---
title: "ETSI EN 319 411-1 Certification Audit Evidence FAQ"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-1/faq/certification-audit-evidence"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-1/faq/certification-audit-evidence"
author: "Sorena AI"
description: "How CAs should prepare ETSI EN 319 411-1 audit evidence for CP/CPS scope, registration records, revocation records, CA key logs, and retained assessment files."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ETSI EN 319 411-1 audit evidence"
  - "CP/CPS evidence"
  - "certificate authority audit"
  - "TSP records"
  - "ETSI EN 319 411-1"
  - "certification audit evidence"
  - "FAQ"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# ETSI EN 319 411-1 Certification Audit Evidence FAQ

How CAs should prepare ETSI EN 319 411-1 audit evidence for CP/CPS scope, registration records, revocation records, CA key logs, and retained assessment files.

*Artifact Guide* *GLOBAL* *ETSI EN 319 411-1*

## ETSI EN 319 411-1 How should certificate authorities handle certification audit evidence under ETSI EN 319 411-1

A focused answer for CAs and TSP teams preparing evidence for an ETSI EN 319 411-1 assessment.

Use it to structure assessor-ready evidence without exposing confidential operating procedures in public-facing material.

Short answer: keep certification audit evidence as a traceable file that connects the assessed CA service, certificate policy, CPS, assessment period, requirement identifiers, and retained operational records. ETSI EN 319 411-1 points auditors toward the CP/CPS, registration and certificate-lifecycle evidence, revocation evidence, audit logs, records archival, CA key lifecycle records, and the conformity assessment checklist rather than a generic compliance binder.

## How should certificate authorities handle certification audit evidence under ETSI EN 319 411-1?

Start with the audit boundary. The evidence file should identify the TSP or CA service being assessed, the applicable certificate policy, the CPS version, the certificate profiles and policy OIDs in use, the assessment period, and whether registration, certificate generation, dissemination, revocation management, revocation status, and subject-device provisioning are in scope.

Then map the file to requirement identifiers and operating records. EN 319 411-1 uses requirement IDs such as REG, GEN, REV, CSS, DIS, SDP, and OVR, and Annex B points to the conformity assessment checklist. An assessor should be able to follow each sampled requirement from the CP/CPS commitment to the retained record that proves operation during the assessment period.

- Keep a scope sheet naming the CA hierarchy, certificate policies, certificate profiles, repository locations, revocation-status methods, RAs, outsourced components, and excluded services.
- Trace each evidence request to the CP/CPS clause, EN 319 411-1 requirement ID, assessed period, record owner, evidence location, and sampling result.
- Separate public CP/CPS and terms from confidential procedure evidence; EN 319 411-1 allows sensitive operational detail to remain outside the published CPS.
- Record open findings with the affected requirement, evidence gap, corrective-action owner, and retest evidence rather than closing them with a certification label alone.

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Supports using the CP, CPS, service components, requirement identifiers, and Annex B checklist as the structure for audit evidence.
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Clause 7.10 supports retaining accessible, confidential, integrity-protected operational records for evidence and service continuity.

## What evidence should support certification audit evidence under ETSI EN 319 411-1?

The core evidence should prove operation of the certificate service, not just document intent. For registration, keep application and identity-validation records, subscriber-agreement evidence, the accepting entity, validation method, RA handoff, and the location of supporting documents. For certificate lifecycle events, keep certificate requests, accuracy and authorization checks, issuance links to registration, renewal, re-key, modification, and dissemination evidence.

For revocation and status services, retain authenticated revocation requests, event reports, resulting actions, timing evidence, CRL or OCSP publication records, and exception records where confirmation or publication timing could not be met. For CA keys, keep key lifecycle logs and ceremony evidence, including the ceremony requirements and collected evidence for CA key generation or installation.

- Registration evidence: certificate application, identity and attribute validation, proof of possession or control, subscriber authorization, subscriber agreement, and RA transfer records.
- Certificate lifecycle evidence: request source, completeness checks, issuance record, certificate profile and CP identifier, renewal/re-key/modification checks, and dissemination evidence.
- Revocation evidence: authenticated request or report, authorization check, status-change timing, exception justification, CRL or OCSP publication, and relying-party status availability.
- Operations evidence: security-event logs, registration logs, certificate lifecycle logs, CA key lifecycle logs, archive access controls, and retention proof.

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Supports the listed evidence categories for registration, certificate application processing, certificate issuance, revocation, status services, audit logging, and CA key lifecycle records.
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports keeping general TSP operational evidence for access control, backup, continuity, incident handling, termination planning, and supplier arrangements where they affect the assessed service.

