ETSI EN 319 411-1 Compliance

Start by explicitly scoping which certificate services you provide, which certificate policies you assert, and which operational components are in scope, including RA functions, CA signing systems, status infrastructure, repositories, and outsourced service components.

Your scope statement is the foundation for every assessment and every customer assurance request. If you cannot state which policy identifiers map to which service instances and which systems support them, the rest of the compliance program will drift.

EN 319 411-1 draws a clear boundary: CP communicates what requirements are adhered to, while CPS communicates how you adhere to them. Low-level operational procedures may remain internal, but the public set still has to be accurate, versioned, and easy to discover.

Do not treat repository responsibilities as a publishing afterthought. The public repository is how subscribers, subjects, relying parties, and assessors understand what was in force when a certificate was issued, changed, or revoked.

Identity validation must be consistent with your policy and certificate type. EN 319 411-1 covers naming, initial identity validation, and identification and authentication for re-key and revocation requests.

Treat request authentication as the heart of trust. Fraudulent re-key and fraudulent revocation are catastrophic failure modes. If identity proofing or RA work is delegated, the TSP still owns the policy outcome and the evidence trail.

EN 319 411-1 covers certificate application processing, issuance, acceptance, renewal, re-key, modification, revocation or suspension, and end of subscription. The compliance goal is a reliable state machine with evidence.

If a certificate changes state, you should be able to reconstruct why, who authorized it, what checks were performed, and what was published to relying parties.

Revocation must be timely and based on authorized, validated requests. EN 319 411-1 includes detailed expectations for revocation handling and also addresses short-term certificates where certain revocation requirements may not apply.

Even when certificates are non-revocable in a short-term model, you still need a problem-reporting channel, documented handling, and audit logging of notified problems. The compliance question is not just whether you revoked, but whether you can prove you handled the event correctly under the policy in force.

EN 319 411-1 expects revocation status information to be available 24 by 7 and for multi-method status offerings such as CRL and online status to stay consistent over time, with interpretation documented when delay windows exist.

In practice, assessors will sample availability evidence, update propagation evidence, and failure behavior. Treat status endpoints as customer-facing infrastructure, not a side service hidden behind the CA.

EN 319 411-1 also covers facility, management, and operational controls. That means physical security, personnel controls, procedural controls, key changeover, compromise handling, disaster recovery, and CA or RA termination are part of the compliance story.

If your issuance workflow is strong but privileged access, key custody, or disaster recovery is weak, the certificate service is still weak. Evidence should show how trusted roles are governed and how the service survives compromise or major outage.

EN 319 411-1 includes audit logging procedures and records archival as core controls. Evidence is the difference between thinking you comply and proving you complied.

Retention has to be engineered into storage systems and procedures. The ETSI material anchors retention at at least seven years after any certificate based on the records ceases to be valid, so design archives around that floor where those records apply.