
Technical constraints and policies in CertCentral

Certificate enrollment and management in CertCentral is subject to technical and policy constraints defined by industry standards, CA/Browser Forum requirements, and DigiCert policies. These constraints affect certificate eligibility, domain naming, cryptographic requirements, and compliance obligations.

For specific constraints by area:

Platform and policy constraints

Certificate issuance and management follow technical and policy constraints including industry standards and browser requirements, Certificate Authority (CA) policies, and cryptographic and protocol requirements.

These constraints apply regardless of workflow or certificate type.

Domain and naming constraints

Certificates are issued for domains and names that meet specific technical and policy requirements.

Common constraints include valid domain name formats, restrictions on wildcard usage, and limitations on internal or non-public domain names.

Domain constraints affect certificate eligibility and validation methods.

Cryptographic requirements

Certificates must comply with supported cryptographic standards including approved key algorithms, key sizes, and signature algorithms. Cryptographic requirements vary by certificate type and evolve over time to reflect CA/Browser Forum standards.

Code signing private keys must be stored on hardware certified to FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent. Private key export from certified devices is not permitted. The minimum key size for code signing certificates is 3072-bit RSA or ECC P-256.
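The key size minimum above can be checked before a request is submitted. The following is an added example, not DigiCert code: it reads a DER-encoded SubjectPublicKeyInfo with the Python standard library only and reports whether the key meets the stated minimum. All function names are hypothetical, the sample keys are constructed and non-functional, and treating P-384 and P-521 as meeting the minimum is an assumption; the hardware storage requirement is not something this check can verify.

```python
# Added example, not DigiCert code. Minimum per this page: RSA 3072-bit or ECC P-256.
RSA_OID = bytes.fromhex("2a864886f70d010101")   # rsaEncryption
EC_OID = bytes.fromhex("2a8648ce3d0201")        # id-ecPublicKey
CURVE_BITS = {                                  # named-curve OID -> field size
    bytes.fromhex("2a8648ce3d030107"): 256,     # P-256
    bytes.fromhex("2b81040022"): 384,           # P-384 (assumed acceptable)
    bytes.fromhex("2b81040023"): 521,           # P-521 (assumed acceptable)
}

def tlv(buf, pos=0):
    """Read one DER element; return (tag, value, offset of next element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def meets_code_signing_minimum(spki):
    """Return (ok, description) for a DER-encoded SubjectPublicKeyInfo."""
    _, body, _ = tlv(spki)                      # outer SEQUENCE
    _, alg, after_alg = tlv(body)               # AlgorithmIdentifier
    _, oid, after_oid = tlv(alg)
    if oid == RSA_OID:
        _, bits, _ = tlv(body, after_alg)       # BIT STRING holding RSAPublicKey
        modulus = tlv(tlv(bits[1:])[1])[1]      # skip unused-bits octet, SEQUENCE, INTEGER n
        size = int.from_bytes(modulus, "big").bit_length()
        return size >= 3072, f"RSA {size}-bit"
    if oid == EC_OID:
        size = CURVE_BITS.get(tlv(alg, after_oid)[1], 0)
        return size >= 256, f"ECC P-{size}" if size else "EC key on an unrecognized curve"
    return False, "unsupported key algorithm"

def der(tag, value):
    """Encode one DER element; used only to build the constructed samples."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_spki(kind, bits=0):
    """Constructed, non-functional sample keys: 'rsa' of a given size, or 'p256'."""
    if kind == "rsa":
        modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
        key = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
        return der(0x30, der(0x30, der(0x06, RSA_OID) + der(0x05, b"")) + der(0x03, b"\x00" + key))
    params = der(0x06, EC_OID) + der(0x06, bytes.fromhex("2a8648ce3d030107"))
    return der(0x30, der(0x30, params) + der(0x03, b"\x00\x04" + bytes(64)))
```

For a real key, pass the DER bytes of its public key in SubjectPublicKeyInfo form to `meets_code_signing_minimum`.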

Compliance and regulatory considerations

Certain certificate types are subject to additional compliance or regulatory requirements including industry or regional regulations, government or qualified trust frameworks, and audit or reporting obligations.

Compliance requirements influence certificate selection and validation effort.