
ETSI EN 319 411-1 FAQ

Fast answers for CA/TSP teams implementing certificate issuance and lifecycle controls.

Grounded in ETSI EN 319 411-1 V1.5.1 and the current ETSI publication record for the 2025 edition.

Author
Sorena AI
Published
Mar 4, 2026
Updated
Mar 4, 2026
Overview

This FAQ is written for engineering, security, compliance, and audit teams running a certificate issuing service. It focuses on operational clarity: what to build, what to publish, what evidence to keep, and which parts of the current ETSI edition actually change day-to-day operations.

Question 1

What is the current edition of ETSI EN 319 411-1 and why should we care?

The current official ETSI edition is V1.5.1 with cover date 2025-04. ETSI shows publication on 7 April 2025 and adoption on 24 March 2025 for this work item.

You should care because internal control matrices, audit templates, and customer assurance packs often lag. If your documents still reference an older revision, your CP, CPS, and assessment evidence can drift out of sync with the edition assessors expect you to know.

  • Update document references, control mappings, and evidence templates to the current V1.5.1 edition
  • Check whether older internal guidance still points to withdrawn or superseded wording
Question 2

What is the difference between a Certificate Policy and a Certification Practice Statement?

ETSI EN 319 411-1 treats the Certificate Policy as what is to be adhered to and the Certification Practice Statement as how it is adhered to. The CP sets the quality and applicability rules. The CPS explains the operating controls the TSP uses to meet them.

A practical implementation uses the CP to define policy commitments, including policy identifiers, and uses the CPS to define operational controls, with sensitive internal procedures kept confidential where appropriate.

  • CP equals commitments and applicability; CPS equals operational reality and control implementation
  • The public CPS should help relying parties understand the service without exposing sensitive low-level procedures
Question 3

Can the CPS stay high level while internal procedures remain confidential?

Yes. ETSI EN 319 411-1 allows low-level operational procedures to remain internal while the published CPS is limited to information useful for external parties and is complemented by confidential internal elements.

The mistake is going too far in either direction. If the public CPS is too thin, relying parties and assessors cannot understand what is in force. If it exposes sensitive operational detail, you create unnecessary security and confidentiality risk.

  • Publish enough detail for scope, policy mapping, reliance conditions, status-service interpretation, and change history
  • Keep runbooks, privileged operational procedures, and sensitive recovery detail under controlled internal governance
Question 4

Do we need to publish a PKI disclosure statement?

ETSI EN 319 411-1 requires terms and conditions and describes the PKI disclosure statement as the part that relates to PKI operation. The standard allows flexibility in form: it can be a standalone document or split across subscriber agreements and relying-party information.

The operational goal is relying-party clarity: how the PKI operates, what is guaranteed, what limitations apply, and where status information can be obtained.

  • Ensure required disclosure elements exist, are easy to find, and are versioned
  • Tie disclosures to actual operational controls, repository URLs, and status-service behavior
Question 5

Which certificate policies does ETSI EN 319 411-1 define?

ETSI EN 319 411-1 defines multiple reference certificate policies, including normalized and lightweight policies and TLS-focused policies aligned to CA Browser Forum expectations such as DVCP, OVCP, IVCP, and EVCP.

Choosing a policy is a risk and assurance decision. Higher-assurance policies require stronger identity validation, stronger control evidence, and tighter change management because the policy identifier becomes a reliance signal in the certificate itself.

  • Map your relying-party risk and use cases to the right policy family before drafting certificate profiles
  • Treat policy selection as a control decision with documented rationale and ownership
Question 6

If we assert a policy OID in TLS certificates, what are we committing to?

Policy identifiers in certificates are reliance signals. ETSI EN 319 411-1 notes that for TLS-focused policies, compliance requires following the full and latest relevant CA Browser Forum material, and in case of conflict those CA Browser Forum requirements take precedence in that context.

Operationally, this means you need a compliance process that tracks external requirement updates, not a one-time CP and CPS drafting exercise.

  • Treat policy OID assertions as contract-like commitments
  • Maintain a change-tracking and remediation workflow for CA Browser Forum updates where applicable
Question 7

What does identity validation cover beyond initial issuance?

ETSI EN 319 411-1 covers naming and initial identity validation and also identification and authentication for re-key requests and revocation requests.

This matters because attackers often target re-key and revocation pathways. If you outsource part of identity proofing or RA operations, the issuing TSP still owns the policy outcome and still has to be able to reconstruct the evidence.

  • Protect re-key and revocation requests with strong authentication and authorization checks
  • Keep evidence of validation steps, supplier involvement, and who approved the action
Question 8

What is required for revocation and short-term certificates?

EN 319 411-1 requires timely revocation based on authorized and validated revocation requests and defines expectations for revocation and suspension operations.

Short-term certificates can change how revocation requirements apply. Even in non-revocable short-term cases, EN 319 411-1 still expects problem-notification handling and audit logging of notified problems, so non-revocable does not mean no operational duty.

  • Define revocation intake channels and authorization rules, then prove execution with logs
  • For short-term or non-revocable certificates, document the model and keep problem-report evidence
Question 9

Do we need status services 24 by 7?

ETSI EN 319 411-1 expects revocation status information to be available 24 hours per day, 7 days per week, and it expects consistency across methods if you offer multiple methods such as CRL and online status, with delays and interpretation documented in the CPS when relevant.

Treat status services as critical infrastructure: availability, latency, freshness, correctness, and global reach are all audit and relying-party concerns.

  • Define availability objectives and outage bounds in the CPS and monitor them continuously
  • Ensure revocation updates propagate consistently across CRL and online-status services
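A consistency probe for the CRL and online-status expectation above, as an added example that is not part of the original FAQ or of the ETSI text. It works on already-parsed CRL and OCSP data (the sample values are constructed), and the one-hour delay is an assumed stand-in for the bound your CPS documents.

```python
from datetime import datetime, timedelta, timezone

CPS_MAX_DELAY = timedelta(hours=1)  # assumed bound; use the delay your CPS documents

def check_status_consistency(crl, ocsp, now, max_delay=CPS_MAX_DELAY):
    """Compare one parsed CRL with OCSP answers from the same issuing CA.

    crl:  {"this_update", "next_update", "revoked": {serial: revocation_time}}
    ocsp: {serial: {"status", "produced_at", "revocation_time"}}
    Returns sorted (serial, finding) tuples; serial "*" means the CRL itself.
    Drop expired serials first if your CA removes them from CRLs.
    """
    findings = []
    if now > crl["next_update"]:
        findings.append(("*", "crl-stale"))
    for serial, resp in ocsp.items():
        crl_time = crl["revoked"].get(serial)
        if resp["status"] == "good" and crl_time is not None:
            # OCSP may still say "good" only inside the documented delay.
            if resp["produced_at"] > crl_time + max_delay:
                findings.append((serial, "ocsp-good-but-crl-revoked"))
        elif resp["status"] == "revoked" and crl_time is None:
            # A CRL issued after revocation + delay must list the serial.
            if crl["this_update"] > resp["revocation_time"] + max_delay:
                findings.append((serial, "crl-missing-revocation"))
        elif resp["status"] == "revoked" and crl_time != resp["revocation_time"]:
            findings.append((serial, "revocation-time-mismatch"))
    return sorted(findings)

def ts(hour, minute=0):
    """Constructed UTC timestamp on one sample day."""
    return datetime(2026, 3, 4, hour, minute, tzinfo=timezone.utc)

# Constructed sample data, standing in for parsed CRL and OCSP responses.
SAMPLE_CRL = {"this_update": ts(12), "next_update": ts(18),
              "revoked": {"0A01": ts(9), "0A02": ts(11, 30), "0A06": ts(8)}}
SAMPLE_OCSP = {
    "0A01": {"status": "good", "produced_at": ts(13), "revocation_time": None},
    "0A02": {"status": "good", "produced_at": ts(12), "revocation_time": None},
    "0A03": {"status": "revoked", "produced_at": ts(13), "revocation_time": ts(10)},
    "0A04": {"status": "revoked", "produced_at": ts(13), "revocation_time": ts(11, 45)},
    "0A05": {"status": "good", "produced_at": ts(13), "revocation_time": None},
    "0A06": {"status": "revoked", "produced_at": ts(13), "revocation_time": ts(8, 20)},
}

if __name__ == "__main__":
    for finding in check_status_consistency(SAMPLE_CRL, SAMPLE_OCSP, now=ts(14)):
        print(finding)
```

Serials 0A02 and 0A04 disagree between the two methods but fall inside the documented delay, so they are not reported; the findings list is the evidence to attach to the status-service monitoring record.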
Question 10

What evidence should we retain and for how long?

EN 319 411-1 includes audit logging and records archival controls. Evidence must remain usable long after issuance and revocation events because certificate disputes and investigations can happen years later.

The ETSI material anchors retention at a minimum of seven years after any certificate based on the records ceases to be valid. Use a retention schedule per record category and ensure storage and access controls actually enforce it.

  • Keep an evidence index: CP and CPS versions, identity-validation evidence, lifecycle logs, revocation logs, and status-service evidence
  • Design archives for integrity, confidentiality, and retrievability under legal and audit needs

Primary sources

References and citations

etsi.org
Referenced sections
  • Useful context for how assessors test the controls and evidence behind EN 319 411-1 implementations.