Role ..................................................................................... 23
5.2.4 Roles Requiring Separation of Duties .................................................................................................... 23
5.3 Personnel Security Controls .......................................................................................................................... 24
5.3.1 Qualifications, Experience and Clearance Requirements ......................................................................... 24
5.3.2 Background Check Procedures .............................................................................................................. 24
5.3.3 Training Requirements ........................................................................................................................ 24
5.3.4 Retraining Frequency and Requirements ............................................................................................... 24
5.3.5 Job Rotation Frequency and Sequence .................................................................................................. 24
5.3.6 Sanctions for Unauthorized Actions ...................................................................................................... 24
5.3.7 Independent Contractor Requirements ................................................................................................. 24
5.3.8 Documents Supplied to Personnel ........................................................................................................ 24
5.4 Audit Logging Procedures............................................................................................................................. 24
5.4.1 Types of Events Recorded .................................................................................................................... 24
5.4.2 Frequency of Processing Audit Logging Information .............................................................................. 24
5.4.3 Retention Period for Audit Logging Information..................................................................................... 24
5.4.4 Protection of Audit Logs ...................................................................................................................... 24
5.4.5 Backup Procedures for Audit Logging Information ................................................................................. 24
5.4.6 Collection System for Monitoring Information (internal or external) ........................................................ 24
5.4.7 Notification to Event-causing Subject ................................................................................................... 24
5.4.8 Vulnerability Assessments ................................................................................................................... 25
5.5 Records Archival .......................................................................................................................................... 25
5.5.1 Types of Records Archived ................................................................................................................... 25
5.5.2 Retention Period for Archived Audit Logging Information ....................................................................... 25
5.5.3 Protection of Archived Audit Logging Information ................................................................................. 25
5.5.4 Archive Backup Procedures .................................................................................................................. 25
5.5.5 Requirements for Time-Stamping of Record .......................................................................................... 25
5.5.6 Archive Collection System (internal or external) .................................................................................... 25
5.5.7 Procedures to Obtain and Verify Archived Information ........................................................................... 25
5.6 Key Changeover .......................................................................................................................................... 25
5.7 Compromise and Disaster Recovery ............................................................................................................... 26
5.7.1 Incident and Compromise Handling Procedures ..................................................................................... 26
5.7.2 Corruption of Computing Resources, Software, and/or Data ................................................................... 26
5.7.3 Entity Private Key Compromise Procedures ............................................................................................ 26
5.7.4 Business Continuity Capabilities After a Disaster .................................................................................... 26
5.8 CA Termination ........................................................................................................................................... 26
6 Technical Security Controls ........................................................................ 27
6.1 Key Pair Generation and Installation .............................................................................................................. 27
6.1.1 Key Pair Generation ............................................................................................................................. 27
6.1.2 Private Key Delivery to Subject ............................................................................................................. 27
6.1.3 Public Key Delivery to Certificate Issuer ................................................................................................. 27
6.1.4 CA Public Key delivery Relying Parties ................................................................................................... 28
6.1.5 Key Sizes ............................................................................................................................................ 28
6.1.6 Public Key Parameters Generation and Quality Checking ........................................................................ 28
6.1.7 Key Usage Purposes ............................................................................................................................ 28
6.2 Private Key Protection and Cryptographic Module Engineering Controls ........................................................... 28
6.2.1 Cryptographic Module Standards and Controls ...................................................................................... 28
6.2.2 Private Key (n out of m) Multi-person Control ........................................................................................ 28
6.2.3 Private Key Escrow .............................................................................................................................. 28
6.2.4 Private Key Backup .............................................................................................................................. 28
6.2.5 Private Key Archival ............................................................................................................................. 28
6.2.6 Private Key Transfer into or from a Cryptographic Module ...................................................................... 28
6.2.7 Storage of Private Keys on the Cryptographic Module ............................................................................ 28
6.2.8 Method of Activating Private Key .......................................................................................................... 29
6.2.9 Method of Deactivating Private Key ...................................................................................................... 29
6.2.10 Method of Destroying Private Key ......................................................................................................... 29
6.2.11 Cryptographic Module Rating............................................................................................................... 29
6.3 Other Aspects of Key Pair Management ......................................................................................................... 29
6.3.1 Public Key Archival .............................................................................................................................. 29
6.3.2 Certificate Operational Periods and Key Pair Usage Periods ..................................................................... 29
6.4 Activation Data ............................................................................................................................................ 30
6.4.1 Activation Data Generation and Installation .......................................................................................... 30
6.4.2 Activation Data Protection ................................................................................................................... 30
6.4.3 Other Aspects of Activation Data .......................................................................................................... 30
6.5 Computer Security Controls .......................................................................................................................... 30
6.6 Life Cycle Security Controls........................................................................................................................... 30
6.6.1 System Development Controls ............................................................................................................. 30
6.6.2 Security Management Controls ............................................................................................................ 30
6.6.3 Life Cycle of Security Controls .............................................................................................................. 31
6.7 Network Security Controls ............................................................................................................................ 31
6.8 Time Stamp Process ..................................................................................................................................... 31
7 Certificate, CRL, and OCSP Profiles ............................................................. 32
7.1 Certificate Profile ......................................................................................................................................... 32
7.1.1 Version Number .................................................................................................................................. 32
7.1.2 Certificate Extensions .......................................................................................................................... 32
7.1.3 Algorithm Object Identifiers ................................................................................................................. 33
7.1.4 Name Forms ....................................................................................................................................... 33
7.1.5 Name Constraints ............................................................................................................................... 35
7.1.6 Certificate Policy Object Identifier ........................................................................................................ 35
7.1.7 Usage of Policy Constraints Extension ................................................................................................... 35
7.1.8 Policy Qualifiers Syntax and Semantics ................................................................................................. 35
7.1.9 Processing Semantics for the Critical Certificate Policies Extension .......................................................... 35
7.2 CRL Profile .................................................................................................................................................. 36
7.2.1 Version Number .................................................................................................................................. 36
7.2.2 CRL and CRL Entry Extensions .............................................................................................................. 36
7.3 OCSP Profile ................................................................................................................................................ 36
7.3.1 Version Number .................................................................................................................................. 36
7.3.2 OCSP Extensions ................................................................................................................................. 36
8 Compliance Audit and Other Assessment .................................................. 37
9 Other Business and Legal Matters .............................................................. 38
10 References .................................................................................................. 39
Annex A: Acronyms and Definitions ......................................................................... 40
A.1 Definitions ..................................................................................................................................................... 40
A.2 Abbreviations ................................................................................................................................................. 40
1 Introduction
This document has been structured according to RFC 3647 “Internet X.509 Public Key Infrastructure: Certificate Policy and Certification Practices Framework” (Nov 2003) [RFC3647].
1.1 Overview
This Certification Practice Statement (CPS) defines
• measures and procedures in the context of the Certification Services performed by the Siemens Issuing CAs
• minimum requirements demanded from all PKI participants
The CPS details the procedures and controls in place to meet the CP requirements. For identical topics, the respective chapter in the CP is referenced.
If new Issuing CAs are introduced in the future, additional CPS documents may be created to cover special requirements.
The picture of the Siemens PKI hierarchy can be found in the Siemens Root CA CPS.
The following table lists the currently operated Issuing CAs as well as the requirements upon their issued certificates
according to [ETSI EN TS 319 411-1] including the respective secure devices. Minimum requirement is NCP.
Issuing CA | Expiry date | Requirements for issued certificates (ETSI quality level: NCP+ / OVCP / DVCP) | Secure device (SmartCard / SmartPhone / HSM / NwSC)
ZZZZZZB2 Siemens Issuing CA EE Auth 2020 | 29/6/2026 | X X
ZZZZZZB3 Siemens Issuing CA EE Enc 2020 | 29/6/2026 | X X X X
ZZZZZZBD Siemens Issuing CA EE Network Smartcard Auth 2020 | 29/6/2026 | X X
ZZZZZZB6 Siemens Issuing CA Medium Strength Authentication 2020 | 29/6/2026 |
ZZZZZZD3_Siemens_Issuing_CA_EE_Enc_2021 | 28/7/2025 | X X X X
ZZZZZZD2_Siemens_Issuing_CA_EE_Auth_2021 | 28/7/2025 | X X
ZZZZZZDD_Siemens_Issuing_CA_EE_Network_Smartcard_Auth_2021 | 28/7/2025 | X X
ZZZZZZD6_Siemens_Issuing_CA_Medium_Strength_Authentication_2021 | 28/7/2025 |
ZZZZZZVN Siemens Issuing CA Class PGP | |
Table 1: Issuing CA Implementation of ETSI requirements
Siemens Issuing CAs issue Certificates to the below-specified groups of End Entities or class of applications with common
security requirements (“Communities”).
For Siemens PKI the following Communities exist:
• Siemens Employee (S-E)
• Functional Group (FG)
• Business Partner (BP)
• Device (e.g. Server - SRV)
1.2 Document Name and Identification
This CPS is referred to as the ‘Certification Practice Statement of Siemens Issuing CAs’.
Title: Certification Practice Statement of Siemens Issuing CAs
OID: 1.3.6.1.4.1.4329.99.2.2.1.14.0
Expiration: This version of the document is the most current one until a subsequent release is published.
1.3 PKI Participants
PKI Participants are Siemens Certification Authorities, Registration Authorities, Subjects, and Relying Parties.
1.3.1 Certification Authorities
Specified in the Certificate Policy.
CN Issuing CA | Serial Number | Fingerprint (SHA-256)
Siemens Issuing CA EE Auth 2020 | 1612481459 | 54ad4835f53a97359b8fcfed3673b789e02d6aba
Siemens Issuing CA EE Enc 2020 | 1193594809 | 87e3400cf7134307703bf3b5877bf7bba20a1b8b
Siemens Issuing CA EE Network Smartcard Auth 2020 | 423179014 | 39c3d2eec1dab87543a4530a64336305c4609b56
Siemens Issuing CA Medium Strength Authentication 2020 | 2087201717 | 5fb4053eeed694159f2572590a82d51ebefb532d
Siemens_Issuing_CA_EE_Enc_2021 | 106386579513637954659413881725686618472 | f876cb6e92dc1331bcd21502ed7684aeceffb634
Siemens_Issuing_CA_EE_Auth_2021 | 89533796050945642830274626805501525289 | 0a1fc331077933449ef400c2987bc28221b41af2
Siemens_Issuing_CA_EE_Network_Smartcard_Auth_2021 | 113004485407376788807553538973532531607 | 3ec109f818c158a6632a4e331a282294cf687f88
Siemens_Issuing_CA_Medium_Strength_Authentication_2021 | 5b4455b948679b326df9fce067116f13ce02e4df | 16e588c0d5a71353cd95b045cf60c009f55cf4d6
Siemens Issuing CA Class PGP | |
1.3.2 Registration Authorities
Specified in the Certificate Policy.
1.3.3 Subscribers
Specified in the Certificate Policy.
1.3.4 Relying Parties
Specified in the Certificate Policy.
1.3.5 Other participants
Specified in the Certificate Policy.
1.4 Certificate Usage
1.4.1 Appropriate Certificate Usage
Specified in the Certificate Policy.
1.4.2 Prohibited Certificate Usage
Specified in the Certificate Policy.
1.5 Policy Administration
1.5.1 Organization Administering the Document
Specified in the Certificate Policy.
1.5.2 Contact Person
Specified in the Certificate Policy.
2 Publication and Repository Responsibilities
2.1 Repositories
Specified in the Certificate Policy.
2.2 Publication of Certification Information
Specified in the Certificate Policy.
2.3 Time or Frequency of Publication
Specified in the Certificate Policy.
2.4 Access Controls on Repositories
Specified in the Certificate Policy.
3 Identification and Authentication
3.1 Naming
3.1.1 Types of Names
Specified in the Certificate Policy.
3.1.2 Need of Names to be Meaningful
Specified in the Certificate Policy.
3.1.3 Anonymity or Pseudonymity of Subscribers
Specified in the Certificate Policy.
3.1.4 Rules for Interpreting Various Name Forms
Specified in the Certificate Policy.
3.1.5 Uniqueness of Names
Specified in the Certificate Policy.
3.1.6 Recognition, Authentication, and Roles of Trademarks
Specified in the Certificate Policy.
3.2 Initial Identity Validation
3.2.1 Method to Prove Possession of Private Key
Specified in the Certificate Policy.
3.2.2 Identification and Authentication of Organization Identity
3.2.2.1 Identity and Country
All certificates are issued with the following information as part of the Subject Distinguished Name:
For the Siemens 2020 Hierarchy and before:
• O = Siemens
• L = Muenchen
• S = Bayern
• C = DE
For the Siemens 2021 Hierarchy:
• O = Siemens
• S = Bayern
• C = DE
3.2.2.2 Identification and authentication of Organizations
All certificates are issued with the subject organization Siemens as stated in 3.2.2.1. The information is verified according to the business registration München, HRB 6684; WEEE-Reg.-Nr. DE 23691322, and is authorized by Siemens management.
Certificates are not issued for legal entities. Siemens AG acts as the RA and authenticates the organizations that are named in the certificate. This means that the only organization entry permitted in the DN field “O” is “Siemens” for the CAs of Siemens AG. Since the registered office of the organization (“Siemens”) is relevant for the DN fields “C” and “S”, the only values permitted for these entries are “C”=“DE” and “S”=“Bayern”.
For the Siemens 2016 and 2020 Hierarchies the Locality attribute “L”=“Muenchen” is additionally permitted.
3.2.2.3 DBA / Tradename
No DBA / Tradename other than “Siemens” is to be included in a server certificate.
3.2.2.4 Validation of Domain Authorization or Control
Siemens CA only issues certificates for domains that are controlled by the Siemens Community. Siemens CA performs the validation of domain authorization. Siemens CA sends emails with a 64-character string (“Random Value”) consisting of upper and lower case characters and digits to the Domain Contacts according to the WHOIS record (3.2.2.4.2) and to the constructed email addresses (3.2.2.4.4) of every FQDN to validate. The Random Value is different for every receiver.
If one of the Domain Contacts approves the domain validation request by transmitting the Random Value back to the Siemens CA via a web site, the domain is validated. Siemens CA stopped the issuance of publicly trusted TLS certificates on October 15th, 2019.
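The Random Value challenge described above, as an added example that is not Siemens CA code: a 64-character value from the upper/lower/digit alphabet is generated per receiver, sent to the WHOIS Domain Contacts and to the constructed addresses of each FQDN, and the FQDN counts as validated once any receiver submits its own value back through the web site. The constructed local parts follow CA/B Forum BR 3.2.2.4.4; the mail sender, the WHOIS data and the challenge lifetime are assumptions.

```python
"""Per-receiver Random Value domain-control challenge (added example).

Models the procedure of section 3.2.2.4. WHOIS lookup and e-mail
delivery are injected callables so the flow runs offline on
constructed data.
"""
import hmac
import secrets
import string
import time

# Alphabet named in the CPS: upper and lower case characters and digits.
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits
RANDOM_VALUE_LENGTH = 64          # 62**64 > 2**380 possible values
# Local parts of the constructed addresses (CA/B Forum BR 3.2.2.4.4);
# assumption: the CPS reference to 3.2.2.4.4 means this method.
CONSTRUCTED_LOCAL_PARTS = ("admin", "administrator", "webmaster",
                           "hostmaster", "postmaster")
VALIDITY_SECONDS = 30 * 24 * 3600  # assumption: how long a value stays usable


def generate_random_value(length=RANDOM_VALUE_LENGTH):
    """CSPRNG-backed value drawn only from ALPHABET."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def constructed_addresses(fqdn):
    """Constructed e-mail addresses for one FQDN."""
    return [f"{local}@{fqdn}" for local in CONSTRUCTED_LOCAL_PARTS]


class DomainValidator:
    def __init__(self, whois_contacts, send_mail, now=time.time):
        self._whois = whois_contacts   # fqdn -> list of Domain Contact addresses
        self._send = send_mail         # callable(recipient, fqdn, random_value)
        self._now = now
        self._pending = {}             # fqdn -> {recipient: (value, issued_at)}
        self.validated = set()

    def issue_challenges(self, fqdn):
        """Send a distinct Random Value to every receiver for this FQDN."""
        recipients = list(dict.fromkeys(
            list(self._whois.get(fqdn, [])) + constructed_addresses(fqdn)))
        issued_at = self._now()
        per_recipient = {}
        for recipient in recipients:
            value = generate_random_value()    # different for every receiver
            per_recipient[recipient] = (value, issued_at)
            self._send(recipient, fqdn, value)
        self._pending[fqdn] = per_recipient
        return recipients

    def approve(self, fqdn, submitted):
        """Web-site handler: a Domain Contact returns the value it received.

        Returns True and marks the FQDN validated if the submitted value
        matches any unexpired outstanding value for that FQDN. All values
        for the FQDN are retired after a successful approval (single use).
        """
        if not isinstance(submitted, str) or len(submitted) != RANDOM_VALUE_LENGTH:
            return False
        for value, issued_at in self._pending.get(fqdn, {}).values():
            if self._now() - issued_at > VALIDITY_SECONDS:
                continue                       # expired challenge
            if hmac.compare_digest(value, submitted):   # constant-time compare
                self.validated.add(fqdn)
                del self._pending[fqdn]
                return True
        return False


if __name__ == "__main__":
    outbox = []   # constructed stand-in for the mail transport
    validator = DomainValidator(
        {"www.example.test": ["dns-admin@example.test"]},   # constructed WHOIS data
        lambda recipient, fqdn, value: outbox.append((recipient, fqdn, value)))
    validator.issue_challenges("www.example.test")
    print(len(outbox), "challenges sent;",
          "validated" if validator.approve("www.example.test", outbox[0][2]) else "rejected")
```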
3.2.2.5 Wildcard Domain Validation
Siemens CA stopped the issuance of publicly trusted TLS certificates on October 15th, 2019.
3.2.3 Identification and Authentication of Individual Identity
3.2.3.1 End Entity Names
EE Certificates contain commonly understood names permitting the determination of the identity of the individual. Natural persons must provide unambiguous proof of their identity. Natural persons are identified and authenticated in the control sphere of the subscriber acting as the RA. The attributes First Name, Last Name, GID and E-Mail address are based directly on an entry in the Corporate Directory, which in turn is based on HR processes or on sponsorship by an employee of Siemens or a subsidiary or an affiliate. “E-Mail” is based on the e-mail address assigned in the Corporate Directory, which is in the control sphere of the subscriber acting as the RA. Only mail domains under the control of Siemens, its subsidiaries and affiliates and divested entities, as reflected by the name constraints of the Issuing CA, are permitted. SmartCards are only handed over after unambiguous proof of the holder’s identity by the RA or its representatives.
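An added example (not Siemens CA code) of the name-constraint check the paragraph above refers to: the rfc822Name permitted and excluded subtrees of an Issuing CA, evaluated with the RFC 5280 section 4.2.1.10 matching rules, decide which mail domains may appear in an end-entity certificate. The constraint values and mailboxes below are constructed placeholders.

```python
"""rfc822Name name-constraint evaluation for e-mail SANs (added example).

RFC 5280 4.2.1.10 forms of an rfc822Name constraint:
  "user@host"  one particular mailbox
  "host"       every mailbox on exactly that host
  ".domain"    every mailbox on any host within domain (not domain itself)
The domain part is compared case-insensitively; the local part is compared
as given. Excluded subtrees take precedence over permitted subtrees.
"""


def rfc822_matches(constraint, address):
    """True if the mailbox `address` lies in the subtree `constraint`."""
    if "@" not in address:
        return False
    local, _, host = address.rpartition("@")
    host = host.lower()
    if "@" in constraint:                              # a particular mailbox
        c_local, _, c_host = constraint.rpartition("@")
        return c_local == local and c_host.lower() == host
    c = constraint.lower()
    if c.startswith("."):                              # any host within the domain;
        return host.endswith(c)                        # "domain" itself has no leading dot, so it does not match
    return host == c                                   # every mailbox on exactly that host


def email_permitted(address, permitted, excluded=()):
    """Apply the CA's rfc822Name subtrees to one address.

    With no permitted rfc822Name subtrees, any name is allowed unless excluded,
    which mirrors how NameConstraints is interpreted per name type.
    """
    if any(rfc822_matches(c, address) for c in excluded):
        return False
    if not permitted:
        return True
    return any(rfc822_matches(c, address) for c in permitted)


def rejected_emails(addresses, permitted, excluded=()):
    """Addresses from a certificate request that the Issuing CA must not certify."""
    return [a for a in addresses if not email_permitted(a, permitted, excluded)]


if __name__ == "__main__":
    # Constructed placeholders; the real values come from the Issuing CA certificate.
    permitted = [".siemens.example", "siemens.example"]
    excluded = ["contractor.siemens.example"]
    request = ["Jane.Doe@siemens.example", "jdoe@mail.siemens.example",
               "jdoe@contractor.siemens.example", "jdoe@notsiemens.example"]
    print("rejected:", rejected_emails(request, permitted, excluded))
```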
3.2.4 Non-verified Subscriber Information
Specified in the Certificate Policy.
3.2.5 Validation of Authority
Specified in the Certificate Policy.
3.2.6 Criteria for Interoperation between Communities of Trusts
Specified in the Certificate Policy.
3.3 Identification and Authentication for Re-key Requests
Specified in the Certificate Policy.
3.4 Identification and Authentication for Revocation Requests
Specified in the Certificate Policy.
4 Certificate Lifecycle Operational Requirements
The table below sets forth the responsibilities for each type of Subscriber and Certificate (Authentication/Digital Signatures (“A/D Certificate”); Encryption (“E Certificate”); and Server Certificate (“S Certificate”)). For End Entity Certificates, Siemens Issuing CA does not provide “Renewal” and “Modification” operations, because these are covered by the “Re-key” process.
Abbreviations: “End Entity” = EE; “Authorized Party” = AP; “Siemens Sponsor” = SS; PKI Self Service = PKISS
Certificate holder: Community | Subscriber (Certificates) || Certificate lifecycle: Initial Application | Renewal | Re-Key | Modification | Revocation
Siemens Community | Siemens Employee (A/D Certificate, E Certificate, EFS Certificate) || AP via RA | Not performed | EE or AP via RA or MyPKI | Not performed | EE or AP via RA or MyPKI (only for E Cert)
Siemens Community | Siemens Functional Group (A/D Certificate, E Certificate, Code Signing) || AP via RA | Not performed | AP or SS via RA | Not performed | AP or SS via RA
Business Partner Community | Business Partner (A/D Certificate, E Certificate, Multi Purpose Certificate) || SS or AP via RA | Not performed | EE, or AP via RA or MyPKI | Not performed | AP or SS via RA and EE via MyPKI
Table 2: Certificate lifecycle for Siemens Issuing CAs
4.1 Certificate Application
4.1.1 Who can submit a certificate application?
Members of the Siemens Community and Business Partner Community can act as Certificate Applicants.
4.1.2 Enrollment Process and Responsibilities
Specified in the Certificate Policy.
4.2 Certificate Application Processing
4.2.1 Performing identification and authentication functions
Specified in the Certificate Policy.
4.2.2 Approval or Rejection of Certificate Applications
Specified in the Certificate Policy.
4.2.3 Time to Process Certificate Applications
Specified in the Certificate Policy.
4.2.4 Certificate Authority Authorization (CAA)
Specified in the Certificate Policy.
4.3 Certificate Issuance
4.3.1 Issuing CA actions during Certificate issuance
Specified in the Certificate Policy.
4.3.2 Notification to Subscriber by the CA of Certificate issuance
Specified in the Certificate Policy.
4.4 Certificate Acceptance
4.4.1 Conduct constituting Certificate acceptance
Specified in the Certificate Policy.
4.4.2 Publication of the Certificate by the CA
Subscriber Certificates will be published in the Repository according to the following table.
Repository (classification) | Siemens SCD (internal) | Siemens AD (internal) | External Repository (external)
Authentication Certificates | No | No | No
Encryption Certificates | Yes | Yes | Yes
Multipurpose Certificates | No | No | Yes
EFS Certificates | No | No | No
Code Signing Certificates | No | No | No
Server Certificates | No | No | No
Table 3: Publication of Subscriber Certificates
4.4.3 Notification of Certificate issuance by the CA to other entities
Specified in the Certificate Policy.
4.5 Key Pair and Certificate Usage
4.5.1 Subject Private Key and Certificate Usage
For the Siemens Community Subjects (Siemens employees and Functional Groups): the Siemens Issuing CAs or the respective RAs have the responsibility of informing each Subject of these responsibilities and of any applicable limitations on the use of Certificates and Key Pairs imposed by Siemens-internal policies, in accordance with the employment law and practice governing the respective RA.
For the Business Partner Community Subjects who are individuals and independent contractors: the Siemens Sponsor or its RA is responsible for informing Subjects of these responsibilities and of any such limitations on use imposed by Siemens-internal policies, in accordance with employment law and practice. For the Business Partner Community Subjects who are employees or agents of legal entities that are Business Partners, the respective RA of the Business Partner has the responsibility of informing each Subject of these responsibilities and of any applicable limitations on use imposed by the Business Partner-internal policies, in accordance with the employment law and practice governing the respective RA.
For the Server Community Subjects: the Siemens Issuing CAs or the respective RAs have the responsibility of informing each Subject of these responsibilities and of any applicable limitations on the use of Certificates and Key Pairs imposed by Siemens-internal policies, in accordance with the employment law and practice governing the respective RA.
4.5.2 Relying Party Public Key and Certificate Usage
Specified in the Certificate Policy.
4.6 Certificate Renewal
Specified in the Certificate Policy.
4.6.1 Circumstance for Certificate Renewal
Specified in the Certificate Policy.
4.6.2 Who may request renewal?
Specified in the Certificate Policy.
4.6.3 Processing Certificate Renewal Request
Specified in the Certificate Policy.
4.6.4 Notification of new Certificate Issuance to Subject
Specified in the Certificate Policy.
4.6.5 Conduct Constituting Acceptance of a Renewal Certificate
Specified in the Certificate Policy.
4.6.6 Publication of the Renewal Certificate by the CA
Specified in the Certificate Policy.
4.6.7 Notification of Certificate Issuance by the CA to the Entities
Specified in the Certificate Policy.
4.7 Certificate Re-key
Specified in the Certificate Policy.
4.7.1 Circumstances for Certificate Re-key
Specified in the Certificate Policy.
4.7.2 Who may request certification of a new Public Key?
Specified in the Certificate Policy.
4.7.3 Processing Certificate Re-keying Requests
Specified in the Certificate Policy.
4.7.4 Notification of new Certificate Issuance to Subscriber
Specified in the Certificate Policy.
4.7.5 Conduct Constituting Acceptance of a Re-keyed Certificate
Specified in the Certificate Policy.
4.7.6 Publication of the Re-keyed Certificate by the CA
Specified in the Certificate Policy.
4.7.7 Notification of Certificate Issuance by the CA to other Entities
Specified in the Certificate Policy.
4.8 Certificate Modification
Specified in the Certificate Policy.
4.9 Certificate Revocation and Suspension
4.9.1 Circumstances for Revocation
Siemens CA shall revoke a Certificate within 24 hours if one or more of the following occurs:
I. The Subscriber requests in writing that Siemens CA revokes the Certificate;
II. The Subscriber notifies Siemens CA that the original certificate request was not authorized and does not retroactively grant authorization;
III. Siemens CA obtains evidence that the Subscriber's Private Key corresponding to the Public Key in the Certificate suffered a Key Compromise;
IV. Siemens CA is made aware of a demonstrated or proven method that can easily compute the Subscriber's Private Key based on the Public Key in the Certificate (such as a Debian weak key, see https://wiki.debian.org/SSLkeys);
V. Siemens CA obtains evidence that the validation of domain authorization or control for any Fully-Qualified Domain Name, e-mail address or IP address in the Certificate should not be relied upon.
Siemens CA should revoke a certificate within 24 hours and must revoke a Certificate within 5 days if one or more of the following occurs:
I. The Certificate no longer complies with the requirements of Sections 6.1.5 and 6.1.6;
II. Siemens CA obtains evidence that the Certificate was misused;
III. Siemens CA is made aware that a Subscriber has violated one or more of its material obligations under the Subscriber Agreement or Terms of Use;
IV. Siemens CA is made aware of any circumstance indicating that use of a Fully-Qualified Domain Name or IP address in the Certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a Domain Name Registrant's right to use the Domain Name, a relevant licensing or services agreement between the Domain Name Registrant and the Applicant has terminated, or the Domain Name Registrant has failed to renew the Domain Name);
V. Siemens CA is made aware that a Wildcard Certificate has been used to authenticate a fraudulently misleading subordinate Fully-Qualified Domain Name;
VI. Siemens CA is made aware of a material change in the information contained in the Certificate;
VII. Siemens CA is made aware that the Certificate was not issued in accordance with these Requirements or Siemens CA's Certificate Policy or Certification Practice Statement;
VIII. Siemens CA determines or is made aware that any of the information appearing in the Certificate is inaccurate;
IX. Siemens CA's right to issue Certificates under these Requirements expires or is revoked or terminated, unless Siemens CA has made arrangements to continue maintaining the CRL/OCSP Repository;
X. Revocation is required by Siemens CA's Certificate Policy and/or Certification Practice Statement; or
XI. Siemens CA is made aware of a demonstrated or proven method that exposes the Subscriber's Private Key to compromise or if there is clear evidence that the specific method used to generate the Private Key was flawed.
4.9.2 Who can request revocation?
The following entities may request revocation of an End Entity Certificate.
• The Subscriber, RA, or Issuing CA can initiate revocation.
• Additionally, Subscribers, Relying Parties, Application Software Suppliers, and other third parties may submit Certificate Problem Reports informing the issuing CA of reasonable cause to revoke the certificate.
• Only duly authorized representatives of the organization (i.e., Authorized Party or Siemens Sponsor, CP/CPS §4.1.1) may request the revocation of Certificates issued to the organization.
4.9.3 Procedure for Revocation Request
Specified in the Certificate Policy.
4.9.4 Revocation Request Grace Period
Specified in the Certificate Policy.
4.9.5 Time within which CA must Process the Revocation Request
Specified in the Certificate Policy.
4.9.6 Revocation Checking Requirement for Relying Parties
Specified in the Certificate Policy.
4.9.7 CRL Issuance Frequency
Specified in the Certificate Policy.
4.9.8 Maximum Latency for CRLs
Specified in the Certificate Policy.
4.9.9 On-line Revocation Checking Requirements
Specified in the Certificate Policy.
4.9.10 Other Forms of Revocation Advertisements Available
Specified in the Certificate Policy.
4.9.11 Special Requirements for Private Key Compromise
Specified in the Certificate Policy.
4.9.12 Circumstances for Suspension
Specified in the Certificate Policy.
4.10 Certificate Status Services
4.10.1 Operational Characteristics
Specified in the Certificate Policy.
4.10.2 Service Availability
Specified in the Certificate Policy.
4.10.3 Optional Features
Specified in the Certificate Policy.
4.11 End of Subscription
Specified in the Certificate Policy.
4.12 Key Escrow and Recovery
Specified in the Certificate Policy.
5 Management, Operational, and Physical Controls
Specified in the Root CA CPS.
5.1 Physical Security Controls
5.1.1 Site Location and Construction
Specified in the Certificate Policy.
5.1.2 Physical Access
Specified in the Certificate Policy.
5.1.3 Power and Air Conditioning
Specified in the Certificate Policy.
5.1.4 Water Exposure
Specified in the Certificate Policy.
5.1.5 Fire Prevention and Protection
Specified in the Certificate Policy.
5.1.6 Media Storage
Specified in the Certificate Policy.
5.1.7 Waste Disposal
Specified in the Certificate Policy.
5.1.8 Off-site Backup
Specified in the Certificate Policy.
5.2 Procedural Controls
5.2.1 Trusted Roles
Specified in the Certificate Policy.
5.2.2 Numbers of Persons Required per Task
Specified in the Certificate Policy.
5.2.3 Identification and Authentication for each Role
Specified in the Certificate Policy.
5.2.4 Roles Requiring Separation of Duties
Specified in the Certificate Policy.
5.3 Personnel Security Controls
5.3.1 Qualifications, Experience and Clearance Requirements
Specified in the Certificate Policy.
5.3.2 Background Check Procedures
Specified in the Certificate Policy.
5.3.3 Training Requirements
Specified in the Certificate Policy.
5.3.4 Retraining Frequency and Requirements
Specified in the Certificate Policy.
5.3.5 Job Rotation Frequency and Sequence
Specified in the Certificate Policy.
5.3.6 Sanctions for Unauthorized Actions
Specified in the Certificate Policy.
5.3.7 Independent Contractor Requirements
Specified in the Certificate Policy.
5.3.8 Documents Supplied to Personnel
Specified in the Certificate Policy.
5.4 Audit Logging Procedures
Specified in the Certificate Policy.
5.4.1 Types of Events Recorded
Specified in the Certificate Policy.
5.4.2 Frequency of Processing Audit Logging Information
Specified in the Certificate Policy.
5.4.3 Retention Period for Audit Logging Information
Specified in the Certificate Policy.
5.4.4 Protection of Audit Logs
Specified in the Certificate Policy.
5.4.5 Backup Procedures for Audit Logging Information
Specified in the Certificate Policy.
5.4.6 Collection System for Monitoring Information (internal or external)
Specified in the Certificate Policy.
5.4.7 Notification to Event-causing Subject
Specified in the Certificate Policy.
5.4.8 Vulnerability Assessments
Specified in the Certificate Policy.
5.5 Records Archival
5.5.1 Types of Records Archived
Specified in the Certificate Policy.
5.5.2 Retention Period for Archived Audit Logging Information
Specified in the Certificate Policy.
5.5.3 Protection of Archived Audit Logging Information
Specified in the Certificate Policy.
5.5.4 Archive Backup Procedures
Specified in the Certificate Policy.
5.5.5 Requirements for Time-Stamping of Record
Specified in the Certificate Policy.
5.5.6 Archive Collection System (internal or external)
Specified in the Certificate Policy.
5.5.7 Procedures to Obtain and Verify Archived Information
Specified in the Certificate Policy.
5.6 Key Changeover
Keys expire at the same time as their associated Certificates. Key Changeover must occur before the expiration of the CA’s Certificates (stop issuance date) and shall be performed manually.
CA | Validity period | Operational period (Stop Issuance Date)
Siemens Issuing CA | 8 years | 1 year
At the “Stop Issuance Date” Siemens CA stops issuing Certificates with the old key and initiates the generation of new keys. The new Certificate of the new Public Key is published. Certificate Requests received after the “Stop Issuance Date” will be signed with the new CA Private Key.
5.7 Compromise and Disaster Recovery
5.7.1 Incident and Compromise Handling Procedures
Specified in the Certificate Policy.
5.7.2 Corruption of Computing Resources, Software, and/or Data
Specified in the Certificate Policy.
5.7.3 Entity Private Key Compromise Procedures
Specified in the Certificate Policy.
5.7.4 Business Continuity Capabilities After a Disaster
Specified in the Certificate Policy.
5.8 CA Termination
Specified in the Certificate Policy.
6 Technical Security Controls
Specified in the Root CA CPS.
6.1 Key Pair Generation and Installation
6.1.1 Key Pair Generation
The Applicant or Subscriber is required to generate, or initiate the generation of, a new key pair to be used in association with the Subscriber’s certificate request or the Applicant’s certificate application, complying with the minimum requirements as documented here and in ‘PKI3_EE_Policies’.
The CA will reject a Certificate request if one or more of the following conditions are met:
(i) The Key Pair does not meet the requirements set forth in §6.1.5 and/or §6.1.6;
(ii) There is clear evidence that the specific method used to generate the Private Key was flawed;
(iii) The CA is aware of a demonstrated or proven method that exposes the Private Key to compromise;
(iv) The CA has previously been made aware that the Private Key has suffered a Key Compromise, such as through the provisions of Section 4.9.1;
(v) The CA is aware of a demonstrated or proven method to easily compute the Private Key based on the Public Key (such as a Debian weak key, see https://wiki.debian.org/SSLkeys).
Client Certificates:
I. In order to support key backup, the CA may optionally provide a service to generate the Key Pair on behalf of the Applicant or Subscriber; in this case the related certificate signing request MUST NOT request the attribute extended key-usage set to ‘non-repudiation’.
6.1.2 Private Key Delivery to Subject
During the operation of the Siemens Issuing CAs, the trusted operator ensures that the CAs’ Private Keys do not leave its secure facility.
For an Authentication/Digital Signatures Certificate, there is no delivery of the Private Key to Subscribers because each Subscriber generates their own Private Key with the Secure Signature Creation Device (“SSCD”). For an Encryption Certificate, the Private Key is securely delivered to the Subject through the respective RA, either by physically handing the Private Key to the Subject in person after Validation of the Subject’s identity, by securely mailing or delivering it via courier with a procedure for Validation of the Subject’s identity, or through PKISS/MyPKI.
For Server Certificates the Certificate Applicant is responsible for the security of the private key. The Siemens Issuing CA does not store or generate this key. No private keys for SSL/TLS certificates are delivered to the subscriber.
6.1.3 Public Key Delivery to Certificate Issuer
Compare chapter 4.4.2.
6.1.4 CA Public Key delivery Relying Parties
Specified in the Root CA CPS.
6.1.5 Key Sizes
Specified in the Root CA CPS.
6.1.6 Public Key Parameters Generation and Quality Checking
Specified in the Root CA CPS.
6.1.7 Key Usage Purposes
Specified in the Root CA CPS.
6.2 Private Key Protection and Cryptographic Module Engineering Controls
6.2.1 Cryptographic Module Standards and Controls
Specified in the Root CA CPS.
6.2.2 Private Key (n out of m) Multi-person Control
Specified in the Root CA CPS.
6.2.3 Private Key Escrow
For End Entity Subscribers having an Encryption Certificate, the Private Key will be escrowed by Siemens CA’s trusted operator. For End Entity Subscribers having an Authentication/Digital Signatures Certificate or a Server Certificate, there is no stipulation.
6.2.4 Private Key Backup
For Private Keys of Issuing CAs, separate backup hardware cryptographic modules are used and kept secure at separate sites in the trusted operator’s backup locations during operation of the Issuing CA. The following requirements apply to Issuing CA Private Keys.
1. Hardware cryptographic modules used for Issuing CA Private Key storage are to meet the requirements of §6.2.1.
2. Issuing CA Private Keys are copied to backup hardware cryptographic modules in accordance with §6.2.6.
3. Modules containing onsite backup copies and disaster recovery copies of Issuing CA Private Keys are subject to the requirements of §5.1 and §6.2.1.
§6.2.3 addresses the backup of Subscriber Private Keys.
6.2.5 Private Key Archival
Issuing CA Private Key archival: Compare chapter 6.2.4.
End Entity Subscriber Private Key archival: When Key Pairs reach the end of their Validity Period, the Key Pair will be archived for a period of at least thirty (30) years. This is only applicable for Encryption Certificates.
6.2.6 Private Key Transfer into or from a Cryptographic Module
Private Keys of the Issuing CAs are securely stored exclusively on hardware cryptographic modules.
6.2.7 Storage of Private Keys on the Cryptographic Module
Issuing CA Private Keys are stored on hardware cryptographic modules with Common Criteria (CC) Evaluation Assurance Level (EAL) 4+, which is generally equivalent to Information Technology Security Evaluation Criteria (ITSEC) assurance level E3. Where Issuing CA Key Pairs are backed up to an equivalent hardware cryptographic module, such Key Pairs are transported between modules in encrypted form inside the high security cell of the secure facility.
6.2.8 Method of Activating Private Key
Upon issuance, Issuing CA Private Keys are activated on the hardware cryptographic module in the trusted operator high security cell, which is witnessed by a representative of Siemens CA and at least two (2) authorized trusted operator employees and is documented for audit logging purposes. End Entity Subscriber Private Keys are generally activated through Subscriber’s use of Activation Data. All Siemens PKI Participants are required to protect the Activation Data for their Private Keys against loss, theft, modification, unauthorized disclosure, or unauthorized use.
6.2.9 Method of Deactivating Private Key
Issuing CA Private Keys on hardware cryptographic modules can be deactivated (and reactivated, if necessary) through deactivation software in the trusted operator’s high security cell, which is witnessed by at least two authorized trusted operator employees and is documented for audit logging purposes.
6.2.10 Method of Destroying Private Key
Issuing CA Private Keys are stored solely within hardware cryptographic modules (see §6.2.7). Their destruction, once they are no longer needed, requires the participation of three trusted employees, and the destruction process is logged. When a Subject Private Key is no longer needed, the corresponding Certificate is revoked. Because of key-recovery requirements, encryption keys are securely archived by the corresponding Issuing CA (see §6.2.5). For example, when an employee leaves the company, the employee card containing the Private Key is retracted and securely destroyed, and the destruction is documented accordingly.
6.2.11 Cryptographic Module Rating
Specified in the Root CA CPS.
6.3 Other Aspects of Key Pair Management
6.3.1 Public Key Archival
Specified in the Root CA CPS.
6.3.2 Certificate Operational Periods and Key Pair Usage Periods
The operational period of a Certificate ends upon its expiration or revocation. The operational period of a Key Pair is the same as that of the associated Certificate, except that the Public Key may continue to be used for signature verification. The Issuing CA Key Pair usage period is subject to the Validity Period of the Certificates issued by the CA; the Validity Period of the Private Key and Public Key of Issuing CAs, RAs and Subjects ends upon expiration or revocation of the corresponding Certificate. These periods are in turn based on the Validity Period of the Root CA Certificate, which is up to twelve (12) years. The Validity Periods of the Certificates are set out in Table 4 below.
Subject type         CA Cert.   Authentication/Digital Signature Cert.   Encryption Cert.   EFS Cert.   Server Cert.             Multi-purpose Cert.   Code Signing Cert.
Siemens Issuing CAs  6          N/A                                      N/A                N/A         N/A                      N/A                   N/A
Siemens employee     N/A        3                                        3                  3           N/A                      N/A                   N/A
Functional Group     N/A        1                                        1                  N/A         N/A                      N/A                   3
Business Partner     N/A        1                                        1                  N/A         N/A                      1                     N/A
Servers              N/A        N/A                                      N/A                N/A         1 year + up to 92 days   N/A                   N/A
Table 4 Validity Period of Certificates (in years from date of issuance)
Summarizing:
• Special purpose certificates such as Code Signing Certificates may be valid for up to 3 years
• Server Certificates are valid for up to 1 year plus 92 days
• Siemens employee certificates may be valid for up to 3 years
• Business Partner certificates may be valid for up to 1 year
6.4 Activation Data
Activation Data refers to data values other than whole Private Keys that are required to operate Private Keys or hardware cryptographic modules containing Private Keys, such as a PIN, password or portions of a Private Key used in a key-splitting scheme. Protection of Activation Data prevents unauthorized use of the Private Key, and potentially needs to be considered for the Siemens Issuing CA, RAs and Subjects. No Activation Data for Siemens Issuing CA Private Keys are currently provided by its trusted operator to ensure fully automated CA operation with a minimum of manual intervention.
6.4.1 Activation Data Generation and Installation
Specified in the Root CA CPS.
6.4.2 Activation Data Protection
Specified in the Root CA CPS.
6.4.3 Other Aspects of Activation Data
Specified in the Root CA CPS.
6.5 Computer Security Controls
Specified in the Root CA CPS.
6.6 Life Cycle Security Controls
6.6.1 System Development Controls
Specified in the Root CA CPS.
6.6.2 Security Management Controls
Specified in the Root CA CPS.
6.6.3 Life Cycle of Security Controls
Specified in the Root CA CPS.
6.7 Network Security Controls
Siemens is certified against ETSI EN 319 411-1 V2.2.1 and ETSI EN 319 401 V2.2.2, as well as against the CA/Browser Forum Network and Certificate System Security Requirements, Version 1.5 (effective 19 October 2020).
6.8 Time Stamp Process
Specified in the Root CA CPS.
7 Certificate, CRL, and OCSP Profiles
All digital Certificates issued by the Issuing CAs comply with digital Certificate and CRL profiles as described in [RFC 5280].
7.1 Certificate Profile
CAs issue Certificates in accordance with X.509 version 3. Certificate profiles for the Root CA Certificate, Subordinate CA Certificates and Subscriber Certificates are described in ‘Siemens Trust Center PKI - CA Hierarchy Policy 2020’ and in the sections below.
Certificates have a serial number greater than zero (0) that contains at least 64 unpredictable bits. Serial numbers are 128 bits long, are not generated in sequence, and are taken from a Java cryptographically secure random number generator (CSRNG).
7.1.1 Version Number
All Certificates issued by the CAs are X.509 version 3 certificates.
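As an added example (not taken from the CPS and not Siemens' own tooling), the following Go code implements the serial-number rules above: a 128-bit serial drawn from the operating system's CSPRNG (standing in for the Java CSRNG the CPS names), and a checker for the constraints a certificate linter would apply. The function names are this example's own, and the 20-octet bound is taken from RFC 5280 section 4.1.2.2 rather than from this document.

```go
package main

import (
	"crypto/rand"
	"encoding/asn1"
	"fmt"
	"math/big"
)

// NewSerial draws a 128-bit value from the OS CSPRNG and retries on zero, so the
// serial is positive, non-sequential and carries far more than 64 unpredictable bits.
func NewSerial() (*big.Int, error) {
	limit := new(big.Int).Lsh(big.NewInt(1), 128) // values in [0, 2^128)
	for {
		s, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return nil, err
		}
		if s.Sign() > 0 {
			return s, nil
		}
	}
}

// SerialOctets returns the number of content octets the serial occupies as a DER
// INTEGER. A value whose top bit is set gets a leading 0x00 so it is not read as
// negative, which is why a "160-bit" serial can overflow the 20-octet limit.
func SerialOctets(s *big.Int) int {
	der, err := asn1.Marshal(s)
	if err != nil {
		panic(err) // a *big.Int always marshals
	}
	return len(der) - 2 // strip the tag and the one-byte length; serials are far below 128 octets
}

// CheckSerial applies the serial-number rules of 7.1: greater than zero, enough bits to
// hold 64 unpredictable bits (a single value cannot prove entropy, so bit length is the
// available proxy), and at most 20 content octets as RFC 5280 section 4.1.2.2 requires.
func CheckSerial(s *big.Int) []string {
	var findings []string
	if s.Sign() <= 0 {
		findings = append(findings, "serial must be greater than zero")
	}
	if s.BitLen() < 64 {
		findings = append(findings, "serial too short to contain 64 unpredictable bits")
	}
	if n := SerialOctets(s); n > 20 {
		findings = append(findings, fmt.Sprintf("serial encodes to %d content octets, limit is 20", n))
	}
	return findings
}
```

Note the edge case SerialOctets makes visible: 2^159 has a bit length of 160, which looks like 20 octets, but its top bit is set, so DER prepends a 0x00 and the INTEGER becomes 21 octets and is rejected; 2^159 - 1 is the largest value that still fits. A 128-bit serial as the CPS specifies never comes near that limit.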
7.1.2 Certificate Extensions
7.1.2.1 Root CA Certificate
Certificate extensions are set as stipulated in IETF RFC 5280 and in accordance with ‘Siemens Trust Center PKI - CA Hierarchy Policy 2020’.
7.1.2.2 Subordinate CA Certificate
Certificate extensions are set as stipulated in IETF RFC 5280 and in accordance with ‘Siemens Trust Center PKI - CA Hierarchy Policy 2020’.
Effective January 1, 2019, the extended key usage requirements for Subordinate CA Certificates are:
(i) Must contain an EKU extension,
(ii) Must not include the anyExtendedKeyUsage EKU, and
(iii) Must not include more than one of id-kp-serverAuth, id-kp-emailProtection, id-kp-codeSigning or id-kp-timeStamping in the same certificate.
7.1.2.3 Subscriber Certificate
Certificate extensions are set as stipulated in IETF RFC 5280 and in accordance with ‘Siemens Trust Center PKI - CA Hierarchy Policy 2020’.
7.1.2.4 All Certificates
All other fields and extensions MUST be set in accordance with RFC 5280.
7.1.2.5 Application of RFC 5280
For purposes of clarification, a precertificate, as described in RFC 6962 (Certificate Transparency), shall not be considered to be a “certificate” subject to the requirements of RFC 5280.
7.1.3 Algorithm Object Identifiers
7.1.3.1 SubjectPublicKeyInfo
For RSA, the CA will indicate an RSA key using the rsaEncryption (OID 1.2.840.113549.1.1.1) algorithm identifier. The parameters must be present and must be an explicit NULL.
For ECDSA, the CA must indicate an ECDSA key using the id-ecPublicKey (OID 1.2.840.10045.2.1) algorithm identifier. The parameters must use the namedCurve encoding:
(i) For P-256 keys, the namedCurve must be secp256r1 (OID 1.2.840.10045.3.1.7), or
(ii) For P-384 keys, the namedCurve must be secp384r1 (OID 1.3.132.0.34).
7.1.3.2 SignatureAlgorithmIdentifier
All objects signed by a CA Private Key must conform to the following requirements on the use of the AlgorithmIdentifier (or AlgorithmIdentifier-derived type) in the context of signatures.
For RSA, the CA must use one of the following signature algorithms and encodings:
(i) RSASSA-PKCS1-v1_5 with SHA-256
(ii) RSASSA-PKCS1-v1_5 with SHA-384
(iii) RSASSA-PKCS1-v1_5 with SHA-512
For ECDSA, the CA must use the signature algorithm and encoding appropriate to the signing key:
(iv) If the signing key is P-256, the signature MUST use ECDSA with SHA-256.
(v) If the signing key is P-384, the signature MUST use ECDSA with SHA-384.
(vi) If the signing key is P-521, the signature MUST use ECDSA with SHA-512.
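The two rule sets above (key encoding in 7.1.3.1, signature algorithm per signing key in 7.1.3.2) can be checked directly on the DER of a SubjectPublicKeyInfo. The Go code below is an added example, not part of the CPS and not Siemens code: it parses the SPKI with encoding/asn1, rejects an RSA key whose parameters are absent rather than an explicit NULL, rejects an EC key on a curve other than P-256 or P-384, and returns the signature algorithms the corresponding private key may use. The OIDs are the ones listed above; the function names and the generated sample keys are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

var (
	oidRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}
	oidECPublicKey   = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1}
	oidSecp256r1     = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7}
	oidSecp384r1     = asn1.ObjectIdentifier{1, 3, 132, 0, 34}
)

// subjectPublicKeyInfo mirrors the SEQUENCE defined in RFC 5280 section 4.1.
type subjectPublicKeyInfo struct {
	Algorithm pkix.AlgorithmIdentifier
	PublicKey asn1.BitString
}

// AllowedSignatures checks a DER SubjectPublicKeyInfo against 7.1.3.1 and returns the
// signature algorithms 7.1.3.2 permits for objects signed with the matching private
// key. An error means the key encoding itself is non-compliant.
func AllowedSignatures(spkiDER []byte) ([]x509.SignatureAlgorithm, error) {
	var info subjectPublicKeyInfo
	rest, err := asn1.Unmarshal(spkiDER, &info)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, fmt.Errorf("%d trailing bytes after SubjectPublicKeyInfo", len(rest))
	}
	alg, params := info.Algorithm.Algorithm, info.Algorithm.Parameters
	switch {
	case alg.Equal(oidRSAEncryption):
		// Parameters must be present and be the explicit NULL (05 00); absent is a violation.
		if params.Class != asn1.ClassUniversal || params.Tag != asn1.TagNull || len(params.FullBytes) != 2 {
			return nil, fmt.Errorf("rsaEncryption parameters must be an explicit NULL")
		}
		return []x509.SignatureAlgorithm{x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA}, nil
	case alg.Equal(oidECPublicKey):
		var curve asn1.ObjectIdentifier // namedCurve choice of ECParameters
		if _, err := asn1.Unmarshal(params.FullBytes, &curve); err != nil {
			return nil, fmt.Errorf("id-ecPublicKey parameters must be a namedCurve OID: %v", err)
		}
		switch {
		case curve.Equal(oidSecp256r1):
			return []x509.SignatureAlgorithm{x509.ECDSAWithSHA256}, nil
		case curve.Equal(oidSecp384r1):
			return []x509.SignatureAlgorithm{x509.ECDSAWithSHA384}, nil
		}
		return nil, fmt.Errorf("namedCurve %v is neither secp256r1 nor secp384r1", curve)
	}
	return nil, fmt.Errorf("unsupported public key algorithm %v", alg)
}

// SignatureAllowed reports whether the signature algorithm seen on a certificate, CRL
// or OCSP response is one the signing CA's key (given as its SPKI) may use.
func SignatureAllowed(issuerSPKI []byte, alg x509.SignatureAlgorithm) (bool, error) {
	allowed, err := AllowedSignatures(issuerSPKI)
	if err != nil {
		return false, err
	}
	for _, a := range allowed {
		if a == alg {
			return true, nil
		}
	}
	return false, nil
}

// SampleSPKIs generates constructed test keys: compliant P-256, P-384 and RSA encodings,
// a P-521 key (not an allowed subject key under 7.1.3.1) and an RSA encoding with the
// parameters field stripped, the classic non-compliant form.
func SampleSPKIs() (map[string][]byte, error) {
	out := map[string][]byte{}
	for name, curve := range map[string]elliptic.Curve{"p256": elliptic.P256(), "p384": elliptic.P384(), "p521": elliptic.P521()} {
		k, err := ecdsa.GenerateKey(curve, rand.Reader)
		if err != nil {
			return nil, err
		}
		if out[name], err = x509.MarshalPKIXPublicKey(&k.PublicKey); err != nil {
			return nil, err
		}
	}
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	if out["rsa"], err = x509.MarshalPKIXPublicKey(&rsaKey.PublicKey); err != nil {
		return nil, err
	}
	// Re-encode with a zero-valued (optional) Parameters so asn1.Marshal omits it entirely.
	var info subjectPublicKeyInfo
	if _, err := asn1.Unmarshal(out["rsa"], &info); err != nil {
		return nil, err
	}
	info.Algorithm.Parameters = asn1.RawValue{}
	if out["rsa-noparams"], err = asn1.Marshal(info); err != nil {
		return nil, err
	}
	return out, nil
}
```

To check an issued object, pass the issuing CA's RawSubjectPublicKeyInfo and the object's SignatureAlgorithm to SignatureAllowed. RSASSA-PSS is deliberately absent from the RSA list because 7.1.3.2 only names PKCS#1 v1.5 encodings. Note also that a P-521 signing key, case (vi) above, cannot occur under this CPS, since 7.1.3.1 only permits P-256 and P-384 in a SubjectPublicKeyInfo.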
7.1.4 Name Forms
7.1.4.1 Name Encoding
Name Encoding: Subject and Issuer Names for all possible certification paths MUST be byte-for-byte identical. The subject attributes of the Issuing CAs are encoded as follows:
Siemens Issuing CA 2020
Common Name - CN                                                      Country - C        Organization Name - O   Common Name - CN
Siemens Issuing CA EE Auth 2020 - ZZZZZZD2                            PRINTABLESTRING    UTF8STRING              UTF8STRING
Siemens Issuing CA Medium Strength Authentication 2020 - ZZZZZZD6     PRINTABLESTRING    UTF8STRING              UTF8STRING
Siemens Issuing CA EE Enc 2020 - ZZZZZZD3                             PRINTABLESTRING    UTF8STRING              UTF8STRING
Siemens Issuing CA EE Network Smartcard 2020 - ZZZZZZDD               PRINTABLESTRING    UTF8STRING              UTF8STRING
Siemens Issuing CA 2021
Common Name - CN                                                      Country - C        Organization Name - O   Common Name - CN
Siemens Issuing CA EE Enc 2021 - ZZZZZZD3                             PRINTABLESTRING    UTF8STRING              UTF8STRING
Siemens Issuing CA EE Auth 2021 - ZZZZZZD2                            PRINTABLESTRING    UTF8STRING              UTF8STRING
Siemens Issuing CA Medium Strength Authentication 2021 - ZZZZZZD6     PRINTABLESTRING    UTF8STRING              UTF8STRING
Siemens Issuing CA EE Network Smartcard 2021 - ZZZZZZDD               PRINTABLESTRING    UTF8STRING              UTF8STRING
For every valid Certification Path (as defined by RFC 5280, Section 6) of Subscriber and Subordinate CA Certificates, the following must be met:
(i) For each Certificate in the Certification Path, the encoded content of the issuer distinguished name field shall be byte-for-byte identical with the encoded form of the subject distinguished name field of the issuing CA certificate.
(ii) For each CA Certificate in the Certification Path, the encoded content of the subject distinguished name field shall be byte-for-byte identical among all Certificates whose subject distinguished names can be compared as equal according to RFC 5280, Section 7.1, including expired and revoked Certificates.
7.1.4.2 Subject Information – Subscriber Certificates
Subject information must meet the requirements stated in ‘Siemens Trust Center PKI - CA Hierarchy Policy 2020’. Name forms for Subscriber Certificates are as stipulated in §3.1.1. All other optional attributes must contain information that has been verified by the CA or RA. Optional attributes will not contain only metadata such as '.', '-' or ' ' (space) characters, or any other indication that the value is absent, incomplete, or not applicable.
Entries in the dNSName are in the “preferred name syntax” specified in IETF RFC 5280 and therefore do not contain underscore characters.
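The rules of 7.1.2.2 (Subordinate CA EKUs), 7.1.4.1 (byte-identical issuer and subject DNs along a path) and 7.1.4.2 (no underscores in dNSName) can all be checked mechanically on a parsed chain. The Go program below is an added example, not Siemens code: it builds a throwaway three-level chain under constructed names (Example Root CA, Example Issuing CA and host.example.com are hypothetical), re-parses each certificate so the raw DER of its names is available, and lints it. The sub-CA EKUs and leaf dNSNames are parameters so that both compliant and non-compliant chains can be produced.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CheckSubCA applies the 7.1.2.2 EKU rules to a Subordinate CA Certificate.
func CheckSubCA(c *x509.Certificate) []string {
	var f []string
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		f = append(f, "subordinate CA has no EKU extension")
	}
	exclusive := 0 // at most one of serverAuth, emailProtection, codeSigning, timeStamping
	for _, eku := range c.ExtKeyUsage {
		switch eku {
		case x509.ExtKeyUsageAny:
			f = append(f, "subordinate CA asserts anyExtendedKeyUsage")
		case x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageEmailProtection,
			x509.ExtKeyUsageCodeSigning, x509.ExtKeyUsageTimeStamping:
			exclusive++
		}
	}
	if exclusive > 1 {
		f = append(f, "subordinate CA combines serverAuth/emailProtection/codeSigning/timeStamping")
	}
	return f
}

// CheckChain takes a path ordered leaf first, root last. It enforces the byte-for-byte
// issuer/subject rule of 7.1.4.1 on the raw DER kept by the parser (RawIssuer and
// RawSubject) and the no-underscore dNSName rule of 7.1.4.2 on the leaf.
func CheckChain(chain []*x509.Certificate) []string {
	var f []string
	for i := 0; i+1 < len(chain); i++ {
		if !bytes.Equal(chain[i].RawIssuer, chain[i+1].RawSubject) {
			f = append(f, fmt.Sprintf("certificate %d: issuer DN is not byte-identical to its issuer's subject DN", i))
		}
	}
	for _, n := range chain[0].DNSNames {
		if strings.Contains(n, "_") {
			f = append(f, "dNSName "+n+" contains an underscore")
		}
	}
	return f
}

// BuildChain issues root -> subordinate CA -> leaf under constructed sample names (not a
// Siemens hierarchy). Each certificate is re-parsed so that RawSubject/RawIssuer hold
// the bytes actually encoded.
func BuildChain(subEKU []x509.ExtKeyUsage, dnsNames []string) ([]*x509.Certificate, error) {
	var chain []*x509.Certificate
	var parent *x509.Certificate
	var parentKey *ecdsa.PrivateKey
	for i, cn := range []string{"Example Root CA", "Example Issuing CA", "host.example.com"} {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // 128-bit, as in 7.1.1
		if err != nil {
			return nil, err
		}
		t := &x509.Certificate{
			SerialNumber:          serial.Add(serial, big.NewInt(1)), // keep it strictly positive
			Subject:               pkix.Name{Country: []string{"DE"}, Organization: []string{"Example Org"}, CommonName: cn},
			NotBefore:             time.Now(),
			NotAfter:              time.Now().Add(24 * time.Hour),
			BasicConstraintsValid: true,
			IsCA:                  i < 2,
			KeyUsage:              x509.KeyUsageDigitalSignature,
		}
		if i < 2 {
			t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		}
		if i == 1 {
			t.ExtKeyUsage = subEKU
		} else if i == 2 {
			t.DNSNames = dnsNames
		}
		if parent == nil { // the root signs itself
			parent, parentKey = t, key
		}
		der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
		if err != nil {
			return nil, err
		}
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		chain = append([]*x509.Certificate{c}, chain...) // prepend: the leaf ends up first
		parent, parentKey = c, key
	}
	return chain, nil
}
```

CheckChain compares RawIssuer with RawSubject rather than the parsed pkix.Name values on purpose: a Country encoded as PrintableString and the same Country encoded as UTF8String compare equal as names under RFC 5280 section 7.1 but differ on the wire, and that is precisely the mismatch 7.1.4.1 forbids. Running the checks on a chain whose sub-CA carries anyExtendedKeyUsage together with serverAuth and codeSigning, and whose leaf names bad_host.example.com, yields one finding per violated rule.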
7.1.4.3 Subject Information – Root Certificates and Subordinate CA Certificates
Subject information must meet the requirements stated in ‘Siemens Trust Center PKI- CA Hierarchy Policy 2020’.
7.1.5 Name Constraints
CAs do not support the issuance of technically constrained Subordinate CA Certificates.
7.1.6 Certificate Policy Object Identifier
7.1.6.1 Reserved Certificate Policy Identifiers
Subscriber Certificates must include one of the following reserved Certificate Policy Identifiers, if the CA is asserting the
Certificate meets the associated certificate policy:
• SSL Certificates 2.23.140.1.2.2
• EV SSL Certificates 2.23.140.1.1
• Code Signing Certificates 2.23.140.1.4.1
• EV Code Signing Certificates 2.23.140.1.3
• Verified Mark Certificates 1.3.6.1.4.1.53087.1.1
7.1.6.2 Root CA Certificates
Root CA Certificates issued after January 1st 2020 do not contain the certificate policy object identifiers.
7.1.6.3 Subordinate CA Certificates
Subordinate CA Certificates must include either the “any policy” certificate policy object identifier or one or more explicit certificate policy object identifiers that indicate compliance with a specific certificate policy. Certificate policy object identifiers are listed in §7.1.6.1 and §7.1.6.4.
7.1.6.4 Subscriber Certificates
Subscriber Certificates include one or more certificate policy identifiers. The related policy identifiers are documented in ‘Siemens Trust Center PKI - CA Hierarchy Policy 2020’.
7.1.7 Usage of Policy Constraints Extension
No stipulation.
7.1.8 Policy Qualifiers Syntax and Semantics
CAs include policy qualifiers in all Subscriber Certificates as stipulated in ‘Siemens Trust Center PKI - CA Hierarchy Policy 2020’.
7.1.9 Processing Semantics for the Critical Certificate Policies Extension
The certificatePolicies extension is marked non-critical.
7.2 CRL Profile
The following fields of the X.509 version 2 CRL format are used by the CAs:
• version: set to v2
• signature: identifier of the algorithm used to sign the CRL
• issuer: the full Distinguished Name of the CA issuing the CRL
• this update: time of CRL issuance
• next update: time of next expected CRL update
• revoked Certificates: list of revoked Certificate information
7.2.1 Version Number
No stipulation.
7.2.2 CRL and CRL Entry Extensions
No stipulation.
7.3 OCSP Profile
The profile for the Online Certificate Status Protocol (OCSP) messages issued by a CA conforms to the specifications in IETF RFC 6960, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP.
7.3.1 Version Number
No stipulation.
7.3.2 OCSP Extensions
The singleExtensions of an OCSP response shall not contain the reasonCode (OID 2.5.29.21) CRL entry extension.
8 Compliance Audit and Other Assessment
Specified in the Certificate Policy.
9 Other Business and Legal Matters
Specified in the Certificate Policy.
10 References
Specified in the Certificate Policy.