ETSI EN 319 411-1 Audit File Evidence

Define which certification authority service, certificate policies, certificate profiles, registration authority arrangements, revocation services, repositories, and assessment period the file covers. ETSI EN 319 411-1 separates requirements by functions such as registration, certificate lifecycle operations, revocation, CA key management, audit logging, and records archival, so the file should make those boundaries explicit before evidence is collected.

The scope page should link the CP, CPS, subscriber-facing terms, repository locations, applicable certificate policy identifiers, and any RA delegation or outsourced service evidence that affects the records under review. Keep unsupported assumptions out of the public claim: if an item is included because a customer contract, browser root program, or national scheme requires it, name that separate trigger instead of attributing it to ETSI EN 319 411-1.

Build the file around the records ETSI EN 319 411-1 calls out for audit logging and archival review. The strongest audit file shows both the event record and the control that made the record reliable: the procedure, owner, timestamp source, log protection, access control, archive location, and review history.

For registration evidence, include the records needed to show how applicant information was received and validated, where supporting documents and subscriber agreements are stored, which entity accepted the application, and which TSP or RA submitted it. For operational evidence, include security-event logs, PKI access attempts, CA key lifecycle logs, certificate lifecycle events, revocation requests and resulting actions, and any subject-device preparation evidence that applies to NCP+ services.

ETSI EN 319 411-1 gives a concrete retention rule for the records named in clause 6.4.6: retain them for at least seven years after any certificate based on those records ceases to be valid. The audit file should therefore show both the rule and the mechanism: where the records are archived, how they are protected, who can retrieve them, and how the CA prevents easy deletion or destruction during the required retention period.

ETSI EN 319 401 adds general evidence controls that matter when the audit file is challenged later. Current and archived service-operation records need confidentiality and integrity protection, records should be archived according to disclosed business practices, event times should be recorded precisely for significant environmental, key management, and clock synchronization events, and audit-log time should be synchronized with UTC at least once a day.

Before handing the file to an assessor, test whether a reviewer can move from each CP/CPS commitment to the operational record without asking the CA team to reconstruct context. The file should be readable as evidence of actual operation, not just a list of policies.

Use this checklist for the evidence pack only; it does not supersede the applicable assessment scheme, ETSI TR audit checklist, browser-program criteria, or legal obligations that may apply outside EN 319 411-1.

Most audit-file problems are traceability problems. A CA may have logs, policy documents, and tickets, but still fail to show which record proves which EN 319 411-1 requirement for the assessed service and period. Close those gaps before the formal evidence request starts.

Narrow claims when the grounding or evidence is narrow. For example, a revocation log for one CA hierarchy does not prove revocation operation for another hierarchy, and a registration sample does not prove every RA arrangement unless the audit file explains why the same controlled process applies.