Certificate Practice/Certificate Practice Statement (CP/CPS)
1 Introduction
The purpose of the Novo Nordisk Certification Practice/Certification
Practice Statement (CP/CPS) is to outline the principles and practices related
to certifications in Novo Nordisk. This CP/CPS applies to all entities
participating in or using Novo Nordisk certificate services. NNIT A/S
established the Novo Nordisk Root Certification Authority (“Novo Nordisk Root
CA”) and the Novo Nordisk PKI in support of the generation, issuance,
distribution, revocation, administration, and management of public/private
cryptographic keys that are contained in CA-signed X.509 Certificates. The Novo
Nordisk PKI is intended to support internal and external Novo Nordisk
cryptographic requirements, where authentication of an organization or
individual presenting a digitally signed or encrypted object to a Relying Party
is of benefit to participants in the Novo Nordisk PKI. This CP/CPS describes
the practices used to comply within the PKI for Novo Nordisk.
2 GENERAL BUSINESS PRACTICES
2.1 Identification
The practices set forth in this CPS applies
exclusively to the Novo Nordisk PKI Solution. This document assumes the reader
is familiar with the general concepts of digital signatures, certificates, and
public key infrastructure (PKI). If the reader is new to public key
infrastructure concepts, the reader may choose to consult the different
institutions to gather freely available for downloads, such as an overview of
PKI, orientation on key concepts such as digital signatures, asymmetric key
pairs, Certification Authorities, registration authorities, policy and practice
statements, and business issues and considerations. For the purposes of this
CP/CPS, the term Novo Nordisk PKI refers collectively to Novo Nordisk PKI
service and end entities. Novo Nordisk PKI service consist of The Novo Nordisk
Root Certificate Authority 01 G1 ("Novo Nordisk Root CA 01 G1") and
their related management teams that generate, issue, distribute, revoke and
manage cryptographic keys and Certificates. The Novo Nordisk Authentication
Certificate Authority ("Novo Nordisk Issuing CA 01 G1") The Novo Nordisk
Signature Certificate Authority ("Novo Nordisk Issuing CA 02 G1),"
The Novo Nordisk MDM CA 03 G1 (“Novo Nordisk Issuing CA 03 G1”) The
Novo Nordisk AWS solution ("Novo Nordisk Issuing CA 04 G1").
The
Novo Nordisk Root CA administers the signing, issuance, and revocation of Certificates
used to establish and authenticate a Novo Nordisk Subordinate CA. The Root CA,
is also used for signing its Certificate Revocation Lists (“CRL”)
The contact information for this CP/CPS is: NNIT A/S
Østmarken 3A 2860 Søborg Denmark. NNITCAAdministrators@nnit.com
NNIT reserves the right to revoke any certificates,
without notice, if it believes the Subscriber’s private key has been
compromised, or upon request from the Subscriber.
The certificate revocation process for Novo Nordisk
Certificates will commence upon receipt of a valid request from Novo Nordisk
responsible or NNIT Service line responsible for the certificate. Once a
certificate has been revoked, its revocation status cannot be modified. After
revocation, a new certificate can be requested according the initial issuance
process. The Root-CA's revocation process supports the secure and authenticated
revocation of one or more Certificates and provides a means of communication of
such revocation through. Publication of a CRL updated within 8 hours of
authorization of revocation. In addition, revoked Certificates are removed from
the CRL after the Certificate has expired.
Who Can Request Revocation: Any appropriately authorized party, such as a
recognized representative of a subscriber or cross-signed partner, may request
revocation of a certificate. NNIT may revoke a certificate without receiving a
request and without reason. Third parties may request certificate revocation
for problems related to fraud, misuse, or compromise. Certificate revocation
requests must identify the entity requesting revocation and specify the reason
for revocation.
NNIT Processes a revocation request as follows:
1. NNIT logs the identity of entity making the request or problem report and
the reason for requesting revocation. NNIT may also include its own reasons for
revocation in the log.
2. NNIT may request confirmation of the revocation from a known administrator,
where applicable, via out-of-band communication (e.g., telephone, fax, etc.).
3. If the request is authenticated as originating from the Subscriber, NNIT
revokes the certificate.
4. For requests from third parties, NNIT personnel begin investigating the
request after receipt and decide whether revocation is appropriate based on the
following criteria:
a. The nature of the alleged
problem,
b. The number of reports received about a particular certificate or website,
c. The identity of the complainants (for example, complaints from a law
enforcement official that a web site is engaged in illegal activities have more
weight than a complaint from a consumer alleging they never received the goods
they ordered), and
d. Relevant legislation.
5. If NNIT determines that revocation is appropriate,
NNIT personnel revoke the certificate and update the CRL.
The latest version of this CP/CPS can be found at:
pki.novonordisk.com/cps.html
2.6 Compliance Audit
Requirements
The Novo Nordisk CA’s adopt wholly all policies under
this sectioning CP/CPS
2.7 Conditions for
Applicability
This section sets forth practices related to the use
of the Novo Nordisk Root and sub-CA’s.
