Certificates10 min readUpdated April 2026

What Is a Password Compliance Certificate? The Complete Guide

Screenshots and manual docs can't prove password compliance. Compliance certificates can. Here is what they are, how they work, and why auditors are asking for them.

The audit evidence problem

Every SOC 2 audit, HIPAA assessment, PCI-DSS review, and ISO 27001 certification includes a question that stumps most security teams:

"How do you prove that your passwords were generated according to policy — not just that a policy exists?"

The honest answer, for most organisations, is: they can't. They have a written password policy. They may have Active Directory screenshots showing policy enforcement. But they have no cryptographic, tamper-evident, machine-readable record that any specific credential was generated to a specific compliance standard.

The workarounds are inadequate:

  • Screenshots — not tamper-evident, point-in-time, manually alterable
  • Self-attestation — requires the auditor to trust the auditee
  • Policy documents — prove intent, not execution
  • Access logs — prove access patterns, not credential quality

A password compliance certificate solves this. It is a signed, machine-readable, independently verifiable record that a specific credential was generated to a specific compliance standard at a specific point in time.

What a compliance certificate is

A password compliance certificate is a cryptographically signed document — specifically a JSON Web Token (JWT) signed using the ES256 algorithm (ECDSA with P-256 curve) — that records the compliance-relevant properties of a credential at the moment of generation.

It proves three things:

  1. The credential was machine-generated — not human-chosen, not manually typed, not taken from a previous generation
  2. The generation used a validated entropy source — specifically crypto.getRandomValues(), which is FIPS 140-3 aligned
  3. The generation parameters met the stated compliance standard — minimum length, character classes, entropy threshold, and other standard-specific requirements were all satisfied

Critically: the certificate never contains the password itself. PassGeni's zero-knowledge architecture means the password is generated client-side in the user's browser and is never transmitted to any server. The certificate captures compliance properties without the sensitive secret.

A compliance certificate proves the generation process, not the credential output. This distinction is architecturally significant: it is how PassGeni can issue certificates without ever seeing your passwords.

What the certificate contains

Every PassGeni compliance certificate is a JWT with a signed payload containing:

compliance_standardThe primary standard (e.g. HIPAA, PCI-DSS-v4, FIPS-140-3)
standards_metAll standards the credential satisfies (array — a 20-char FIPS cert also carries HIPAA, PCI-DSS, SOC2, ISO-27001, NIST)
entropy_bitsCalculated entropy of the generated credential (bits)
char_pool_sizeSize of the character pool used in generation
generation_paramsLength, has_upper, has_lower, has_numbers, has_special
entropy_sourcecrypto.getRandomValues (FIPS 140-3 aligned)
iatIssue timestamp (Unix seconds)
expExpiry timestamp — default 1 year from issuance
issIssuer: passgeni.ai
subUser ID of the certificate holder
cert_versionCertificate specification version (2.0)

The entire payload is signed with PassGeni's ES256 private key. The corresponding public key is published at passgeni.ai/.well-known/jwks.json per RFC 7517, enabling offline verification by any auditor.

How PassGeni certificates work

The certificate generation flow is designed to eliminate trust gaps:

  1. Password generated client-side — your browser calls crypto.getRandomValues(). The password never leaves your browser.
  2. Parameters sent to server — only generation parameters (length, character classes, compliance standard, entropy target) are sent. Not the password.
  3. Server validates parameters — PassGeni re-validates that the stated parameters actually meet the compliance standard. The server never trusts the client's compliance claims.
  4. Server issues generation session token — a short-lived signed token (generation_session_id, expires in 60 seconds) proves the parameters were server-validated.
  5. Certificate issued against session token — the certificate endpoint only accepts a valid generation_session_id. This architectural constraint prevents certifying externally-created passwords.
  6. JWT signed and stored — PassGeni signs the certificate with its ES256 private key and stores the JWT in the certificates database. The password is never stored.
  7. Certificate URL returned — you receive a public URL at passgeni.ai/cert/[id]. Share this with auditors.
Why the generation session token matters: The token is the architectural boundary that makes certificates trustworthy. Without it, anyone could claim "I generated this password with FIPS parameters" without proof. The session token proves PassGeni validated the parameters before the certificate was issued.

