CCADB Self Assessment Instructions
Step 1: Make a copy of this Workbook.
Step 2: Complete the "Cover Sheet" tab
- Provide all requested data.
- A single Self-Assessment may cover multiple CAs operating under both the same CP and CPS(s), or combined CP/CPS.
- CAs not operated under the same CP and CPS(s) or combined CP/CPS must be covered in a separate Self-Assessment.
- Each Self-Assessment submission must enumerate all CAs listed in the CA owner's CCADB CA hierarchy. If you are submitting multiple Self-Assessments, designate which CAs included in your CCADB CA hierarchy are out of scope for this particular submission, and provide a link to the Self-Assessment where these CAs are in scope. If a CA will not be included within the scope of a Self-Assessment, provide justification (i.e., certificate expired or was revoked prior to the beginning of the most recent audit period).
- Add additional rows, as needed.
Step 3: Complete the "CCADB Policy v. X.X Self Assessment" tab.
- Review each row included in the sheet, representing the requirements defined in the CCADB Policy.
- For each requirement, submit an attestation that the CAs included within the scope of this Self-Assessment currently comply with and commit to ongoing compliance for as long as they are trusted by the applicable root stores by selecting the designated checkbox.
Step 4: Complete the "TLS BR v. X.X.X Self Assessment (excludes EVGs)" tab.
- Review each row included in the sheet, representing the requirements defined in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates.
- For each requirement:

A) Include the section where the relevant requirement statement(s) are included in the corresponding CP or combined CP/CPS that adheres to the Baseline Requirements.
  - If the corresponding requirement is not applicable, include a comment designating such and provide a justification.

B) Include the section where the relevant practice statement(s) are included in the corresponding CPS or combined CP/CPS that satisfies the requirement defined in the CP (or Baseline Requirements, if a combined CP/CPS is in use).
  - If the corresponding requirement is not applicable, include a comment designating such and provide a justification (for example, "N/A: We do not support this domain validation method.").
Step 5: Complete the "NCSSRs v. X.X" tab.
- Review each row included in the sheet, representing the requirements defined in the CA/Browser Forum Network Security Requirements (NCSSRs).
- For each requirement, submit an attestation that the CAs included within the scope of this assessment currently comply with and commit to ongoing compliance for as long as they are trusted by the applicable root stores by selecting the designated checkbox.
Step 6: Complete the relevant Root Program-specific tabs, as described below.

- Google Chrome:
  - New applicants must provide a completed Self-Assessment during the application process.
  - CA owners with certificates included in the Chrome Root Store must submit a completed Self-Assessment annually. See the Chrome Root Program policy for more detail.

- Mozilla Firefox:
  - New applicants must provide a completed Self-Assessment during the application process. See https://wiki.mozilla.org/CA/Compliance_Self-Assessment for more detail.
Step 7: Complete the "TLS EV VX.X.X Self Assessment" sheet (required only for EV issuers).
- Review each row included in the sheet, representing the requirements defined in the CA/Browser Forum EV Guidelines (EVGs).
- For each requirement, submit an attestation that the CAs included within the scope of this assessment currently comply with and commit to ongoing compliance for as long as they are trusted by the applicable root stores by selecting the designated checkbox.
Reminders:
- Bookmark this page! Whenever you are preparing to complete a Self-Assessment using this template, make sure you are using the latest version.
- Contact support@ccadb.org with any general questions or concerns.
- For questions specific to a particular Root Program (i.e., Chrome or Mozilla), please contact them directly (i.e., chrome-root-program@google.com or certificates@mozilla.org).
General Recommendations:
- The absence of requirements defined in the Baseline Requirements is not a satisfactory reason for not describing your organization's policies or practices for a particular topic area. Where the Baseline Requirements define no requirements, we recommend CAs provide descriptions as detailed in RFC 3647 or NISTIR 7924.