This card is a continuation of CMP-942, covering external certificates. Please see CMP-942 for the full discussion. SC-12 as a whole is an organizational control (see e.g. this issue. However, we should still provide some guidance.

External certs are handled in card CMP-1042.

Internal certs are issued by a self-signed CA. At the very minimum, we should polish our response why is it OK.

We also used to have a card that tracked creating a map of certs and CAs, perhaps we should resurrect it.

Acceptance Criteria

• Include verbiage in controls structe in CaC