Zero-knowledge vs certified mode

PassGeni operates in two distinct modes, serving different use cases:

  • Zero-knowledge mode (default) — Password generated entirely in your browser using crypto.getRandomValues(). No data leaves your browser. No server call. No record created. Zero possibility of server-side breach of your credentials. Use this for generating passwords you will store in a password manager without needing compliance evidence.
  • Certified mode — User requests a compliance certificate. The client sends only generation parameters (never the password) to the server. Server validates parameters, signs certificate, stores JWT. Compliance certificate URL is returned. Use this when you need audit evidence that a specific credential meets a specific standard.

In both modes, passwords are never transmitted to or stored by PassGeni. The architectural difference is that certified mode creates a server-side record of generation parameters — not the credential itself. This distinction is mathematically enforced, not policy-based.

How auditors verify certificates

Certificate verification requires no login, no PassGeni account, and no trust in PassGeni's infrastructure. Any party with basic security tooling can verify in under 60 seconds:

  1. Navigate to the certificate URLpassgeni.ai/cert/[id]. The certificate page shows compliance claims in human-readable form.
  2. Verify the ES256 signature offline — fetch the JWT from the certificate page, use any JOSE library (jose, python-jose, golang-jwt), and verify against the public key at passgeni.ai/.well-known/jwks.json.
  3. Confirm the claims — check iss is passgeni.ai, exp is in the future, compliance_standard matches the required framework, and standards_met includes all required standards.
  4. Check revocation status — the certificate page at passgeni.ai/cert/[id] shows current validity including revocation. For audit-critical verification, online check is recommended over JWT-only verification.

Verification confirms: the certificate is authentic (PassGeni signed it), the content is unaltered (signature is valid), and the claims are current (not expired, not revoked). This takes approximately 60 seconds and requires no special access to PassGeni systems.

Who needs compliance certificates

Compliance certificates are most valuable for:

  • Security engineers preparing audit evidence — SOC 2, HIPAA, PCI-DSS, ISO 27001 auditors ask for password control evidence. Certificates provide machine-readable proof that replaces manual documentation.
  • DevOps and SRE teams managing service accounts — service account credentials are the highest-risk credentials in any infrastructure. A certificate provides provenance documentation that can be stored alongside the credential in a secrets manager.
  • Enterprise CISOs building compliance programs — a certificate dashboard showing compliance coverage across all organisational credentials replaces spreadsheet-based tracking.
  • Healthcare IT teams under HIPAA — HIPAA §164.312 requires evidence of appropriate access controls. Compliance certificates document that credentials were generated to HIPAA-standard parameters.
  • Government contractors under FIPS 140-3 / CMMC — documented entropy source and provenance are explicit requirements. PassGeni certificates satisfy both.
  • SaaS companies pursuing SOC 2 Type II — Type II audits require evidence that controls operated consistently over time. A library of compliance certificates for all sensitive credentials demonstrates consistent enforcement.

Standards covered

PassGeni currently issues compliance certificates for six frameworks:

NIST SP 800-63B8 chars · Length-primary · Breach checking
HIPAA §164.312(d)12 chars · Upper + lower + digit + special
PCI-DSS v4.0 Req 8.312 chars · 3 of 4 char classes · Min 40 bits entropy
SOC 2 CC6.116 chars · Full complexity · Rotation policy evidence
ISO/IEC 27001:2022 A.914 chars · All 4 char classes · Audit trail mandatory
FIPS PUB 140-320 chars · All 4 char classes · FIPS-validated entropy source · Documented provenance

Each certificate includes a standards_met array listing every standard the credential satisfies — not just the primary standard requested. A FIPS 140-3 certificate for a 20-character credential with full character set will typically carry all six standards in the array, meaning one certificate can serve as evidence for multiple concurrent audit requirements.

Revocation and expiry

Compliance certificates have a defined lifecycle:

  • Default expiry: 1 year — the exp claim in the JWT is set to 365 days from issuance. This aligns with typical credential rotation cycles. An expired certificate shows expired status on the certificate page.
  • Revocation — certificates can be revoked manually (e.g. when a credential is rotated or a team member departs). Revoked certificates show revoked status at their URL. The ES256 signature remains mathematically valid after revocation — the public key verification confirms authenticity only; the certificate URL confirms current validity.
  • Renewal — when a credential is rotated, generate a new PassGeni certificate for the new credential. The old certificate provides the historical audit trail; the new certificate covers the current credential.

