
How should certificate authorities handle certification audit evidence under ETSI EN 319 411-1?

A focused answer for CAs and TSP teams preparing evidence for an ETSI EN 319 411-1 assessment.

Use it to structure assessor-ready evidence without exposing confidential operating procedures in public-facing material.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026
Overview

Short answer: keep certification audit evidence as a traceable file that connects the assessed CA service, certificate policy, CPS, assessment period, requirement identifiers, and retained operational records. ETSI EN 319 411-1 points auditors toward the CP/CPS, registration and certificate-lifecycle evidence, revocation evidence, audit logs, records archival, CA key lifecycle records, and the conformity assessment checklist rather than a generic compliance binder.

Question 1

How should certificate authorities handle certification audit evidence under ETSI EN 319 411-1?

Start with the audit boundary. The evidence file should identify the TSP or CA service being assessed, the applicable certificate policy, the CPS version, the certificate profiles and policy OIDs in use, the assessment period, and whether registration, certificate generation, dissemination, revocation management, revocation status, and subject-device provisioning are in scope.

Then map the file to requirement identifiers and operating records. EN 319 411-1 uses requirement IDs such as REG, GEN, REV, CSS, DIS, SDP, and OVR, and Annex B points to the conformity assessment checklist. An assessor should be able to follow each sampled requirement from the CP/CPS commitment to the retained record that proves operation during the assessment period.

  • Keep a scope sheet naming the CA hierarchy, certificate policies, certificate profiles, repository locations, revocation-status methods, RAs, outsourced components, and excluded services.
  • Trace each evidence request to the CP/CPS clause, EN 319 411-1 requirement ID, assessed period, record owner, evidence location, and sampling result.
  • Separate public CP/CPS and terms from confidential procedure evidence; EN 319 411-1 allows sensitive operational detail to remain outside the published CPS.
  • Record open findings with the affected requirement, evidence gap, corrective-action owner, and retest evidence rather than closing them with a certification label alone.
Question 2

What evidence should support a certification audit under ETSI EN 319 411-1?

The core evidence should prove operation of the certificate service, not just document intent. For registration, keep application and identity-validation records, subscriber-agreement evidence, the accepting entity, validation method, RA handoff, and the location of supporting documents. For certificate lifecycle events, keep certificate requests, accuracy and authorization checks, issuance links to registration, renewal, re-key, modification, and dissemination evidence.

For revocation and status services, retain authenticated revocation requests, event reports, resulting actions, timing evidence, CRL or OCSP publication records, and exception records where confirmation or publication timing could not be met. For CA keys, keep key lifecycle logs and ceremony evidence, including the ceremony requirements and collected evidence for CA key generation or installation.

  • Registration evidence: certificate application, identity and attribute validation, proof of possession or control, subscriber authorization, subscriber agreement, and RA transfer records.
  • Certificate lifecycle evidence: request source, completeness checks, issuance record, certificate profile and CP identifier, renewal/re-key/modification checks, and dissemination evidence.
  • Revocation evidence: authenticated request or report, authorization check, status-change timing, exception justification, CRL or OCSP publication, and relying-party status availability.
  • Operations evidence: security-event logs, registration logs, certificate lifecycle logs, CA key lifecycle logs, archive access controls, and retention proof.
Question 3

How should teams package the evidence for assessment?

Package the file so the assessor can sample without reconstructing the service from scratch. Use one index for scope and documents, one matrix for EN 319 411-1 requirement IDs, and separate folders for registration, certificate lifecycle, revocation/status, CA key management, audit logs, records archival, supplier or RA evidence, and corrective actions.

Retention should be explicit. EN 319 411-1 source material identifies a record retention period of at least seven years after any certificate based on those records ceases to be valid, so evidence indexes should show the retention rule, archive location, integrity control, and access path for historical records.

  • Index public documents separately from confidential procedures: CP, CPS, terms and conditions, PKI disclosure statement, repository URLs, and certificate policy identifiers.
  • For each sampled requirement, keep the request, artifact, owner, time period, system or repository location, and assessor conclusion in the same evidence row.
  • Flag reused evidence from previous certifications or third-party evaluations with scope, date, scheme, test report, and assessor verification status.
  • Keep remediation evidence separate from original operating evidence so the audit trail shows both the finding and the corrective action.
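The tracing matrix described in Question 1 and the packaging and retention rules in Question 3 can be checked mechanically before the assessor arrives. The following is an added example written for this page; it is not code from the original page, from ETSI, or from any CA. It assumes the matrix columns the text names (requirement ID, CP/CPS clause, assessed period, record owner, evidence location, sampling result, reuse status) and applies the seven-year retention rule to each record's certificate validity end. The requirement IDs, clause references, owners, archive paths and dates are constructed sample values, not identifiers taken from the standard.

```python
"""Consistency checks over an EN 319 411-1 evidence matrix (added example).

Assumptions: one row per sampled requirement with the columns named on the
page. All IDs, paths and dates below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

RETENTION_YEARS = 7  # records kept at least 7 years after the certificate ceases to be valid

# Requirement families the page names; anything else is likely a typo in the matrix.
REQUIREMENT_FAMILIES = {"REG", "GEN", "REV", "CSS", "DIS", "SDP", "OVR"}


@dataclass
class EvidenceRow:
    requirement_id: str                 # constructed, e.g. "REG-SAMPLE-01"; not a real ID
    cps_clause: str
    record_owner: str
    evidence_location: str
    period_start: date
    period_end: date
    sampling_result: str = ""           # "pass", "fail", or "" when not yet sampled
    corrective_action: Optional[str] = None
    cert_not_after: Optional[date] = None   # validity end of the last certificate relying on the record
    reused_from: Optional[str] = None       # prior certification or scheme the evidence is reused from
    reuse_verified: bool = False


def retention_until(not_after: date, years: int = RETENTION_YEARS) -> date:
    """Earliest date the record may leave the archive. Feb 29 falls back to Feb 28."""
    try:
        return not_after.replace(year=not_after.year + years)
    except ValueError:
        return not_after.replace(year=not_after.year + years, day=28)


def check_row(row: EvidenceRow, assessment_start: date, assessment_end: date) -> list:
    """Return the gaps an assessor would raise for one matrix row (empty list = clean)."""
    gaps = []
    family = row.requirement_id.split("-", 1)[0]
    if family not in REQUIREMENT_FAMILIES:
        gaps.append(f"unknown requirement family {family!r}")
    if not row.record_owner or not row.evidence_location:
        gaps.append("missing record owner or evidence location")
    if row.period_end < assessment_start or row.period_start > assessment_end:
        gaps.append("evidence period does not overlap the assessment period")
    if row.sampling_result == "":
        gaps.append("requirement not yet sampled")
    elif row.sampling_result == "fail" and not row.corrective_action:
        gaps.append("open finding without a corrective-action owner")
    if row.reused_from and not row.reuse_verified:
        gaps.append(f"reused evidence from {row.reused_from} not verified by the assessor")
    return gaps


def coverage_gaps(rows, in_scope_families) -> list:
    """Requirement families in scope that have no evidence row at all."""
    covered = {r.requirement_id.split("-", 1)[0] for r in rows}
    return sorted(set(in_scope_families) - covered)


def build_index(rows, assessment_start, assessment_end, in_scope_families) -> dict:
    """One index entry per row (with its retention date) plus the scope-level coverage check."""
    entries = []
    for r in rows:
        entries.append({
            "requirement_id": r.requirement_id,
            "cps_clause": r.cps_clause,
            "retain_until": retention_until(r.cert_not_after).isoformat() if r.cert_not_after else None,
            "gaps": check_row(r, assessment_start, assessment_end),
        })
    return {"rows": entries, "uncovered_families": coverage_gaps(rows, in_scope_families)}


# Constructed sample matrix for a 2025 assessment period: one clean row, one with several gaps.
SAMPLE_ROWS = [
    EvidenceRow("REG-SAMPLE-01", "CPS 3.2.2", "RA lead", "archive://reg/2025/",
                date(2025, 1, 1), date(2025, 12, 31),
                sampling_result="pass", cert_not_after=date(2028, 2, 29)),
    EvidenceRow("REV-SAMPLE-03", "CPS 4.9.1", "", "",
                date(2023, 1, 1), date(2023, 12, 31),
                sampling_result="fail", reused_from="2023 certification"),
]
SAMPLE_INDEX = build_index(SAMPLE_ROWS, date(2025, 1, 1), date(2025, 12, 31),
                           ["REG", "GEN", "REV", "CSS"])

if __name__ == "__main__":
    import json
    print(json.dumps(SAMPLE_INDEX, indent=2))
```

The row-level checks mirror the bullets above: a row without an owner and location cannot be sampled, a failed sample without a corrective-action owner is an open finding, and reused third-party evidence stays flagged until the assessor has verified it. The coverage check at the scope level catches requirement families that were declared in scope but never received an evidence row.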