Cisco Root CA 2048 Certificate Policy


Cisco Systems Cryptographic Services (ciscopki-public@external.cisco.com)
Version 1.5, 2020-May-20

Table of Contents

Document Metadata
  Version History
1. Introduction
  1.1. Background
  1.2. Policy Identification
  1.3. Community & Applicability
  1.4. Contact Details
2. General Provisions
  2.1. Obligations
  2.2. Liability
  2.3. Interpretation & Enforcement
  2.4. Fees
  2.5. Publication & Validation Services
  2.6. Compliance Audit
  2.7. Confidentiality Policy
  2.8. Intellectual Property Rights
3. Identification and Authentication
  3.1. Initial Registration
  3.2. Renewal Applications
  3.3. Re-Key after Revocation
  3.4. Revocation Request
4. Operational Requirements
  4.1. Certificate Application
  4.2. Certificate Issuance
  4.3. Certificate Acceptance
  4.4. Certificate Revocation
  4.5. Computer Security Audit Procedures
  4.6. Records Archival
  4.7. Key Changeover
  4.8. Compromise and Disaster Recovery
  4.9. CA Termination
5. Physical, Procedural, and Personnel Security Controls
  5.1. Physical Security — Access Controls
  5.2. Procedural Controls
  5.3. Personal Security Controls
6. Technical Security Controls
  6.1. Key Pair Generation and Protection
  6.2. CA Private Key Protection
  6.3. Other Aspects of Key Pair Management
  6.4. Activation Data
  6.5. Security Management Controls
7. Certificates and CRL Profiles
  7.1. Certificate Profile
  7.2. CRL Profile
8. References
  8.1. Normative References
  8.2. Informative References
Appendix A: Definitions and Acronyms

Cisco Systems has implemented a Root Certificate Authority (CA) to provide a trust anchor for cryptographic communications using X.509 certificates. The Root CA consists of systems, products and services that both protect the Root CA’s private key, and manage the subordinate CA X.509 certificates (sub-CA certificates) issued from the Root CA. The purpose of this document is to describe the framework for the use (issuance, renewal, revocation, and policies) of the Root Certificate Authority 2048 within Cisco Systems Inc., and with external entities.

Document Metadata

Version History

Version 1.0 (2006-Jan-04)
- First version of document.

Version 1.1 (2007-Sep-17)
- Updated: cover version number and date, corporate logo.
- Added: “Version Information” section.
- Added: “Approvals” section.
- Deleted: “Document Owners/Contact Information”.
- Section 1.4: Deleted "Contact Details" heading; Added "Policy Administration" heading.
- Section 1.4.1, Section 1.4.1.1, Section 1.4.1.2: Added entire sections.
- Section 1.4.2: Added "Contact Information" heading.
- Section 2.3: Added "Each provision of this Policy has been subject to mutual consultation, negotiation, and agreement, and shall not be construed for or against any party."
- Section 2.3.1: Deleted "The enforceability, construction, interpretation, and validity of this Policy shall be governed by the laws of the United States and the State of California."; Added "This Policy shall be construed, and any legal relations between the parties hereto shall be determined, in accordance with the laws of the United States and laws of the State of California, without regard to any conflict of law provisions thereof."
- Section 2.3.2: Deleted "No stipulation"; Added "Disputes among Cisco Systems and a Benefiting Party will be resolved pursuant to provisions in the applicable Certificate Trust Agreements between Cisco and the Benefiting Party. Disputes between entities who are not Benefiting Parties and Cisco Systems carry no stipulation."
- Section 2.3.3, Section 2.3.4, Section 2.3.5, Section 2.3.6, Section 2.8: Added entire sections.
- Section 4.9: Added "The CA private key will be maintained in its Hardware Security Module (HSM) for 7 years past either termination or expiration of the CA certificate, after which it will be destroyed using the FIPS 140-1 approved mechanism supplied by the HSM."

Version 1.2 (2010-Jul-04)
- Section 1.2.1: Added ”With respect to any EV certificates that are issued by a sub-CA, both the sub-CA and the Cisco Root CA 2048 will conform to the current version of the CA/Browser Forum Guidelines for Issuance and Management of Extended Validation Certificates published at http://www.cabforum.org. In the event of any inconsistency between this document and those Guidelines, those Guidelines take precedence over this document.”

Version 1.3 (2016-Oct-18)
- Updated document formatting.
- Section 1.1.1: Converted text diagram to image.
- Section 1.2.1: Removed “With respect to any EV over this document” as this CA chain is no longer intended for EV use.
- Section 1.4.1.1: Changed "and Legal department" to "and separately reviewed by Cisco’s Legal department".
- Section 1.4.2: Updated PKI Operations Manager and CA Policy Authority contact names and emails.
- Section 2.1.1.5, Section 2.1.1.6, Section 2.1.1.7: Renumbered sections due to numbering issue in previous version.
- Section 2.3.6: Fixed typo "confireceived" to "confirmed receipt".
- Section 2.8: Fixed typo "governeCertificate" to "governed by a Certificate".
- Section 4.4.6: Fixed typo "superceded" to "superseded".
- Section 6.1.1: Moved "CA, and RA keys must be either hardware or software" from bullet list into separate paragraph. Removed comma after "CA".
- Section 6.2, Section 6.2.1, Section 6.2.7, Section 6.2.8: Fixed references of "FIPS 140-1" to "FIPS 140-2".
- Section 7.2: Fixed reference from X.509 version 2 to X.509 version 3.
- Appendix A: Renumbered section 8 to Appendix A.

Version 1.4 (2019-Jan-24)
- Converted document format for consistency with other CP-CPS documents.
- Approvals table removed as redundant; approvals are processed through the Cisco Systems Policy Management Authority per section 1.4.1.1.
- Annual review of document completed and certified.

Version 1.5 (2020-May-20)
- Added sections 4.8.1.1 Change Management Process and 4.8.1.2 Monitoring and Alerting.

Chapter 1. Introduction

Cisco Systems has implemented a Root Certificate Authority (CA) to provide a trust anchor for cryptographic communications using X.509 certificates. The Root CA consists of systems, products and services that both protect the Root CA’s private key, and manage the subordinate CA X.509 certificates (sub-CA certificates) issued from the Root CA.

The purpose of this document is to describe the framework for the use (issuance, renewal, revocation, and policies) of the Root Certificate Authority 2048 within Cisco Systems Inc., and with external entities.

1.1. Background

A public-key certificate binds a public-key value to a set of information that identifies the entity associated with use of the corresponding private key (this entity is known as the "subject" of the certificate). A certificate is used by a "certificate user" or "benefiting party" that needs to utilize the public key distributed via that certificate (a certificate user is typically an entity that is verifying a digital signature created by the certificate’s subject). The degree to which a certificate user can trust the binding embodied in a certificate depends on several factors. These factors include the practices followed by the Certification Authority (CA) in authenticating the subject; the CA’s operating policy, procedures, and security controls; the subject’s obligations (for example, in protecting the private key); and the stated undertakings and legal obligations of the CA (for example, warranties and limitations on liability).

1.1.1. PKI Hierarchy

The Cisco Root CA 2048 is a self-signed Root CA created in a secure key generation process by multiple agents of Cisco Systems, Inc.

The Cisco Root CA 2048 will only issue subordinate CA certificates, according to the policies stated in this document.

The Cisco Root CA 2048 is operated in an offline (non-networked) mode and is physically secured separately from the rest of the Cisco Systems’ computing assets. The Cisco Corporate Information Security group is responsible for the physical access controls protecting the offline Root CA.

Being a self-signed root, the Cisco Root CA 2048 hierarchy consists of only one certificate - the Cisco Root CA 2048 (CRCA-2048), which is owned and operated by Cisco Systems, Inc.

Figure 1. The CRCA-2048 Hierarchy

1.2. Policy Identification

The assertion of a Certificate Policies Object Identifier (CP OID) within the CertificatePolicies X.509 v3 extension will only be carried out by subordinate CAs which issue end-entity certificates. Therefore, there is no CP extension present in the Cisco Root CA 2048 certificate and the assignment of a CP OID is not within the scope of this document.

1.2.1. Certificate Types

The Cisco Root CA 2048 issues only subordinate CA certificates. No end-entity certificates will be issued from the Cisco Root CA 2048. The sub-CA certificates issued by the Cisco Root CA 2048 will include the CP OID(s) assigned to the Certificate Policy of the particular type of end-entity certificate issued by the sub-CA.

With respect to any EV certificates that are issued by a sub-CA, both the sub-CA and the Cisco Root CA 2048 will conform to the current version of the CA/Browser Forum Guidelines for Issuance and Management of Extended Validation Certificates published at www.cabforum.org. In the event of any inconsistency between this document and those Guidelines, those Guidelines take precedence over this document.

1.2.1.1. Certificate Profile

The Cisco Root CA 2048 certificate profile is obtainable by downloading the actual Root CA certificate itself from www.cisco.com/security/pki/certs/crca2048.cer or through correspondence to the parties listed in section 1.4.

1.3. Community & Applicability

1.3.1. Certification Authorities (CAs)

This Policy is binding on the offline root CA “Cisco Root CA 2048”. Specific practices and procedures by which the Root CA implements the requirements of this Policy shall be set forth by the CA in a certification practice statement ("CPS") or other publicly available document, or by contract with any Benefiting Party (see 1.3.5 below).

1.3.1.1. CAs Authorized to Issue Certificates under this Policy

The offline root CA “Cisco Root CA 2048”, owned by Cisco Systems, Inc. and operated by Cisco Systems Corporate Information Security group, is the only CA authorized to issue certificates under this policy.

1.3.2. Registration Authorities

See Section 2.1.2.

1.3.3. Validation Services

See Section 2.1.2.

1.3.4. Subscribers

The Subscribers of the Cisco Root CA 2048 are limited to subordinate CAs only.

1.3.5. Benefiting Parties

This Policy is intended for the benefit of the following persons who may rely on certificates that reference this Policy ("Benefiting Parties"):
- Cisco agencies and businesses that contractually agree to this Policy with the Corporate Information Security Department and/or with the CA
- Individuals that contractually agree to this Policy with the Corporate Information Security Department and/or with the CA
- Entities that have entered into a Certificate Trust Agreement with Cisco Systems wherein this Certificate Policy is specifically referenced

1.3.6. Applicability

1.3.6.1. Suitable Applications

Sub-CA certificates issued under this policy may be used in any application which requires the assembly of a cryptographic chain up to the Cisco Root CA 2048 for signature verification, establishment of trust, and/or certificate validation purposes.

1.4. Contact Details

This Policy is administered by the Corporate Information Security group of Cisco Systems, Inc.

1.4.1. Changes to the Certificate Policy

1.4.1.1. Procedure for Changes

Changes to this CP are made by the Cisco’s Policy Management Authority (PMA), which includes Cisco’s Corporate Security Programs Office and separately reviewed by Cisco’s Legal department. Changes will be in the form of a document update with changes reflected in the version section. Changed versions will be linked to by the main Cisco PKI Policies page located at: .

1.4.1.2. Change Notification

Benefiting Parties are defined here as entities who have entered into a Certificate Trust Agreement with Cisco Systems wherein this Certificate Policy is specifically referenced. Cisco’s PMA will notify all Benefiting Parties of any changes to the CP or CPS as defined in the specific Certificate Trust Agreement between Cisco Systems and the Benefiting Party. Entities who are not Benefiting Parties will not be notified of changes but may learn of changes by viewing the current CP or CPS published to Cisco’s public repository.

1.4.2. Contact Information

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134

PKI Operations Manager:
Cisco Systems Inc.
7025 Kit Creek Road
P.O. Box 14987
Research Triangle Park, NC 27709-4987
Attn: Brian Stone
E-mail address: ciscopki-public@external.cisco.com

CA Policy Authority:
Cisco Systems Inc.
7025 Kit Creek Road
P.O. Box 14987
Research Triangle Park, NC 27709-4987
Attn: J.P. Hamilton
E-mail address: ciscopki-public@external.cisco.com
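The hierarchy described in sections 1.1.1 and 1.2 (a self-signed root that carries no CertificatePolicies extension and issues only sub-CA certificates, which in turn assert the CP OIDs of their end-entity certificates) and the relying-party behaviour expected under 1.3.6.1 and 2.1.5 (assemble the chain up to the root, check status before relying) can be exercised in a few dozen lines with Go's standard crypto/x509 package. The program below is an added example written for this page; it is not Cisco's code and does not touch the real Cisco Root CA 2048. Everything in it is constructed: the subject names, the policy OID 1.3.6.1.4.1.99999.1 (a placeholder, not an OID assigned by any Cisco sub-CA policy), the 24-hour CRL validity window and the function names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed placeholder CP OID for the sub-CA (real CP OIDs come from the sub-CA policies).
var examplePolicyOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// id-ce-certificatePolicies (RFC 5280 4.2.1.4); PolicyInformation is written without qualifiers.
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
type policyInfo struct{ Policy asn1.ObjectIdentifier }

// must unwraps (value, error) pairs while building the constructed hierarchy.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// caTemplate returns a CA template able to sign certificates and CRLs.
func caTemplate(serial int64, cn string, years int) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(years, 0, 0), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

// buildHierarchy constructs the policy's layout: a self-signed root without a CertificatePolicies
// extension that issues only a sub-CA certificate, which asserts the CP OID of its end-entity certificates.
func buildHierarchy() (rootKey *rsa.PrivateKey, root, sub *x509.Certificate) {
	rootKey = must(rsa.GenerateKey(rand.Reader, 2048))
	subKey := must(rsa.GenerateKey(rand.Reader, 2048))
	rootTmpl := caTemplate(1, "Constructed Root CA 2048", 10)
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	subTmpl := caTemplate(2, "Constructed Sub CA", 5)
	cpValue := must(asn1.Marshal([]policyInfo{{Policy: examplePolicyOID}}))
	subTmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: cpValue}}
	sub = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, subTmpl, root, &subKey.PublicKey, rootKey))))
	return rootKey, root, sub
}

// hasCertificatePolicies reports whether the extension is present; section 1.2 requires it absent on the root.
func hasCertificatePolicies(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidCertificatePolicies) {
			return true
		}
	}
	return false
}

// issueCRL has the root sign a CRL that lists the given serials as revoked.
func issueCRL(root *x509.Certificate, rootKey *rsa.PrivateKey, revoked []*big.Int) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, root, rootKey)
}

// validateForReliance performs the relying-party checks of 1.3.6.1 and 2.1.5: assemble the chain
// up to the trust anchor, then confirm status against a fresh root-signed CRL before relying.
func validateForReliance(cert, root *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("chain does not end at the trust anchor: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(root)
	}
	if err == nil && time.Now().After(crl.NextUpdate) {
		err = errors.New("past NextUpdate; fetch a current one")
	}
	if err != nil {
		return fmt.Errorf("CRL unusable, status unknown: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("serial %s is revoked; do not rely", cert.SerialNumber)
		}
	}
	return nil
}

func main() {
	rootKey, root, sub := buildHierarchy()
	crl := must(issueCRL(root, rootKey, []*big.Int{sub.SerialNumber}))
	fmt.Println(hasCertificatePolicies(root), hasCertificatePolicies(sub), validateForReliance(sub, root, crl))
}
```

Run it with `go run` (Go 1.19 or later for `x509.ParseRevocationList`): it prints `false` for the root, `true` for the sub-CA, and a "revoked; do not rely" error, because `main` revokes the sub-CA before validating it. The design point worth copying is in `validateForReliance`: an unparseable, unsigned or stale CRL is reported as "status unknown" and reliance is refused, rather than being silently treated as "not revoked". Against the real Cisco root, the same two checks apply to the certificate downloaded from the URL in 1.2.1.1: confirm the CertificatePolicies extension is absent, and always pair chain building with a status check from the CRL location that 2.1.1.5 says the issued certificate carries.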

Chapter 2. General Provisions

2.1. Obligations

2.1.1. CA Obligations

The root CA “Cisco Root CA 2048” is responsible for all aspects of the issuance and management of its issued certificates, including control over the application/enrollment process, the identification and authentication process, the certificate manufacturing process, publication of the certificate (if required), suspension and/or revocation of the certificate, renewal of the certificate, validation services, and for ensuring that all aspects of the CA Services and CA operations and infrastructure related to certificates issued under this Policy are performed in accordance with the requirements and representations of this Policy.

2.1.1.1. Representations by the CA

By issuing a certificate that references this Policy, the Issuing CA certifies to Benefiting Parties who reasonably and in good faith rely on the information contained in the certificate during its operational period and in accordance with this Policy, that:
- The CA has issued, and will manage, the certificate in accordance with this Policy
- The CA has complied with the requirements of this Policy and its applicable CPS when authenticating the subscriber and issuing the certificate
- There are no misrepresentations of fact in the certificate known to the CA, and the CA has taken reasonable steps to verify additional information in the certificate unless otherwise noted in its CPS
- Information provided by the subscriber in the certificate application for inclusion in the certificate has been accurately transcribed to the certificate
- The certificate meets all material requirements of this Policy and was processed according to the CA’s CPS

2.1.1.2. Benefiting Party Warranties

Unless an explicit contractual agreement exists between Cisco Systems and a Benefiting Party, Cisco Systems is not representing any warranty to a Benefiting Party that exercises reliance on certificates issued by the Cisco Root CA 2048. In such instances where an explicit and separate Certificate Warranty agreement exists between the Benefiting Party and Cisco Systems, Cisco Systems may warrant that:
- The Issuing CA has issued and managed the Certificate in accordance with this Policy;
- The Issuing CA complied with the requirements of this Policy and any applicable CPS when authenticating requests for subordinate CA certificates;
- There are no material misrepresentations of fact in the Certificate known to the Issuing CA, and the Issuing CA has taken steps as required under this Policy to verify the information contained in the Certificate;
- The Issuing CA has taken the steps required by this Policy to ensure that the Certificate Holder’s submitted information has been accurately transcribed to the Certificate;
- Information provided by the Issuing CA concerning the current validity of the Certificate is accurate and that validity has not been diminished by the Issuing CA’s failure to promptly revoke the Certificate in accordance with this Certificate Policy; and
- The issued Certificate meets all material requirements of this Policy and any applicable CPS.

These warranties may be applied to any Benefiting Party who: (i) enters into a separately executed warranty agreement with Cisco Systems; (ii) relies on the issued Certificate in an electronic transaction in which the issued Certificate played a material role in verifying the identity of one or more persons or devices; (iii) exercises Reasonable Reliance on that Certificate; and (iv) follows all procedures required by this Policy and by the applicable Benefiting Party Agreement for verifying the status of the issued Certificate. These warranties are made to the Benefiting Party as of the time the CA’s certificate validation mechanism is utilized to determine Certificate validity, and only if the Certificate relied upon is valid and not revoked at that time.

2.1.1.3. Warranty Limitations

The warranties offered to both Certificate Holders and Benefiting Parties will be subject to the limitations set forth in this Policy. Cisco Systems may provide further limitations and exclusions on these warranties as deemed appropriate, relating to: (i) failure to comply with the provisions of this Policy or of any agreement with the Issuing CA; (ii) other actions giving rise to any loss; (iii) events beyond the reasonable control of the CA; and (iv) time limitations for the filing of claims. However, such limitations and exclusions may not, in any event, be less than those provided for in 2.1.1.2.

2.1.1.4. Time between Certificate Request and Issuance

There is no stipulation for the period between the receipt of an application for a Certificate and the issuance of a Certificate, but the Issuing CA will make reasonable efforts to ensure prompt issuance.

2.1.1.5. Certificate Revocation and Renewal

The Issuing CA must ensure that any procedures for the expiration, revocation and renewal of an issued Certificate will conform to the relevant provisions of this Policy and will be expressly stated in a Certificate Agreement and any other applicable document outlining the terms and conditions of certificate use, including ensuring that: (i) Key Changeover Procedures are in accordance with this Policy; (ii) notice of revocation of a Certificate will be posted to an online certificate status database and/or a certificate revocation list (CRL), as applicable, within the time limits stated in this Policy; and (iii) the address of the online certificate status database and/or CRL is defined in the issued certificate.

2.1.1.6. End Entity Agreements

The Issuing CA will enter into agreements with End Entities governing the provision of Certificate and Repository services and delineating the parties’ respective rights and obligations.

The Issuing CA will ensure that any Certificate Agreements incorporate by reference the provisions of this Policy regarding the Issuing CA’s and the Certificate Holder’s rights and obligations. In the alternative, the Issuing CA may ensure that any Certificate Agreements, by their terms, provide the respective rights and obligations of the Issuing CA and the Certificate Holders as set forth in this Policy, including without limitation the parties’ rights and responsibilities concerning the following:
- Procedures, rights and responsibilities governing (i) application for an issued Certificate, (ii) the enrollment process, (iii) Certificate issuance, and (iv) Certificate Acceptance;
- The Certificate Holder’s duties to provide accurate information during the application process;
- The Certificate Holder’s duties with respect to generating and protecting its Keys;
- Procedures, rights and responsibilities with respect to Identification and Authentication (I&A);
- Any restrictions on the use of issued Certificates and the corresponding Keys;
- Procedures, rights and responsibilities governing (a) notification of changes in Certificate information, and (b) revocation of issued Certificates;
- Procedures, rights and responsibilities governing renewal of issued Certificates;
- Any obligation of the Certificate Holder to indemnify any other Participant;
- Provisions regarding fees;
- The rights and responsibilities of any RA that is party to the agreement;
- Any warranties made by the Issuing CA and any limitations on warranties or liability of the Issuing CA and/or an RA;
- Provisions regarding the protection of privacy and confidential information; and
- Provisions regarding Alternative Dispute Resolution.

Nothing in any Certificate Agreement may waive or otherwise lessen the obligations of the Certificate Holder as provided in Section 2.1.4 of this Policy.

The Issuing CA will ensure that any Benefiting Party Agreement incorporates by reference the provisions of this Policy regarding the Issuing CA’s and the Benefiting Party’s rights and obligations. Nothing in a Benefiting Party Agreement may waive or otherwise lessen the obligations of the Benefiting Party as provided in this Policy.

2.1.1.7. Ensuring Compliance

The Issuing CA must ensure that: (i) it only accepts information from entities that understand and are obligated to comply with this Policy; (ii) it complies with the provisions of this Policy in its certification and Repository services, issuance and revocation of Certificates and issuance of CRLs; (iii) it makes reasonable efforts to ensure adherence to this Policy with regard to any Certificates issued under it; and (iv) any identification and authentication procedures are implemented as set forth in Part 3.

2.1.2. Registration Authority (RA) Obligations

The operators of the Cisco Root CA 2048 shall be responsible for performing all identification and authentication functions and all certificate manufacturing and issuing functions. The Cisco Root CA 2048 may NOT delegate performance of these obligations to a registration authority (RA). The CA must remain primarily responsible for the performance of all CA services in a manner consistent with the requirements of this Policy. The ability to delegate or subcontract these obligations is not permitted.

2.1.3. Certificate Status Validation Obligations

The CA shall be responsible for providing a means by which certificate status (valid or revoked) can be determined by a Benefiting Party. However, the CA may [delegate/subcontract] performance of this obligation to an identified validation services provider ("VSP"), provided that the CA remains primarily responsible for performance of those services by such third party in a manner consistent with the requirements of this Policy.

2.1.4. Subscriber Obligations

In all cases, the subscriber is obligated to:
- Generate a key pair using a trustworthy system, and take reasonable precautions to prevent any loss, disclosure, or unauthorized use of the private key
- Warrant that all information and representations made by the subscriber that are included in the certificate are true
- Use the certificate exclusively for authorized and legal purposes, consistent with this Policy
- Instruct the CA to revoke the certificate promptly upon any actual or suspected loss, disclosure, or other compromise of the subscriber’s private key

A Subscriber who is found to have acted in a manner counter to these obligations will have its certificate revoked, and will forfeit all claims it may have against the Issuing CA.

2.1.5. Benefiting Party Obligations

A Benefiting Party has a right to rely on a certificate that references this Policy only if the certificate was used and relied upon for lawful purposes and under circumstances where:
- The Benefiting Party entered into a Benefiting Party Agreement which incorporates by reference the provisions of this Policy regarding the Issuing CA’s and the Benefiting Party’s rights and obligations.
- The reliance was reasonable and in good faith in light of all the circumstances known to the benefiting party at the time of reliance
- The purpose for which the certificate was used was appropriate under this Policy
- The benefiting party checked the status of the certificate prior to reliance

A Benefiting Party found to have acted in a manner counter to these obligations would forfeit all claims he, she or it may have against the Issuing CA.

2.2. Liability

The Issuing CA assumes limited liability only to Benefiting Parties who have entered into a Benefiting Party Agreement. The Issuing CA may be responsible for direct damages suffered by benefiting parties who have executed a Benefiting Party Agreement that are caused by the failure of the Issuing CA to comply with the terms of this Policy (except when waived by contract), and sustained by such benefiting parties as a result of reliance on a certificate in accordance with this Policy, but only to the extent that the damages result from the use of certifi
