Application for Subordinate Certification Authority

Organizations seeking to become an Electronic Certificate Issuance Service Provider, hereinafter referred to as a Subordinate Certification Authority (Subordinate CA), under the Thailand National Root Certification Authority (Thailand NRCA) must demonstrate organizational, technical, and operational readiness in compliance with internationally recognized standards.

In particular, applicants must comply with the WebTrust Principles and Criteria for Certification Authorities, which serve as the global benchmark for assessing the trustworthiness and security of public key infrastructure (PKI) service providers.

Prior to accreditation, applicants are required to successfully undergo an independent conformity assessment conducted by an accredited WebTrust Practitioner, in accordance with the applicable scope and criteria.

Required Application Documentation

1. Pre-Application Self-Assessment
2. Certificate Policy (CP)
3. Certification Practice Statement (CPS)

Eligibility Requirements

1. Must be a legal entity registered in Thailand
2. Must have paid-up registered capital of not less than THB 5 million
3. Must maintain Professional Indemnity Insurance with coverage of not less than THB 10 million
4. Company directors must be fit and proper persons and must not:
   • Have been declared bankrupt within the past two (2) years
   • Have been convicted by a final court judgment of offenses relating to forgery, fraud, or electronic transaction crimes
   • Have any actual or potential conflicts of interest, whether direct or indirect, that could compromise impartiality or integrity in decision-making

Subordinate CA Application Process

1. Submit an expression of interest via email to [email protected]
2. Complete and submit the Self-Assessment
3. Prepare and submit the Certificate Policy (CP) and Certification Practice Statement (CPS) for NRCA review
4. Complete the application and submit all supporting documents through the Electronic Certificate Application System : https://nrca.go.th/register

Preliminary Audit

NRCA will conduct a preliminary audit of the applicant’s operational readiness at the applicant’s premises, in accordance with the WebTrust criteria.

Key Ceremony and Issuance of Subordinate CA Certificate

Upon successful completion of the preliminary assessment, the applicant must conduct a formal Key Generation Ceremony, witnessed by an accredited WebTrust Practitioner. NRCA representatives will attend the ceremony as observers.

The Key Generation Ceremony must be completed within ninety (90) days from the date the preliminary assessment results are acknowledged.

WebTrust Audit and Seal

Following the issuance of the Subordinate CA Certificate, the applicant must undergo a full WebTrust audit and obtain the WebTrust Seal within one hundred eighty (180) days from the date of certificate issuance by NRCA.

Failure to obtain the WebTrust Seal within the specified timeframe will result in revocation of the Subordinate CA Certificate. Reapplication may be submitted after 180 days from the date of revocation.

Accredited WebTrust Practitioners

A list of accredited WebTrust Practitioners is available on the CPA Canada website. [here].

Reference Standards and Documents

1. Certificate Policy
2. Principles and Criteria for Certification Authorities – Version 2.2.2
3. WebTrust Principles and Criteria for Certification Authorities – Network Security – Version 2.0.5
4. WebTrust Principles and Criteria for Certification Authorities – TLS Baseline – Version 2.10
5. WebTrust Principles and Criteria for Certification Authorities – S/MIME – Version 2.10