For audit-critical workflows, always verify via the certificate URL (passgeni.ai/cert/[id]) rather than JWT-only offline verification. The URL provides current revocation status; offline verification confirms authenticity only.

Issue your first compliance certificate. Generate a password with PassGeni using any compliance preset, sign in, and click 'Certify this password'. Your certificate URL — publicly verifiable, cryptographically signed, auditor-ready — is ready in seconds. Foundation plan includes 3 certificates/month free.

Frequently asked questions

What is a password compliance certificate?

A password compliance certificate is a cryptographically signed document — specifically an ES256-signed JWT — that records and proves a password was generated to meet a specific compliance standard (HIPAA, SOC 2, PCI-DSS, ISO 27001, NIST 800-63B, or FIPS 140-3). It contains the compliance standard, entropy, generation parameters, and entropy source, signed with a private key that guarantees the record cannot be forged or altered.

Why do compliance auditors need password compliance certificates?

Auditors need to verify that passwords protecting sensitive systems actually meet policy — not just that a policy exists on paper. Without certificates, teams resort to screenshots, manual documentation, and self-attestation. These are neither tamper-evident nor machine-readable. A compliance certificate is independently verifiable by the auditor without trusting the organisation's word.

What information does a compliance certificate contain?

A PassGeni compliance certificate JWT payload contains: compliance_standard (e.g. HIPAA, PCI-DSS-v4), entropy_bits (measured entropy of the credential), char_pool_size (character pool used), generation_params (length, character types), entropy_source (crypto.getRandomValues — FIPS 140-3 aligned), standards_met (all standards the credential satisfies), iat/exp (issue date and 1-year expiry), and issuer (passgeni.ai).

How is a compliance certificate verified?

Any party with PassGeni's public key can verify a compliance certificate offline using any JOSE/JWT library. The public key is published at passgeni.ai/.well-known/jwks.json per RFC 7517. Verification confirms the certificate is authentic (signed by PassGeni), unaltered, and not expired — without making any network call to PassGeni's servers.

Can a compliance certificate be forged?

No. The ES256 digital signature makes forgery computationally infeasible. The private signing key never leaves PassGeni's servers. Any attempt to alter the certificate payload — changing the compliance standard, inflating entropy, or modifying generation parameters — invalidates the signature immediately. Auditors can detect any tampering during the 30-second verification process.

Does a compliance certificate mean the password itself was checked?

No — and this distinction matters. A PassGeni certificate proves that a password was GENERATED using parameters that meet the compliance standard. PassGeni never sees the password itself (zero-knowledge architecture). The certificate certifies the generation process, not the specific credential output. This is sufficient for compliance purposes because generation-level compliance guarantees outcome-level compliance.

How long does a compliance certificate last?

PassGeni compliance certificates expire 1 year after issuance, matching typical credential rotation cycles. The exp claim in the JWT payload records the exact expiry timestamp. Expired certificates show a revoked/expired status on the public certificate page. For credentials that rotate annually, simply generate a new certificate at rotation time.

Who should be using password compliance certificates?

Security engineers proving password policy compliance to SOC 2, HIPAA, or PCI-DSS auditors; DevOps and SRE teams documenting service account credential provenance; enterprise CISOs building audit evidence packages; compliance officers at healthcare, fintech, and SaaS companies; and any team that currently relies on manual documentation or screenshots to prove password compliance.

Can certificates be revoked?

Yes. Certificate revocation is supported — the certificate is marked revoked in PassGeni's database and the public certificate page at /cert/[id] shows the revoked status. Note: the JWT signature remains mathematically valid after revocation (the cryptographic proof is immutable). Online verification via the certificate URL is required to confirm current validity. For audit-critical workflows, always verify via the certificate URL, not the raw JWT.

How do compliance certificates fit into a SOC 2 audit package?

In a SOC 2 Type II audit for CC6.1 (logical access controls), compliance certificates serve as technical control evidence alongside your written password policy. Include the cert URLs for your most sensitive credentials (admin accounts, service accounts, customer data systems) in your evidence package. The auditor can independently verify each certificate in minutes, replacing hours of manual documentation review.

Related guides