## How should teams package the evidence for assessment?

Package the file so the assessor can sample without reconstructing the service from scratch. Use one index for scope and documents, one matrix for EN 319 411-1 requirement IDs, and separate folders for registration, certificate lifecycle, revocation/status, CA key management, audit logs, records archival, supplier or RA evidence, and corrective actions.

Retention should be explicit. EN 319 411-1 source material identifies a record retention period of at least seven years after any certificate based on those records ceases to be valid, so evidence indexes should show the retention rule, archive location, integrity control, and access path for historical records.

- Index public documents separately from confidential procedures: CP, CPS, terms and conditions, PKI disclosure statement, repository URLs, and certificate policy identifiers.
- For each sampled requirement, keep the request, artifact, owner, time period, system or repository location, and assessor conclusion in the same evidence row.
- Flag reused evidence from previous certifications or third-party evaluations with scope, date, scheme, test report, and assessor verification status.
- Keep remediation evidence separate from original operating evidence so the audit trail shows both the finding and the corrective action.

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Supports packaging evidence by CP/CPS, service component, retained records, assessment checklist, and seven-year retention after certificate validity ends.
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports retaining general trust-service records and evidence needed to show legal, trustworthy, secure, continuous, and supplier-controlled operation.

## Primary sources

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary ETSI source for the page's CP/CPS, service component, registration, certificate lifecycle, revocation, audit logging, records archival, CA key lifecycle, and conformity-checklist claims.
  - Quote: "Policy and security requirements"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general TSP policy, evidence collection, management, security, continuity, legal, termination, and supplier-control obligations that support certification-service audit evidence.
  - Quote: "General Policy Requirements for Trust Service Providers"

