Product PKI Certificate Management Service Certificate Policy For .


Siemens AG
Product PKI Certificate Management Service – Certificate Policy for Siemens Product PKI Infrastructure Certificates

Document History

Version: 1.0
Date: 26.01.2022
Author: Michael Munzert, Antonio Vaira; T CST
Change Comment: First released version

This document will be reviewed every year or in the event of an important ad-hoc change according to the Information Security update process for documents. Each new version will be approved by the respective management level before being released.

This document is published under www.siemens.com/pki.

Scope and Applicability

This document constitutes the Certificate Policy (CP) for the PKI service providing infrastructure certificates to Siemens Product PKI Tenant. The Product PKI is responsible for the operation of the Root CAs as well as for the Issuing CAs. Together with the Central CP, this document discloses to interested parties the business policies and practices under which the Product PKI operates.

The Central PMA ensures that the certification practices established to meet the applicable requirements specified in the present document are properly implemented in accordance with Siemens' Information Security Policy.

Document Status

This document has been classified as “Unrestricted”.

Name / Department / Date
Author: Various authors, detailed information see document history.
Checked by: Stenger, Meiko / Siemens LC / May, 2020
Kuechler, Markus / Siemens IT / Feb, 2022
Dr. Gaus, Norbert / Head of Siemens T RPD1 / Jan, 2022
Authorization

2021 Siemens AG Unrestricted Page 2 40

Content

Document History
Scope and Applicability
Document Status
Content
1 Introduction
1.1 Overview
1.1.1 PKI hierarchy
1.2 Document Name and Identification
1.3 PKI Participants
1.3.1 Certification Authorities
1.3.2 Registration Authorities
1.3.3 Subscribers
1.3.4 Relying Parties
1.3.5 Other Participants
1.4 Certificate Usage
1.4.1 Appropriate Certificate Usage
1.4.2 Prohibited Certificate Usage
1.5 Policy Administration
1.5.1 Organization Administering the Document
1.5.2 Contact Person
1.5.3 Person Determining CP and CPS Suitability for the Policy
1.5.4 CPS Approval Procedures
1.6 Definitions and Acronyms
1.6.1 Definitions
1.6.2 Acronyms
2 Publication and Repository Responsibilities
2.1 Repositories
2.2 Publication of Certification Information
2.3 Time or Frequency of Publication
2.4 Access Controls on Repositories
3 Identification and Authentication
3.1 Naming
3.1.1 Types of Names

3.1.2 Need of Names to be Meaningful
3.1.3 Anonymity or Pseudonymity of Subscribers
3.1.4 Rules for Interpreting Various Name Forms
3.1.5 Uniqueness of Names
3.1.6 Recognition, Authentication, and Roles of Trademarks
3.2 Initial Identity Validation
3.2.1 Method to Prove Possession of Private Key
3.2.2 Authentication of Organization Identity
3.2.3 Authentication of Individual Identity
3.2.4 Non-verified Subscriber Information
3.2.5 Validation of Authority
3.2.6 Criteria for Interoperation
3.3 Identification and Authentication for Re-key Requests
3.3.1 Identification and Authentication for Routine Re-Key
3.3.2 Identification and Authentication for Re-Key After Revocation
3.4 Identification and Authentication for Revocation Requests
4 Certificate Lifecycle Operational Requirements
4.1 Certificate Application
4.1.1 Who can submit a certificate application?
4.1.2 Enrollment Process and Responsibilities
4.2 Certificate Application Processing
4.2.1 Performing identification and authentication functions
4.2.2 Approval or Rejection of Certificate Applications
4.2.3 Time to Process Certificate Applications
4.3 Certificate Issuance
4.3.1 CA Actions during Certificate Issuance
4.3.2 Notification to Subscriber by the CA of Issuance of Certificate
4.4 Certificate Acceptance
4.4.1 Conduct constituting certificate acceptance
4.4.2 Publication of the certificate by the CA
4.4.3 Notification of Certificate issuance by the CA to other entities
4.5 Key Pair and Certificate Usage
4.5.1 Subject Private Key and Certificate Usage
4.5.2 Relying Party Public Key and Certificate Usage

4.6 Certificate Renewal
4.6.1 Circumstance for Certificate Renewal
4.6.2 Who may request renewal?
4.6.3 Processing Certificate Renewal Request
4.6.4 Notification of new Certificate Issuance to Subscriber
4.6.5 Conduct Constituting Acceptance of a Renewal Certificate
4.6.6 Publication of the Renewal Certificate by the CA
4.6.7 Notification of Certificate Issuance by the CA to other Entities
4.7 Certificate Re-key
4.7.1 Circumstances for Certificate Re-key
4.7.2 Who may request certification of a new Public Key?
4.7.3 Processing Certificate Re-keying Requests
4.7.4 Notification of new Certificate Issuance to Subscriber
4.7.5 Conduct Constituting Acceptance of a Re-keyed Certificate
4.7.6 Publication of the Re-keyed Certificate by the CA
4.7.7 Notification of Certificate Issuance by the CA to other Entities
4.8 Certificate Modification
4.8.1 Circumstance for Certificate Modification
4.8.2 Who may request Certificate modification?
4.8.3 Processing Certificate Modification Requests
4.8.4 Notification of new Certificate Issuance to Subscriber
4.8.5 Conduct Constituting Acceptance of Modified Certificate
4.8.6 Publication of the Modified Certificate by the CA
4.8.7 Notification of Certificate Issuance by the CA to Other Entities
4.9 Certificate Revocation and Suspension
4.9.1 Circumstances for Revocation
4.9.2 Who can request revocation?
4.9.3 Procedure for Revocation Request
4.9.4 Revocation Request Grace Period
4.9.5 Time within which CA must Process the Revocation Request
4.9.6 Revocation Checking Requirement for Relying Parties
4.9.7 CRL Issuance Frequency
4.9.8 Maximum Latency for CRLs
4.9.9 On-line Revocation/Status Checking Availability

