Certification Practice Statement (CPS)
Last updated on August 18, 2025
This Certification Practice Statement (“CPS”) describes the specific practices, controls, and procedures employed by Tabiri Trust Services (“Tabiri Trust”, “we”, “our”, or “us”) in issuing and managing digital certificates. This CPS supports and implements the Certificate Policy (CP) and provides detailed guidance for subscribers, relying parties, and auditors.
1. Introduction
Tabiri Trust operates as a Certificate Authority (CA) serving African organizations. This CPS outlines the technical, operational, and security measures used to ensure the integrity and reliability of our public key infrastructure (PKI) services.
2. Certificate Types
Tabiri Trust issues the following certificates:
- Organizational Validation (OV) Certificates
- Secure Server and API Certificates
- Device and IoT Certificates
- Code Signing Certificates
- Email/Document Signing Certificates
3. Identification and Authentication
We verify certificate applicants through business registry documents, domain control validation, government-issued identification, and industry-accepted methods. All requests are authenticated by duly authorized representatives of the subscriber organization.
4. Certificate Lifecycle Operations
The lifecycle includes:
- Submission of certificate requests with accurate subscriber data
- Validation of organizational identity and domain ownership
- Secure issuance and delivery of certificates
- Periodic renewal requiring revalidation
- Revocation and publication through CRLs and OCSP
5. Private Key Management
Subscribers are responsible for generating and securely storing their private keys. Tabiri Trust may provide Hardware Security Module (HSM) integration for enterprise clients requiring enhanced protection.
6. Security Controls
Tabiri Trust maintains secure facilities, redundant infrastructure, multi-factor authentication for CA operations, and periodic internal and external audits. All signing keys are stored in FIPS 140-2 Level 3 or equivalent HSMs.
7. Subscriber Obligations
Subscribers must:
- Protect their private keys against loss or misuse
- Provide accurate and complete information during enrollment
- Request certificate revocation if compromise is suspected
- Use certificates only for authorized purposes
8. Relying Party Responsibilities
Relying parties must verify certificate validity through OCSP or CRLs prior to acceptance. Reliance on expired, revoked, or invalid certificates is done at their own risk.
9. Revocation
Certificates may be revoked due to key compromise, subscriber request, mis-issuance, or CA key compromise. Revocation data is made available in near real-time through OCSP and regularly updated CRLs.
10. Compliance and Audit
Tabiri Trust undergoes independent audits to verify compliance with industry standards (e.g., WebTrust for CAs, CA/Browser Forum guidelines). Internal security audits are performed quarterly.
11. Liability and Disclaimers
Tabiri Trust’s liability is limited to direct damages caused by proven negligence, up to a maximum specified in subscriber agreements. Indirect, incidental, or consequential damages are excluded.
12. Governing Law
This CPS is governed by the laws of Kenya. Any disputes shall be resolved under the jurisdiction of the High Court of Kenya, Nairobi.
13. Updates
This CPS may be updated periodically. The latest version will always be published on the Tabiri Trust Services website. Continued use of certificates after changes implies acceptance.
Contact Information
For questions regarding this CPS, contact: