Department of State PKI Statement

The Department of State operates an unclassified PKI to support its mission.
The latest version of the Certificate Policy governing this PKI and a redacted copy of the Audit
Opinion Letter for the most recent compliance audit of this PKI are provided below:

DOS PKI X.509 CP v2.1.1 (20231102) Signed
DOS PKI FY2020-FY2022 Audit Letter (20230530)

Suspected private key compromise, certificate misuse, or other types of fraud, compromise,
misuse, inappropriate conduct, or any other matter related to the certificates issued by this PKI
should be reported to the Department of State PKI Operational Authority by emailing the report
to PKIProgramOffice@state.gov and ITServiceCenter@state.gov,
with the Subject: “External Report of Concerns Regarding Department of State PKI Certificates”.

CAs operating under this policy shall make public a description of how to obtain revocation information for the
certificates they publish, and an explanation of the consequences of using dated revocation information. This
information shall be given to subscribers during certificate request or issuance, and shall be readily available
to any potential relying party.

The CA shall provide Subscribers, Relying Parties, Application Software Suppliers, and other third parties with clear
instructions for reporting suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise,
misuse, inappropriate conduct, or any other matter related to Certificates. The CA shall publicly disclose the
instructions through a readily accessible online means.

Other CAs operating under this policy shall make available an annual PKI Compliance Audit Letter in their
organization’s public repository.

Other CAs operating under this policy shall make available a redacted CPS and annual PKI Compliance Audit Letter
in their organization’s public repository.