1. Introduction
This Certification Practice Statement (CPS) describes the practices and procedures employed by the HiLabs Certificate Authority (CA) in the issuance and management of digital certificates. This document outlines the legal, commercial, and technical principles of the HiLabs PKI.
2. Publication and Repository
HiLabs CA publishes its certificates, CRLs, and this CPS in its public repository available at https://ca.hilabs.eu. The repository is available 24/7.
3. Identification and Authentication
3.1 Initial Identity Validation: All certificate requests are subject to strict manual verification by authorized HiLabs administrators. No automated issuance is performed.
3.2 Domain Control: Sub-CAs are technically restricted via Name Constraints to domains owned and controlled by HiLabs. Verification of domain ownership is performed prior to Sub-CA issuance.
4. Certificate Life-Cycle Operational Requirements
4.1 Certificate Application: Requests must be submitted via the internal ticketing system.
4.2 Certificate Issuance: Upon successful verification and hand-approval by an administrator, the certificate is issued.
4.3 Certificate Revocation: Revocation requests are processed within 24 hours of receipt. A new CRL is published to the repository immediately after each revocation.
To report a key compromise or request revocation, please contact security@hilabs.eu immediately.
4.4 Certificate Status Checking: The status of any certificate issued under this CPS can be checked via the Online Certificate Status Protocol (OCSP) at http://ocsp.ca.hilabs.eu or by downloading the latest CRL from the repository. OCSP responses are signed by the responder, which is why the service is reachable over plain HTTP; relying parties must validate the response signature rather than depend on transport security.
5. Facility, Management, and Operational Controls
5.1 Physical Security: The Root CA private key is stored on an offline device, kept in a physically secure location with limited access.
5.2 Key Management:
- Root CA keys are generated on offline hardware.
- Sub-CA keys are generated on secure hardware security modules (HSM) or equivalent secure environments.
6. Technical Security Controls
All Sub-CAs issued by the HiLabs Root CA are constrained by the X.509 Name Constraints extension to ensure they can only issue certificates for authorized domains.
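The Name Constraints control described above, shown as an added example that is not part of the HiLabs CPS or HiLabs' own tooling: a POSIX shell script that builds a throwaway root, a sub-CA constrained to the hypothetical domain example.org (standing in for the HiLabs-controlled domains) and two leaf certificates, then uses openssl to confirm that the in-scope leaf validates and the out-of-scope leaf is rejected. It needs only the openssl command-line tool (1.1.1 or later); all key material is generated in a temporary directory.

```shell
#!/bin/sh
# Added example (not HiLabs' own tooling or keys): build a throwaway
# three-tier PKI whose sub-CA carries a critical Name Constraints extension
# permitting only example.org, then confirm that openssl verify accepts a
# leaf for www.example.org and rejects one for www.example.net.
# All names and files here are hypothetical and created in a temp dir.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# --- Root CA: self-signed, CA:TRUE, keyCertSign ---
cat > root.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout root.key -out root.csr -subj "/CN=Example Root CA" >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
  -extfile root.ext -out root.crt >/dev/null 2>&1

# --- Sub-CA: permitted subtree example.org (RFC 5280 4.2.1.10), which
# covers example.org itself and any name built by adding labels on the left ---
cat > sub.ext <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
nameConstraints=critical,permitted;DNS:example.org
EOF
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout sub.key -out sub.csr -subj "/CN=Example Constrained Sub-CA" >/dev/null 2>&1
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile sub.ext -out sub.crt >/dev/null 2>&1

# issue_leaf NAME BASENAME: end-entity cert for NAME signed by the sub-CA.
# The sub-CA key signs whatever it is asked to; the constraint is enforced
# by the relying party at validation time, not by the issuing CA.
issue_leaf() {
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > "$2.ext"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$2.key" -out "$2.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA sub.crt -CAkey sub.key -CAcreateserial \
    -days 30 -sha256 -extfile "$2.ext" -out "$2.crt" >/dev/null 2>&1
}
issue_leaf www.example.org allowed
issue_leaf www.example.net outside

# has_name_constraints CERT: exit 0 if CERT carries a critical Name
# Constraints extension (what to grep for in any sub-CA handed to you).
has_name_constraints() {
  openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Name Constraints: critical'
}

# verify_chain LEAF: exit 0 if openssl accepts LEAF under root via the sub-CA.
verify_chain() {
  openssl verify -CAfile root.crt -untrusted sub.crt "$1" >/dev/null 2>&1
}

if has_name_constraints sub.crt; then echo "sub-CA is name-constrained"; fi
if verify_chain allowed.crt; then echo "www.example.org: accepted"; fi
if verify_chain outside.crt; then
  echo "www.example.net: ACCEPTED (constraint not enforced!)"
else
  echo "www.example.net: rejected (permitted subtree violation)"
fi
```

Two points worth keeping in mind when relying on this control. The constraint is enforced by the relying party's path validator, not by the sub-CA: a misconfigured or compromised sub-CA key can still sign a certificate for an outside name, and it is the `critical` flag that obliges a validator which does not implement Name Constraints to reject the chain rather than silently accept it. The same toolchain covers the status check in section 4.4: `openssl ocsp -issuer sub.crt -cert leaf.crt -url http://ocsp.ca.hilabs.eu -CAfile root.crt` queries the responder and verifies the signed response against the root, and `openssl crl -in hilabs.crl -noout -text` lists the revoked serials in a downloaded CRL (the file names `leaf.crt` and `hilabs.crl` are placeholders).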