
Certification as a "Secure CA Operation" Auditor for BSI TR-03145

Only a secure certification authority can act as a root for a public key infrastructure that is to be used to guarantee the confidentiality and/or the authenticity/integrity of information. The foundation of any public key infrastructure (PKI) is trust. Accordingly, the certification authority (CA) that operates the PKI must not only be trustworthy itself but must also be trusted by third parties. To establish this level of trust, two conditions must be fulfilled:

  • First, a basis for trustworthiness must be established, which means that the CA must implement organisational and technical measures at an appropriate level of security and establish rules applicable to all PKI participants.
  • Second, these security measures must be documented in a transparent manner. This is assured by completing an audit based on clear and documented requirements.

The BSI [TR-03145] aims to provide support to CAs for both of these steps. It sets requirements for the security measures to be implemented, and the Technical Guideline also serves as the basis for an audit and certification process. The requirements set out by [TR-03145] include an audit to ISO/IEC 27001 whose scope must cover all of the CA's processes and departments named in the TR. The audit is completed by a certified "Secure CA Operation" Auditor and carried out on the premises of the CA that is to be audited.