4.9.10 On-line Revocation Checking Requirements
4.9.11 Other Forms of Revocation Advertisements Available
4.9.12 Special Requirements for Private Key Compromise
4.9.13 Circumstances for Suspension
4.9.14 Who can request suspension?
4.9.15 Procedure for suspension request
4.9.16 Limits on suspension period
4.10 Certificate Status Services
4.10.1 Operational Characteristics
4.10.2 Service Availability
4.10.3 Optional Features
4.11 End of Subscription
4.12 Key Escrow and Recovery
4.12.1 Key Escrow and Recovery Policy and Practices
4.12.2 Session Key Encapsulation and Recovery Policy and Practices
5 Management, Operational, and Physical Controls
5.1 Physical Security Controls
5.1.1 Site Location and Construction
5.1.2 Physical Access
5.1.3 Power and Air Conditioning
5.1.4 Water Exposure
5.1.5 Fire Prevention and Protection
5.1.6 Media Storage
5.1.7 Waste Disposal
5.1.8 Off-site Backup
5.2 Procedural Controls
5.2.1 Trusted Roles
5.2.2 Numbers of Persons Required per Task
5.2.3 Identification and Authentication for Each Role
5.2.4 Roles Requiring Separation of Duties
5.3 Personnel Controls
5.3.1 Qualifications, Experience and Clearance Requirements
5.3.2 Background Check Procedures
5.3.3 Training Requirements

5.3.4 Retraining Frequency and Requirements
5.3.5 Job Rotation Frequency and Sequence
5.3.6 Sanctions for Unauthorized Actions
5.3.7 Independent Contractor Requirements
5.3.8 Documents Supplied to Personnel
5.4 Audit Logging Procedures
5.4.1 Types of Events Recorded
5.4.2 Frequency of Processing Log
5.4.3 Retention Period for Audit Log
5.4.4 Protection of Audit Log
5.4.5 Audit Log Backup Procedures
5.4.6 Audit Collection System (Internal vs. External)
5.4.7 Notification to Event-Causing Subject
5.4.8 Vulnerability Assessments
5.5 Records Archival
5.5.1 Types of Records Archived
5.5.2 Retention Period for Archived Audit Logging Information
5.5.3 Protection of Archive
5.5.4 Archive Backup Procedures
5.5.5 Requirements for Time-Stamping of Record
5.5.6 Archive Collection System (internal or external)
5.5.7 Procedures to Obtain and Verify Archived Information
5.6 Key Changeover
5.7 Compromise and Disaster Recovery
5.7.1 Incident and Compromise Handling Procedures
5.7.2 Corruption of Computing Resources, Software, and/or Data
5.7.3 Entity Private Key Compromise Procedures
5.7.4 Business Continuity Capabilities After a Disaster
5.8 CA or RA Termination
6 Technical Security Controls
6.1 Key Pair Generation and Installation
6.1.1 Key Pair Generation
6.1.2 Private Key Delivery to Subscriber
6.1.3 Public Key Delivery to Certificate Issuer

6.1.4 CA Public Key Delivery to Relying Parties
6.1.5 Key Sizes
6.1.6 Public Key Parameters Generation and Quality Checking
6.1.7 Key Usage Purposes (as per X.509 v3 Key Usage Field)
6.2 Private Key Protection and Cryptographic Module Engineering Controls
6.2.1 Cryptographic Module Standards and Controls
6.2.2 Private Key (n out of m) Multi-person Control
6.2.3 Private Key Escrow
6.2.4 Private Key Backup
6.2.5 Private Key Archival
6.2.6 Private Key Transfer into or from a Cryptographic Module
6.2.7 Private Key Storage on Cryptographic Module
6.2.8 Method of Activating Private Key
6.2.9 Method of Deactivating Private Key
6.2.10 Method of Destroying Private Key
6.2.11 Cryptographic Module Rating
6.3 Other Aspects of Key Pair Management
6.3.1 Public key archival
6.3.2 Certificate operational periods and key pair usage periods
6.4 Activation Data
6.4.1 Activation Data Generation and Installation
6.4.2 Activation Data Protection
6.4.3 Other Aspects of Activation Data
6.5 Computer Security Controls
6.5.1 Specific Computer Security Technical Requirements
6.5.2 Computer Security Rating
6.6 Life Cycle Security Controls
6.6.1 System Development Controls
6.6.2 Security Management Controls
6.6.3 Life Cycle Security Controls
6.7 Network Security Controls
6.8 Time Stamp Process
7 Certificate, CRL, and OCSP Profiles
7.1 Certificate Profile

7.1.1 Version Number(s)
7.1.2 Certificate Extensions
7.1.3 Algorithm Object Identifiers
7.1.4 Name Forms
7.1.5 Name Constraints
7.1.6 Certificate Policy Object Identifier
7.1.7 Usage of Policy Constraints Extension
7.1.8 Policy Qualifiers Syntax and Semantics
7.1.9 Processing Semantics for the Critical Certificate Policies Extension
7.2 CRL Profile
7.2.1 Version number(s)
7.2.2 CRL and CRL entry extensions
7.3 OCSP Profile
7.3.1 Version Number(s)
7.3.2 OCSP Extension
8 Compliance Audit and Other Assessment
8.1 Frequency or Circumstances of Assessment
8.2 Identity / Qualifications of Assessor
8.3 Assessor’s Relationship to Assessed Entity
8.4 Topics Covered by Assessment