## Topic Guides

- [CP vs CPS under ETSI EN 319 411-1](/artifacts/global/etsi-en-319-411-1/faq/cp-vs-cps.md): Understand how ETSI EN 319 411-1 separates Certificate Policy from Certification Practice Statement work for certification authorities and trust service providers.
- [EN 319 411-1 vs EN 319 411-2 Certificate Policy](/artifacts/global/etsi-en-319-411-1/en-319-411-1-vs-en-319-411-2.md): Compare ETSI EN 319 411-1 general certificate-service requirements with EN 319 411-2 EU qualified certificate requirements, including policy scope, CP/CPS evidence, and audit boundaries.
- [ETSI EN 319 411-1 Audit File Evidence](/artifacts/global/etsi-en-319-411-1/audit-file-evidence.md): Build an ETSI EN 319 411-1 audit evidence file for CA logging, registration records, revocation records, CA key lifecycle evidence, and records archival.
- [ETSI EN 319 411-1 CA Key Management](/artifacts/global/etsi-en-319-411-1/ca-key-management.md): CA key management guidance for ETSI EN 319 411-1: CPS commitments, key ceremonies, secure cryptographic devices, backup, recovery, and lifecycle evidence.
- [ETSI EN 319 411-1 certificate lifecycle workflow](/artifacts/global/etsi-en-319-411-1/certificate-lifecycle-workflow.md): Workflow for EN 319 411-1 certificate application, issuance, acceptance, renewal, re-key, modification, revocation, suspension, status services, and evidence records.
- [ETSI EN 319 411-1 certificate re-key FAQ](/artifacts/global/etsi-en-319-411-1/faq/re-key.md): What ETSI EN 319 411-1 requires when a TSP re-keys an existing certificate with a new subject public key.
- [ETSI EN 319 411-1 Certificate Suspension FAQ](/artifacts/global/etsi-en-319-411-1/faq/suspension.md): How CAs should handle certificate suspension under ETSI EN 319 411-1: CPS disclosure, validated requests, status publication, subscriber notice, and audit evidence.
- [ETSI EN 319 411-1 Compliance Guide](/artifacts/global/etsi-en-319-411-1/compliance.md): Build an ETSI EN 319 411-1 compliance file for certificate policies, CPS commitments, certificate lifecycle controls, revocation services, CA keys, and audit evidence.
- [ETSI EN 319 411-1 CP and CPS template](/artifacts/global/etsi-en-319-411-1/cp-and-cps-template.md): Build a certificate policy and Certification Practice Statement template for ETSI EN 319 411-1 certificate services, with fields for policy identifiers, subscribers, relying parties, revocation, publication, and evidence.
- [ETSI EN 319 411-1 FAQ for Certificate Services](/artifacts/global/etsi-en-319-411-1/faq.md): Answers to common ETSI EN 319 411-1 questions on certificate policies, CPS content, CA and RA boundaries, subscriber evidence, revocation, status services, and record retention.
- [ETSI EN 319 411-1 Identity Validation](/artifacts/global/etsi-en-319-411-1/identity-validation.md): Identity validation requirements in ETSI EN 319 411-1 for subscribers, subjects, RAs, certificate requests, registration evidence, and issuance records.
- [ETSI EN 319 411-1 Identity Validation Evidence Workflow](/artifacts/global/etsi-en-319-411-1/identity-validation-evidence-workflow.md): A workflow for building ETSI EN 319 411-1 identity validation evidence packs across subscriber, subject, certificate request, RA, logging, and retention controls.
- [ETSI EN 319 411-1 RA Delegation Guide](/artifacts/global/etsi-en-319-411-1/ra-delegation.md): How to scope registration authority delegation under ETSI EN 319 411-1, including delegated RA tasks, external provider controls, registration records, and audit evidence.
- [ETSI EN 319 411-1 RA Delegation Review Workflow](/artifacts/global/etsi-en-319-411-1/ra-delegation-review-workflow.md): Review delegated registration authority work under ETSI EN 319 411-1: retained CA responsibility, recognized registration service providers, secure data exchange, CPS coverage, and audit evidence.
- [ETSI EN 319 411-1 requirements map for certificate services](/artifacts/global/etsi-en-319-411-1/requirements.md): Map ETSI EN 319 411-1 requirements for certificate policies, CP/CPS content, registration, revocation, certificate status, and CA key-management evidence.
- [ETSI EN 319 411-1 Revocation Evidence Workflow](/artifacts/global/etsi-en-319-411-1/revocation-evidence-workflow.md): Build a revocation evidence workflow for ETSI EN 319 411-1 covering CPS procedures, request authentication, 24-hour status updates, CRL/OCSP publication, logs, and retention.
- [ETSI EN 319 411-1 Revocation, OCSP, and CRL Operations](/artifacts/global/etsi-en-319-411-1/revocation-ocsp-and-crl-operations.md): Operate ETSI EN 319 411-1 revocation status services with CPS procedures, authenticated requests, 24-hour CRL or OCSP publication controls, and audit evidence.
- [ETSI EN 319 411-1 vs CA/B Forum Baseline Requirements](/artifacts/global/etsi-en-319-411-1/en-319-411-1-vs-ca-browser-forum-baseline-requirements.md): Compare how EN 319 411-1 incorporates CA/B Forum BRG concepts for DVCP, OVCP, IVCP, [WEB] requirements, CPS disclosure, domain validation, and conflict handling.
- [How should certificate authorities handle revocation evidence under ETSI EN 319 411-1?](/artifacts/global/etsi-en-319-411-1/faq/revocation-evidence.md): What ETSI EN 319 411-1 expects CAs to evidence for certificate revocation requests, status publication, CRL or OCSP updates, and archived revocation records.
- [RA delegation under ETSI EN 319 411-1](/artifacts/global/etsi-en-319-411-1/faq/ra-delegation.md): How certificate authorities can delegate registration authority work under ETSI EN 319 411-1 while keeping identity validation, secure data exchange, role controls, and audit evidence traceable.
- [Subscriber agreements under ETSI EN 319 411-1](/artifacts/global/etsi-en-319-411-1/faq/subscriber-agreements.md): How ETSI EN 319 411-1 expects CAs and TSPs to inform subscribers, record acceptance, handle subject consent, and retain subscriber-agreement evidence.
- [Subscriber identity validation under ETSI EN 319 411-1](/artifacts/global/etsi-en-319-411-1/faq/subscriber-identity-validation.md): How certificate authorities should validate subscriber and subject identity under ETSI EN 319 411-1, including evidence, authorization, subject categories, and registration records.

*Recommended next step*

*Placement: after practical guidance*

## Build an assessor-ready ETSI EN 319 411-1 evidence file

Use this FAQ as the starting structure for CP/CPS traceability, sampled records, evidence owners, findings, and retained audit files.

- [Turn the answer into controls](/solutions/assessment.md): Convert the guidance into accountable tasks, evidence requests, and review milestones.
- [Ask a scoped follow-up](/solutions/research-copilot.md): Use cited research support when scope, source interpretation, or evidence ownership is unclear.
- [Talk through implementation](/contact.md): Review scope, evidence, owners, and the next compliance actions with Sorena.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/etsi-en-319-411-1/faq/certification-audit-evidence