
ETSI EN 319 411-1 vs ETSI EN 319 411-2

A focused comparison of Part 1 general certificate-service policy requirements and Part 2 requirements for trust service providers issuing EU qualified certificates.

Use it to separate non-qualified certificate-service evidence from qualified certificate policy, QSCD, QWAC, and EU trusted-list questions.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026
Overview

Use this page when a certificate service, customer questionnaire, conformity assessment file, or CP/CPS review mentions both ETSI EN 319 411-1 and ETSI EN 319 411-2. EN 319 411-1 is the general certificate-service requirements baseline; EN 319 411-2 adds the qualified-certificate layer for EU qualified certificates and qualified website authentication certificate policy profiles.

Side-by-side comparison

ETSI EN 319 411-1 vs ETSI EN 319 411-2: what changes operationally?

Use this comparison to decide when EN 319 411-1 general certificate-service requirements are enough, and when EN 319 411-2 qualified certificate requirements add separate policy, evidence, and assurance work.

First framework
ETSI EN 319 411-1

Part 1 covers general policy and security requirements for TSPs issuing certificates, including CP/CPS, PKI participants, certificate lifecycle operations, repositories, revocation, and records.

Second framework
ETSI EN 319 411-2

Part 2 covers requirements for TSPs issuing EU qualified certificates, with qualified certificate policy profiles, qualified website authentication certificate profiles, QTSP context, and QSCD-related routes where applicable.

Comparison row 1

Scope and covered activity

ETSI EN 319 411-1

EN 319 411-1 is the general certificate-service standard for TSPs issuing certificates. Scope the CA, RA, subscriber and subject roles, certificate usage, repository, revocation service, and CP/CPS commitments before mapping controls.

ETSI EN 319 411-2

EN 319 411-2 is for TSPs issuing EU qualified certificates. Scope the qualified certificate policy profile, qualified website authentication certificate route if used, QTSP or qualified-status evidence, and QSCD-related route where applicable.

Operational implication

Start with the certificate service and policy profile. A Part 1 certificate lifecycle file can support Part 2 only when the qualified certificate scope is explicit.

Comparison row 2

Who must act

ETSI EN 319 411-1

Part 1 ownership usually sits with the certificate service owner, CA operations, RA or registration service provider owner, security operations, repository or status-service owner, and CP/CPS maintainer.

ETSI EN 319 411-2

Part 2 adds the qualified trust service owner, qualified certificate policy owner, trusted-list evidence owner, QSCD or signing-device owner where relevant, and conformity assessment lead.

Comparison row 3

Trigger or threshold

ETSI EN 319 411-1

ETSI EN 319 411-1 is triggered when the TSP issues public key certificates under non-qualified certificate policy profiles, including CP/CPS, CA/RA, subscriber registration, certificate issuance, repository, and revocation-service commitments.

ETSI EN 319 411-2

ETSI EN 319 411-2 is triggered when the service issues EU qualified certificates under eIDAS, including qualified certificate policy profiles, qualified website authentication certificates, QSCD-related paths, and qualified-status evidence.

Operational implication

Rerun the comparison when the certificate policy identifier, qualified status claim, QSCD dependency, web certificate profile, CA or RA boundary, repository, or revocation-status service changes.

Comparison row 4

Core obligations

ETSI EN 319 411-1

Part 1 obligations center on CP/CPS structure, certificate policy identification, PKI participants, publication and repository responsibilities, identity validation, certificate lifecycle operations, revocation and status services, facility controls, technical security controls, audit logging, records archival, and CA or RA termination.

ETSI EN 319 411-2

Part 2 keeps those certificate-service disciplines but applies them to qualified certificate policy profiles and qualified-service context, including QCP profiles, qualified website authentication certificate profiles, trusted-list dependencies, and QSCD-related evidence where the policy route requires it.

Operational implication

Create one crosswalk row per operation and identify whether the requirement is Part 1-only, Part 2-only, or a Part 2 qualified use of a Part 1 control.

Comparison row 5

Evidence and records

ETSI EN 319 411-1

ETSI EN 319 411-1 evidence should name the certificate policy and CPS version, certificate profiles, subscriber identity records, CA and RA responsibilities, issuance logs, repository and CRL/OCSP records, revocation files, and audit-period evidence.

ETSI EN 319 411-2

ETSI EN 319 411-2 evidence should add the qualified certificate policy profile, qualified status or trusted-list evidence, QCP or QWAC profile mapping, QSCD-related evidence where applicable, and Part 2-specific conformity assessment findings.

Operational implication

Keep a traceable evidence matrix: source, claim, owner, artifact, review date, and whether the evidence satisfies ETSI EN 319 411-1, ETSI EN 319 411-2, or both.

Comparison row 6

Timing and cadence

ETSI EN 319 411-1

Part 1 evidence timing is driven by certificate validity, certificate lifecycle events, revocation and status-service operation, audit logging, records archival, key changeover, and CA or RA termination records.

ETSI EN 319 411-2

Part 2 timing adds qualified-service assessment and status considerations, including qualified certificate service changes and any trusted-list or qualified status evidence used for relying-party validation.

Operational implication

Keep retention and review dates tied to certificate validity, CP/CPS version, certificate profile, audit period, and qualified-service status rather than a broad annual checklist.

Comparison row 7

Enforcement or assurance route

ETSI EN 319 411-1

ETSI EN 319 411-1 assurance usually runs through TSP conformity assessment against EN 319 401 plus EN 319 411-1, with audit evidence tied to the non-qualified certificate policy, CPS, CA operations, RA controls, and lifecycle records.

ETSI EN 319 411-2

ETSI EN 319 411-2 assurance connects the certificate audit path to eIDAS qualified trust-service supervision, qualified certificate policy profiles, QTSP status evidence, QSCD-related evidence where applicable, and qualified certificate lifecycle controls.

Operational implication

Escalate when an assessor, supervisory body, browser relying-party program, customer, or procurement reviewer asks for qualified certificate proof rather than ordinary certificate-service evidence.

Comparison row 8

Overlap and reuse

ETSI EN 319 411-1

Part 1 evidence can be reused for common PKI operations, such as lifecycle processing, revocation services, repositories, audit logging, and records archival, when the service boundary and policy profile match.

ETSI EN 319 411-2

Part 2 can reuse common PKI evidence only after adding the qualified certificate policy context and any qualified-status, QWAC, trusted-list, or QSCD evidence needed for the qualified claim.

Operational implication

Reuse the operational artifact, not the conclusion. The same log or CP/CPS section may support both sides, but the qualified-certificate conclusion needs its own source-linked row.

Comparison row 9

Practical decision rule

ETSI EN 319 411-1

Use EN 319 411-1 as the controlling side when the claim is that a TSP certificate service meets the general Part 1 certificate policy and security requirements.

ETSI EN 319 411-2

Use EN 319 411-2 as the controlling side when the claim is that the service issues EU qualified certificates or uses a Part 2 qualified certificate policy profile.

Operational implication

Do not collapse the standards into one checklist. Start with the certificate policy profile, then show exactly which Part 1 controls are reused by the Part 2 qualified certificate claim.

Practical decision rule

How to choose between ETSI EN 319 411-1 and ETSI EN 319 411-2

  • Start with the certificate policy profile and qualified-status claim, not with the standard title alone.
  • Use EN 319 411-1 for general certificate-service CP/CPS, lifecycle, repository, revocation, and CA/RA operational evidence.
  • Use EN 319 411-2 when the service claims EU qualified certificate status, a qualified certificate policy profile, QWAC coverage, or QSCD-backed qualified certificate issuance.
Section 1

When should teams compare ETSI EN 319 411-1 with ETSI EN 319 411-2?

Compare them before a TSP reuses the same CP/CPS, subscriber identity proofing, certificate profile, revocation evidence, or audit file for both ordinary certificate services and EU qualified certificate services.

The practical question is whether the service is operating under EN 319 411-1 general certificate policy requirements, under EN 319 411-2 qualified certificate policy requirements, or under both with different evidence boundaries.

  • Start with the certificate policy identifier and certificate profile: NCP, EVCP, and web certificate routes belong in the Part 1 analysis; QCP and qualified web certificate profiles belong in the Part 2 analysis.
  • Separate common PKI operations, such as CA/RA responsibilities and revocation status services, from qualified-service proof such as QTSP status, QSCD-related paths, and EU trusted-list evidence.
  • Keep crosswalk rows source-linked so audit reviewers can see when Part 2 incorporates or depends on Part 1 requirements.
Section 2

Decision rules for Part 1 and Part 2 certificate services

Use EN 319 411-1 when the service falls within the general Part 1 scope: policy and security requirements for TSPs issuing certificates. Use EN 319 411-2 when the claim is specifically about EU qualified certificates, including the qualified certificate policy profiles named in Part 2.

Do not treat Part 2 as a simple replacement for Part 1. Part 2 references EN 319 411-1 and EN 319 401, while adding qualified certificate policy profiles such as QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, and QNCP-w-gen.

  • If the certificate service is not making an EU qualified certificate claim, keep the comparison anchored in EN 319 411-1 and avoid importing qualified-certificate obligations by label alone.
  • If the service claims qualified status, document the Part 2 policy profile, qualified status evidence, trusted-list dependency, and any QSCD-related route before reusing Part 1 evidence.
  • When Part 2 points back to Part 1 clauses, cite both sides in the audit file and explain which requirement is being satisfied.
Section 3

What to decide before reusing CP/CPS evidence

Decide whether the same CP/CPS text actually covers the service, policy object identifier, certificate usage, participants, and publication responsibilities on both sides. Part 1 and Part 2 both use CP/CPS concepts, but Part 2's qualified certificate policy profiles change what the evidence must prove.

For EN 319 411-1, the review should cover CA and RA responsibilities, subscribers and subjects, naming, initial identity validation, certificate application and issuance, certificate acceptance, revocation, status services, repositories, and records archival. For EN 319 411-2, add the qualified certificate policy profile, qualified status context, qualified website authentication certificate route if relevant, and QSCD-related evidence only where the Part 2 profile calls for it.

  • Name the certificate service, CA, RA or registration service provider, certificate policy, certificate profile, repository, and revocation-status service in scope.
  • Record whether the service is non-qualified, qualified for natural persons, qualified for legal persons, QSCD-backed, or a qualified website authentication certificate profile.
  • Separate Part 1 evidence reused by Part 2 from Part 2-only evidence so the audit file does not hide qualified-service assumptions.
  • Version evidence by standard version, CP/CPS version, certificate profile, assessment period, and certificate service boundary.
Section 4

Evidence that belongs on each side of the comparison

Build the comparison as an evidence map, not as a merged checklist. The same operational record can sometimes support both standards, but the claim it supports should stay tied to the relevant Part 1 or Part 2 clause set.

For Part 1, keep CP and CPS versions, certificate policy identifiers, subscriber agreements, identity validation records, RA delegation evidence, issuance logs, CRL or OCSP records, revocation files, repository publication records, key-management records, audit logs, and records archival evidence. For Part 2, add qualified certificate policy profile evidence, QTSP or qualified-status records, EU trusted-list validation references, qualified website authentication certificate material where used, and QSCD-related evidence only when the profile depends on it.

  • Mark each evidence item as Part 1-only, Part 2-only, or shared with a clause-level explanation.
  • Do not describe a certificate as qualified unless the Part 2 policy profile and qualified-service evidence are present.
  • Do not describe a Part 1 control as sufficient for Part 2 unless the Part 2 source actually incorporates or aligns with that Part 1 requirement.
  • Review the crosswalk after CP/CPS changes, certificate profile changes, RA changes, revocation-service changes, key-management changes, or conformity-assessment scope changes.
Section 5

Comparison checklist for certificate-service teams

Use this checklist when preparing a CP/CPS update, audit evidence pack, qualified certificate service review, or procurement response that mentions both standards.

  • List the certificate service, certificate policy object identifier, CP/CPS version, certificate profile, CA, RA, repository, and status service covered by EN 319 411-1.
  • Identify whether any Part 2 policy profile applies: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen.
  • Create a row for every shared operation, including identity validation, issuance, acceptance, revocation, status services, records archival, and CA or RA termination.
  • Attach the evidence artifact to the row: CP/CPS text, subscriber record, validation record, certificate sample, CRL or OCSP record, trusted-list reference, audit log, or conformity-assessment finding.
  • Flag unsupported reuse where the Part 1 evidence proves ordinary certificate-service operation but does not prove the qualified certificate claim.
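
The checklist above can be run as a mechanical check over the crosswalk. The following is an added example, not part of the original guide or of any ETSI material: it uses only the policy profile names listed on this page, while the row fields, evidence `kind` labels, finding strings, and sample rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Profile names are the ones this page lists; every field name, evidence
# "kind" label and finding string below is an assumption for illustration.
PART1_PROFILES = {"NCP", "EVCP"}
PART2_PROFILES = {"QCP-n", "QCP-l", "QCP-n-qscd", "QCP-l-qscd",
                  "QEVCP-w", "QNCP-w", "QNCP-w-gen"}
QUALIFIED_KINDS = {"qualified-status", "trusted-list"}

@dataclass
class Evidence:
    kind: str         # e.g. "ocsp-record", "issuance-log", "trusted-list", "qscd"
    source: str       # clause or document reference; empty = not source-linked
    owner: str
    review_date: str  # ISO 8601 date
    satisfies: str    # "part1", "part2" or "both"

@dataclass
class Row:
    operation: str
    profile: str
    claim: str        # "part1" (general) or "part2" (qualified)
    evidence: list = field(default_factory=list)

def lint_row(row):
    """Return the findings for one crosswalk row (empty list = clean)."""
    findings = []
    if row.profile not in PART1_PROFILES | PART2_PROFILES:
        findings.append("unknown-profile")
    if row.claim == "part2" and row.profile not in PART2_PROFILES:
        findings.append("qualified-claim-without-part2-profile")
    if any(not e.source.strip() for e in row.evidence):
        findings.append("evidence-not-source-linked")
    if row.claim == "part2":
        # Only artifacts explicitly mapped to Part 2 can carry the qualified claim.
        usable = [e for e in row.evidence if e.satisfies in ("part2", "both")]
        if not usable:
            findings.append("unsupported-reuse")
        if not any(e.kind in QUALIFIED_KINDS for e in usable):
            findings.append("missing-qualified-status-evidence")
        if row.profile.endswith("-qscd") and not any(e.kind == "qscd" for e in usable):
            findings.append("missing-qscd-evidence")
    return findings

def lint_crosswalk(rows):
    """Map operation name -> findings, listing only rows that have findings."""
    return {r.operation: f for r in rows if (f := lint_row(r))}

# Constructed sample rows; owners, dates and references are placeholders.
OCSP = Evidence("ocsp-record", "CPS <version>, revocation section",
                "status-service owner", "2026-03-01", "part1")
LOG = Evidence("issuance-log", "CPS <version>, issuance section",
               "CA operations", "2026-03-01", "both")
TL_LINKED = Evidence("trusted-list", "trusted-list reference <placeholder>",
                     "trusted-list evidence owner", "2026-03-01", "part2")
TL_UNLINKED = Evidence("trusted-list", "", "trusted-list evidence owner",
                       "2026-03-01", "part2")
SAMPLE_ROWS = [
    Row("revocation (general)", "NCP", "part1", [OCSP]),
    Row("revocation (qualified, QSCD)", "QCP-n-qscd", "part2", [OCSP]),
    Row("issuance (qualified, legal person)", "QCP-l", "part2", [LOG, TL_UNLINKED]),
    Row("issuance (web)", "EVCP", "part2", [TL_LINKED]),
]

if __name__ == "__main__":
    for op, findings in lint_crosswalk(SAMPLE_ROWS).items():
        print(op, "->", ", ".join(findings))
```

The second sample row is the reuse case the checklist warns about: the OCSP record is a valid Part 1 artifact, but nothing on the row supports the qualified claim.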
Section 6

Comparison mistakes that create audit gaps

The main failure pattern is treating the standards as two labels for the same audit file. They overlap through TSP policy, security, and certificate lifecycle concepts, but Part 2 is narrower and more specific because it addresses EU qualified certificates.

  • Do not call a service qualified because it satisfies EN 319 411-1 general requirements; Part 2 qualified certificate policy evidence is still needed.
  • Do not hide certificate policy profile differences behind a vague CP/CPS title.
  • Do not reuse identity validation, revocation, repository, or audit-log evidence unless the certificate service boundary and policy profile match.
  • Do not mix CA/Browser Forum web certificate requirements, qualified website authentication certificate requirements, and ordinary certificate policy requirements without a row-level source reference.
Primary sources

References and citations

etsi.org
Referenced sections
  • Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
"General Policy Requirements for Trust Service Providers"