An improved certificate issuing system may comprise a certificate
translation engine for translating incoming certificates and certificate
requests from a first format into a second format. A certificate issuing
engine may then operate on incoming requests in the common format. The
issuing engine can issue certificates to clients according to its
certificate issuing policy. The policy may be expressed as data in a
policy expression language that can be consumed at runtime, which
provides for flexible and efficient changing of issuing policy. Issued
certificates can be translated back into a format that is consumed by the
requesting client. Such translation can be performed by the translation
engine prior to delivery of certificates to requesting clients.