Operating model and RACI for issuance
Trust Architecture Playbook: Issuance pillar
CA infrastructure is rarely owned by a single team. Root provisioning, issuing CA configuration, connector setup, and template governance are PKI team responsibilities. Certificate consumption and enrollment belong to platform and application teams. Policy constraints and hierarchy approvals sit with security architecture. When these boundaries are unclear, CAs get provisioned without security review, certificates proliferate without owners, and connectors get added without governance controls. The operating model below assigns those boundaries explicitly.
Operating model
The PKI or identity platform team owns the CA infrastructure and Trust Lifecycle Manager issuance configuration. This team is responsible for:
Owning and maintaining PKI policy documentation (CP/CPS, key management policy, revocation policy).
Designing and maintaining the CA hierarchy (roots and intermediates).
Provisioning and operating DigiCert Private CA (DigiCert-hosted or self-hosted).
Configuring and maintaining CA connectors (CertCentral, third-party CAs).
Managing HSMs, key ceremonies, and key management procedures.
Maintaining revocation infrastructure (CRL, OCSP).
Managing CA certificate validity and recertification schedules for issuing CAs.
Distributing trust anchors to managed endpoints.
Platform and application teams consume the issuance capabilities the PKI team provides. Their responsibilities include:
Configuring and maintaining enrollment integrations for their platform or application.
Requesting certificates through the approved enrollment methods.
Reporting new certificate use cases or requirements to the PKI team.
Security architecture and governance stakeholders define the policy constraints within which the PKI team operates. Their responsibilities include:
Approving CA hierarchy designs and cryptographic standards.
Defining certificate validity, key size, and algorithm requirements.
Establishing naming and domain authorization policies.
Reviewing and approving new CA connectors and third-party CA relationships.
Responsible, Accountable, Consulted, Informed (RACI)
Activity | PKI team | Platform / app teams | Security architecture |
|---|---|---|---|
CA hierarchy design and approval | R | I | A |
Root CA provisioning and key ceremony | R/A | I | C |
Issuing CA creation and configuration | R/A | C | C |
CA connector setup (CertCentral, third-party) | R/A | I | C |
Trust anchor distribution | R/A | C | C |
Revocation infrastructure maintenance | R/A | I | C |