2.7.1
Permitted uses
The Novo Nordisk Root CA and Sub-CA’s will create
keys, manage keys, issue Certificates, manage key life cycles, manage
certificate life cycles, operate a private repository, and perform other
functions to support distribution for the following types of certificates this
applies to the subordinate certificate authorities:
4.1.1 Certificate Authority ("Novo Nordisk Issuing CA
01 G1") is Authentication.
Usage on Novo Nordisk Signature Certificate Authority ("Novo Nordisk
Issuing CA 02 G1)," is Signature. §9.1
Usage on Novo Nordisk MDM CA 03 G1 (“Novo Nordisk Issuing CA 03 G1”) is MDM.
Usage on Novo Nordisk AWS solution ("Novo Nordisk
Issuing CA 04 G1") is programmatically using an API using modern
authentication.
2.8 Limitations on use
The Novo Nordisk Root Certificate Authority 01 G1
("Novo Nordisk Root CA 01 G1") can only and are only allowed to issue
Sub-CA’s (subordinate Certificate authorities) Novo Nordisk issuing-CAs will
not allow its Certificates to be used to create a Certification Authority or to
allow its private key to sign a Certificate issued by another Certification
Authority. Except for internal-use Certificates, any Certificates issued from
the Novo Nordisk issuing-CAs shall not be used for any purpose that is not
identified in this CPS §2.7.1 as a permitted use.
2.8.1
Issuance controls
Issuance controls are configured and controlled on the
subordinate Certificate Authority’s.
When maintenance is required on the Novo Nordisk Root
Certificate Authority 01 G1 ("Novo Nordisk Root CA 01 G1") it is
required to use tamper-evident containers/packaging for storing PKI artifacts.
A Root CA inventory list is also mandatory to fill out when accessing the Root
PKI artifacts.
The required information includes:
* Date (MM-DD-YYYY)
* Bag no. (Number from the tamper-evident bag)
* Initials (Of the ACS/OCS responsible)
* Verified (That processes and procedures are done accordantly Y/N)
* Signatures (Of the ACS/OCS responsible)
* Description (Bag inventory defined)
Accordance to procedures request can be made for
issuing of a new Subordinate CA. Request is initiated by Novo Nordisk to NNIT
or by NNIT to Novo Nordisk. When request is received from Novo Nordisk or by
NNIT to Novo Nordisk a CA Key ceremony can by initiated. NNIT can facilitate
and prepare for the Key ceremony if needed.
Accordance
to procedures request can be made for Renewal of existing Root CA Certificate.
Request is initiated by Novo Nordisk to NNIT or by NNIT to Novo Nordisk.
Accordance to procedures request can be made for
Renewal of existing Issuing CA Certificate. Request is initiated by Novo
Nordisk to NNIT or by NNIT to Novo Nordisk.
Accordance to procedures CSR (certificate signing
request) can be made. Request is initiated by Novo Nordisk to NNIT or by NNIT
to Novo Nordisk.
According
to procedures request can be made for certificate revocation for each
certificate type and from each certification authority. Request
is initiated by Novo Nordisk to NNIT or by NNIT to Novo Nordisk.
According
to procedures certificate approval requests can be made for each certificate
type. Request is initiated by Novo Nordisk or NNIT.
According
to procedures Smart Card request can be made. Request
is initiated by Novo Nordisk or NNIT.
Manual requested certificates will be approved
according to approval workflow with Certificate manager approval, code signing
certificate etc.
The NNIT Certificate Lifecycle Management Portal is
used in relation to Certificate Lifecycle Management - both externally issued
(Symantec/Verisign, Global Sign, etc.) as well as internally issued. All
certificates which are issued manually and ordered directly through CLM (or
indirectly through Remedy service requests) are added to the CLM Portal for
monitoring. Also, the CLM Portal monitors PKI health (CRLs) and CA / ADCS
configuration – including Certificate Templates. Monitoring CA / ADCS configuration
and Certificate Templates requires running NNIT Certificate Discovery on each
CA regularly to ensure that changes / additions are picked up. NNIT Certificate
Discovery can be done by request Ad-Hoc.
The Portal also provides guidance, tools, monitoring and reports and acts as
the NNIT Registration Authority. CRLs are monitored for health through NNIT
CLM.
According
to procedures key recovery requests can be made. Request
is initiated by Novo Nordisk to NNIT or by NNIT to Novo Nordisk.
9.1
Digital Signature
Data in an
electronic form used to authenticate other electronic data that the digital
signature is attached or logically associated with. The Digital Signature certificate
is strictly personal and sharing of the private key is not permitted.
Subscribers are only allowed to use the digital signature certificates for the
intended purpose of signing document
Certificate Practice/Certificate Practice Statement (CP/CPS)