Control: The organisation issues public key certificates under an [Assignment: organisation-defined certificate policy] or obtains public key certificates from an approved service provider.
Public Key Infrastructure Certificates Supplemental Guidance:
For all certificates, organisations manage information system trust stores to ensure only approved trust anchors are in the trust stores. This control addresses both certificates with visibility external to organisational information systems and certificates related to the internal operations of systems, for example, application-specific time services.
Related control: SC-12.
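The trust store check described in the supplemental guidance above, as an added example that is not part of the control text: it fingerprints every certificate block in a PEM trust store and compares the result against an approved-anchor list. The function names, the SHA-256 allowlist format and the sample data are assumptions; the sample blocks are constructed placeholder bytes, not real X.509 certificates, which is sufficient because the fingerprint is taken over the raw DER bytes.

```python
import base64
import hashlib
import re

# Matches each certificate block in a PEM bundle (trust store file).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER encoding, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def fingerprints(pem_bundle: str) -> set:
    """Fingerprints of every certificate block found in the bundle."""
    found = set()
    for body in PEM_RE.findall(pem_bundle):
        # Strip line breaks and reject blocks that are not valid base64.
        der = base64.b64decode("".join(body.split()), validate=True)
        found.add(fingerprint(der))
    return found

def audit_trust_store(pem_bundle: str, approved: set) -> dict:
    """Compare the anchors present in a store against the approved list."""
    present = fingerprints(pem_bundle)
    return {
        "unapproved": sorted(present - approved),  # remove from the store
        "missing": sorted(approved - present),     # expected but absent
    }

def to_pem(der: bytes) -> str:
    """Helper used only to build the constructed sample store below."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

# Constructed placeholder "certificates" (not real X.509 data).
ANCHOR_A = b"constructed-approved-anchor-A" * 8
ANCHOR_B = b"constructed-approved-anchor-B" * 8
ROGUE = b"constructed-unapproved-anchor" * 8

# Approved list per the organisation's certificate policy (assumed format).
APPROVED = {fingerprint(ANCHOR_A), fingerprint(ANCHOR_B)}
# Sample store: one approved anchor, one unapproved, one approved missing.
SAMPLE_STORE = to_pem(ANCHOR_A) + to_pem(ROGUE)

if __name__ == "__main__":
    print(audit_trust_store(SAMPLE_STORE, APPROVED))
```

The same comparison applies to certificates used only for internal operations, since the control covers both externally visible and internal certificates.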