From 2139057132f3ad67de4f243354b7f7e4506cd7b9 Mon Sep 17 00:00:00 2001
From: Aaron Gable <aaron@letsencrypt.org>
Date: Wed, 15 Jan 2025 11:38:16 -0800
Subject: [PATCH] Document issuance from Root CAs (#264)

Fixes https://github.com/letsencrypt/cp-cps/issues/247
---
 CP-CPS.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CP-CPS.md b/CP-CPS.md
index bdbce8c..6cc91e8 100644
--- a/CP-CPS.md
+++ b/CP-CPS.md
@@ -313,6 +313,8 @@ No stipulation.
 
 At a high level, the following steps are taken during issuance of a Subscriber Certificate. ISRG's automated processes confirm that all requested names have been properly validated to be controlled by the Subscriber requesting the certificate. The to-be-signed certificate is linted, then signed by a Subordinate CA in an HSM. After issuance is complete, the certificate is stored in a database and made available to the Subscriber.
 
+All issuance from ISRG Root CAs requires direct action from a person acting in an appropriate Trusted Role as described in Section 5.2.1.
+
 ### 4.3.2 Notification to subscriber by the CA of issuance of certificate
 
 Subscriber Certificates are made available to Subscribers via the ACME protocol as soon after issuance as reasonably possible. Typically this happens within a few seconds.