Current Requirement: The VNF MUST, if not using the NCSP’s IDAM API, comply with “No Self-Signed Certificates” policy. Self-signed certificates must be used for encryption only, using specified and approved encryption protocols such as TLS 1.2 or higher or equivalent security protocols such as IPSec, AES.

Proposed Requirement: The VNF MUST support the use of X.509 certificates issued from any Certificate Authority (CA) that is compliant with RFC5280, e.g., a public CA such as DigiCert or Let's Encrypt, or an RFC5280  compliant Operator CA. Note: The VNF provider cannot require the use of self-signed certificates in an Operator's run time environment.

Reason: Requires the VNF to use certificates issued from the Operator's choice of RFC5280 Certificate authority

Current Section: General Requirements

Proposed Section: Cryptography