---
title: "CP vs CPS under ETSI EN 319 411-1"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-1/faq/cp-vs-cps"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-1/faq/cp-vs-cps"
author: "Sorena AI"
description: "Understand how ETSI EN 319 411-1 separates Certificate Policy from Certification Practice Statement work for certification authorities and trust service providers."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ETSI EN 319 411-1 CP CPS"
  - "Certificate Policy"
  - "Certification Practice Statement"
  - "certificate authority policy"
  - "ETSI EN 319 411-1"
  - "CP/CPS"
  - "certificate authority"
---

# CP vs CPS under ETSI EN 319 411-1

Understand how ETSI EN 319 411-1 separates Certificate Policy from Certification Practice Statement work for certification authorities and trust service providers.


## CP vs CPS under ETSI EN 319 411-1

A focused FAQ for certification authorities separating Certificate Policy commitments from Certification Practice Statement implementation evidence under ETSI EN 319 411-1.

Use it to align certificate policy identifiers, subscriber-facing documentation, CPS ownership, and audit evidence without exposing confidential operating procedures.

Under ETSI EN 319 411-1, a Certificate Policy (CP) describes what certificate requirements and applicability rules are being adhered to; a Certification Practice Statement (CPS) describes how the certification authority implements those requirements in its own organization, procedures, facilities, and systems. A CA should keep both connected, but it should not treat them as interchangeable documents.

## Certificate Policy vs Certification Practice Statement

Compare CP and CPS responsibilities under ETSI EN 319 411-1 by purpose, ownership, publication, certificate linkage, evidence, and update triggers.

- **Certificate Policy (CP)**: Defines what certificate policy requirements, quality level, applicability, profile, and policy identifier apply to the certificate service or certificate community.
- **Certification Practice Statement (CPS)**: Explains how the TSP-owned certification authority service implements the CP through operational, technical, organizational, and procedural practices.

| Dimension | Certificate Policy (CP) | Certification Practice Statement (CPS) | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope | States what requirements and applicability rules are adhered to for the certificate policy, including certificate quality, profile, and intended use. | States how the CA operates its service to meet those policy requirements, including implementation practices for issuing, managing, revoking, renewing, or re-keying certificates. | Identify whether the document is setting policy (what must be done) or procedure (how it is done) before deciding which one to create or update. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. |
| Covered actors | Can be defined by the TSP, ETSI, governments, subscribers, users of certification services, or another community that sets common rules. | Is developed, implemented, enforced, updated, and owned by the TSP issuing certificates. | Determine whether the document is addressed to external parties (CP) or internal operators (CPS) to decide who must approve and maintain it. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. |
| Trigger | A CP review or update is triggered when the certificate policy claim changes: the policy OID, applicability rules, certificate profile requirements, assurance level, adopted ETSI policy basis, or the subscriber and relying-party community described in the CP. | A CPS review or update is triggered when the TSP changes how it implements the CP: registration procedures, identity validation methods, revocation handling, repository practices, key-management controls, external support arrangements, or any practice relying parties or subscribers depend on. | Distinguish between a policy change (edit CP) and an implementation change (edit CPS); a policy OID change always requires a CP revision. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. |
| Core obligations | May be a standalone policy document or may be provided as part of the CPS and/or general terms and conditions. | Can reference lower-level operational procedures, while the published CPS can omit confidential internal details not useful to subscribers or relying parties. | Check whether the publication obligation applies to the CP, the CPS, or both; some obligations may be met by publishing a combined CP/CPS document. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. |
| Evidence | Is identified through documentation for subscribers and relying parties and through certificate policy identifiers that may appear in certificates. | Shows how the CA implements the identified CP, including where subscribers or relying parties can find the practices behind the policy claim. | Cross-reference the CP clause number in the CPS to show that each policy requirement is implemented; auditors verify the CPS against the CP. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. |
| Timing | Review when the policy basis, certificate profile, policy identifier, applicability, use restrictions, or community requirements change. | Review when operational practices change, including registration, revocation, repository availability, key management, RA delegation, external support, or security controls. | Set separate review calendars for CP and CPS; the CPS may need more frequent updates due to operational changes. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. |
| Enforcement | A CP must be approved by a management body, assigned a policy administrator, and made available to subscribers and relying parties. EN 319 401 expects approval authority and maintenance responsibilities for each practice statement to be defined and documented. | A CPS must be approved by the TSP management body, published online on a continuous basis, and updated when practices change in ways that may affect subscriber or relying-party acceptance. EN 319 401 requires notice when CPS changes could affect service acceptance. | Confirm that both CP and CPS are approved by the TSP management body and that the CPS references the applicable CP OID. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. |
| Overlap | Both CP and CPS require version control, management approval, and alignment with the certificate profile, policy identifier, and subscriber-facing obligations. Changes to either can affect certificate suitability assessments and audit evidence boundaries. | Both CP and CPS must remain consistent with each other and with certificate profiles, RA delegation scope, and certificate lifecycle controls. The IETF RFC 3647 framework referenced by EN 319 411-1 structures both documents using a common set of headings. | Treat version control and certificate-profile alignment as shared obligations; maintain a traceability matrix linking CP requirements to CPS procedures. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. |
| Decision rule | Edit the CP when the certificate policy claim itself changes: the policy OID, the applicability rules, the certificate profile requirements, the assurance level, the use restrictions, or the adopted ETSI policy basis such as LCP, NCP, DVCP, OVCP, IVCP, or EVCP. | Edit the CPS when the CA changes how it implements the CP: registration procedure, identity validation method, revocation handling, repository publication practice, key management control, external support arrangement, management approval process, or any practice that subscribers or relying parties depend on. | Use the policy OID and applicability description as the dividing line: CP owns the policy claim, CPS owns the implementation narrative. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the EN 319 411-1 scope, CP/CPS model, DVCP/OVCP/IVCP relationship to BRG, certificate policy and CPS obligations. |

### How should a CA decide whether to edit the CP or the CPS?

- Edit the CP when the certificate policy claim changes: policy OID, applicability, certificate profile, assurance level, use restriction, or adopted ETSI policy basis.
- Edit the CPS when the CA implementation changes: procedure, control, repository practice, validation method, revocation handling, external support arrangement, approval, or publication practice.
- Review both documents after new certificate profiles, RA delegation changes, CA key lifecycle changes, external support changes, or audit findings that affect either the policy or its implementation.
- Keep the CP and CPS traceable to each other by version: the CPS should name the CP it implements, and each CP clause should map to a CPS clause or an internal procedure reference.

Sources for the practical decision rule:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Defines the CP/CPS relationship for certification authorities: CP states what certificate policy requirements apply, while the CPS states how the TSP implements and maintains them.
  - Quote: "what is to be adhered to"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the trust-service practice statement obligations for approval, availability, maintenance responsibilities, external supporting organizations, and change notice.
  - Quote: "trust service practice statement"
- [IETF RFC 3647 certificate policy and CPS framework](https://www.rfc-editor.org/rfc/rfc3647?ref=sorena.io) - Referenced by ETSI EN 319 411-1 for certificate policy identifiers and the CP/CPS framework used by certificate authorities.
  - Quote: "Certificate Policy and Certification Practices Framework"

## What is the practical difference between a CP and a CPS?

The CP is the policy layer. It identifies the certificate policy, quality level, profile, applicability, and requirements that apply to a certificate service or certificate community. ETSI EN 319 411-1 notes that a CP can be defined by the TSP, ETSI, a government, customers, or another community, and that it can be standalone or included within practice statements or terms and conditions.

The CPS is the implementation layer. It is owned by the TSP issuing certificates and explains how that TSP operates the service, including the technical, organizational, and procedural practices used to meet the CP. The CPS can point to lower-level operating procedures, but those detailed procedures may remain confidential when they are internal and proprietary.

- Use the CP to state the certificate policy being followed, including policy identifiers, applicability, certificate profile expectations, and any adopted ETSI policy such as LCP, NCP, NCP+, DVCP, OVCP, IVCP, or EVCP where relevant.
- Use the CPS to explain how the CA implements the CP through registration, issuance, revocation, repository, key-management, security, and records practices.
- Keep subscriber and relying-party documentation clear enough to show which CP applies and where the CPS, terms, or disclosure statement explain implementation details.

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Defines the CP/CPS relationship for certification authorities: CP states what certificate policy requirements apply, while the CPS states how the TSP implements and maintains them.
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the trust-service practice statement obligations for approval, availability, maintenance responsibilities, external supporting organizations, and change notice.

## How should a CA keep CP and CPS evidence aligned?

Start with a traceability map from each applicable CP requirement to the CPS clause, operating record, or confidential procedure that implements it. This is especially important where certificates carry a CP identifier, because relying parties may use that identifier to judge certificate suitability and trustworthiness.

Do not publish sensitive operating details just to prove alignment. ETSI EN 319 411-1 allows low-level operational procedures to remain internal; the public CPS can be limited to information useful for subscribers, subjects, and relying parties, with confidential evidence available for process review.

- Record the CP identifier, certificate type, target subscribers or subjects, relying-party use, and certificate profile assumptions.
- Link each CP commitment to the CPS clause that explains the CA practice and to the evidence record that proves the practice operated during the review period.
- Separate public CPS wording from internal procedures such as access lists, location details, task assignments, HSM handling steps, and audit logs.

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Defines the CP/CPS relationship for certification authorities: CP states what certificate policy requirements apply, while the CPS states how the TSP implements and maintains them.
- [IETF RFC 3647 certificate policy and CPS framework](https://www.rfc-editor.org/rfc/rfc3647?ref=sorena.io) - Referenced by ETSI EN 319 411-1 for certificate policy identifiers and the CP/CPS framework used by certificate authorities.
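The traceability map described in this answer can be checked mechanically. The following is an added example, not code from ETSI or from this guide's author: the policy OID is a constructed placeholder, the clause numbers follow RFC 3647-style numbering, and the record names, finding codes, and review period are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Evidence:
    ref: str                   # identifier of the operating record
    recorded: date             # when the record was produced
    confidential: bool = True  # internal by default; never shown in the public view


@dataclass(frozen=True)
class Mapping:
    cp_clause: str
    cps_clause: Optional[str] = None    # public CPS clause implementing the commitment
    internal_ref: Optional[str] = None  # confidential procedure reference, if any
    evidence: tuple = ()


@dataclass(frozen=True)
class Document:
    policy_oid: str
    version: str
    clauses: frozenset
    implements_cp_version: Optional[str] = None  # set on the CPS only


def check_traceability(cp, cps, mappings, start, end):
    """Return (code, cp_clause) findings for gaps between CP, CPS and evidence."""
    findings = []
    # The CPS should name the CP (identifier and version) it implements.
    if cps.policy_oid != cp.policy_oid or cps.implements_cp_version != cp.version:
        findings.append(("CPS_CP_MISMATCH", "-"))
    by_clause = {m.cp_clause: m for m in mappings}
    for clause in sorted(cp.clauses):
        m = by_clause.get(clause)
        if m is None or (m.cps_clause is None and m.internal_ref is None):
            findings.append(("UNMAPPED", clause))
            continue
        if m.cps_clause is not None and m.cps_clause not in cps.clauses:
            findings.append(("DANGLING_CPS_CLAUSE", clause))
        # Evidence must show the practice operated during the review period.
        if not any(start <= e.recorded <= end for e in m.evidence):
            findings.append(("NO_EVIDENCE_IN_PERIOD", clause))
    # Mappings left over from an earlier CP revision.
    for clause in sorted(set(by_clause) - cp.clauses):
        findings.append(("ORPHAN_MAPPING", clause))
    return findings


def public_view(mappings):
    """Rows safe to disclose: internal references and confidential records withheld."""
    rows = []
    for m in sorted(mappings, key=lambda m: m.cp_clause):
        rows.append({
            "cp_clause": m.cp_clause,
            "cps_clause": m.cps_clause or "internal procedure (not published)",
            "public_evidence": [e.ref for e in m.evidence if not e.confidential],
        })
    return rows


# Constructed sample data (placeholder OID, hypothetical record names).
CP = Document("1.3.6.1.4.1.99999.1.1", "2.0", frozenset({"2.2", "3.2", "4.9", "6.2"}))
CPS = Document("1.3.6.1.4.1.99999.1.1", "3.1", frozenset({"2.2", "3.2", "4.9"}),
               implements_cp_version="1.4")  # still names the previous CP version
MAPPINGS = [
    Mapping("3.2", "3.2", None, (Evidence("REG-SAMPLE-001", date(2025, 3, 14)),)),
    Mapping("4.9", "4.9", None,
            (Evidence("CRL-SAMPLE-004", date(2024, 11, 2), confidential=False),)),
    Mapping("6.2", None, "INT-PROC-HSM",
            (Evidence("KEYCER-SAMPLE-002", date(2025, 6, 30)),)),
    Mapping("4.12", "4.12"),  # clause no longer present in CP version 2.0
]
PERIOD = (date(2025, 1, 1), date(2025, 12, 31))

if __name__ == "__main__":
    for code, clause in check_traceability(CP, CPS, MAPPINGS, *PERIOD):
        print(f"{code:24} {clause}")
    for row in public_view(MAPPINGS):
        print(row)
```

The internal map keeps the confidential procedure references and records for process review, while `public_view` yields only what a subscriber or relying party would see.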

## When should the CP or CPS be updated?

Update the CP when the policy itself changes: certificate applicability, policy OID, certificate profile requirements, assurance level, adopted ETSI policy basis, or the community rules that subscribers and relying parties rely on. Update the CPS when the CA changes how it implements the policy, such as identity validation processes, revocation handling, repository availability, RA arrangements, CA key controls, or supporting organizations.

ETSI EN 319 401 also expects a management body to approve the practice statement, responsibilities for maintaining it to be defined, and revised practice statements to be made available after approval. If a CPS change may affect acceptance of the service by subjects, subscribers, or relying parties, notice is part of the governance work.

- Treat CP changes as policy-governance changes that may affect certificate claims, OIDs, subscriber terms, relying-party expectations, and audit scope.
- Treat CPS changes as operational-governance changes that need approval, version control, publication handling, and evidence that the changed practice is actually in use.
- Review CP/CPS alignment after new certificate profiles, RA delegation changes, revocation-process changes, CA key lifecycle changes, external support changes, or audit findings.

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Defines the CP/CPS relationship for certification authorities: CP states what certificate policy requirements apply, while the CPS states how the TSP implements and maintains them.
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the trust-service practice statement obligations for approval, availability, maintenance responsibilities, external supporting organizations, and change notice.

## Primary sources

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Defines the CP/CPS relationship for certification authorities: CP states what certificate policy requirements apply, while the CPS states how the TSP implements and maintains them.
  - Quote: "what is to be adhered to"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the trust-service practice statement obligations for approval, availability, maintenance responsibilities, external supporting organizations, and change notice.
  - Quote: "trust service practice statement"
- [IETF RFC 3647 certificate policy and CPS framework](https://www.rfc-editor.org/rfc/rfc3647?ref=sorena.io) - Referenced by ETSI EN 319 411-1 for certificate policy identifiers and the CP/CPS framework used by certificate authorities.
  - Quote: "Certificate Policy and Certification Practices Framework"

## Topic Guides

- [EN 319 411-1 vs EN 319 411-2 Certificate Policy](/artifacts/global/etsi-en-319-411-1/en-319-411-1-vs-en-319-411-2.md): Compare ETSI EN 319 411-1 general certificate-service requirements with EN 319 411-2 EU qualified certificate requirements, including policy scope, CP/CPS evidence, and audit boundaries.
- [ETSI EN 319 411-1 Audit File Evidence](/artifacts/global/etsi-en-319-411-1/audit-file-evidence.md): Build an ETSI EN 319 411-1 audit evidence file for CA logging, registration records, revocation records, CA key lifecycle evidence, and records archival.
- [ETSI EN 319 411-1 CA Key Management](/artifacts/global/etsi-en-319-411-1/ca-key-management.md): CA key management guidance for ETSI EN 319 411-1: CPS commitments, key ceremonies, secure cryptographic devices, backup, recovery, and lifecycle evidence.
- [ETSI EN 319 411-1 certificate lifecycle workflow](/artifacts/global/etsi-en-319-411-1/certificate-lifecycle-workflow.md): Workflow for EN 319 411-1 certificate application, issuance, acceptance, renewal, re-key, modification, revocation, suspension, status services, and evidence records.
- [ETSI EN 319 411-1 certificate re-key FAQ](/artifacts/global/etsi-en-319-411-1/faq/re-key.md): What ETSI EN 319 411-1 requires when a TSP re-keys an existing certificate with a new subject public key.
- [ETSI EN 319 411-1 Certificate Suspension FAQ](/artifacts/global/etsi-en-319-411-1/faq/suspension.md): How CAs should handle certificate suspension under ETSI EN 319 411-1: CPS disclosure, validated requests, status publication, subscriber notice, and audit evidence.
- [ETSI EN 319 411-1 Certification Audit Evidence FAQ](/artifacts/global/etsi-en-319-411-1/faq/certification-audit-evidence.md): How CAs should prepare ETSI EN 319 411-1 audit evidence for CP/CPS scope, registration records, revocation records, CA key logs, and retained assessment files.
- [ETSI EN 319 411-1 Compliance Guide](/artifacts/global/etsi-en-319-411-1/compliance.md): Build an ETSI EN 319 411-1 compliance file for certificate policies, CPS commitments, certificate lifecycle controls, revocation services, CA keys, and audit evidence.
- [ETSI EN 319 411-1 CP and CPS template](/artifacts/global/etsi-en-319-411-1/cp-and-cps-template.md): Build a certificate policy and Certification Practice Statement template for ETSI EN 319 411-1 certificate services, with fields for policy identifiers, subscribers, relying parties, revocation, publication, and evidence.
- [ETSI EN 319 411-1 FAQ for Certificate Services](/artifacts/global/etsi-en-319-411-1/faq.md): Answers to common ETSI EN 319 411-1 questions on certificate policies, CPS content, CA and RA boundaries, subscriber evidence, revocation, status services, and record retention.
- [ETSI EN 319 411-1 Identity Validation](/artifacts/global/etsi-en-319-411-1/identity-validation.md): Identity validation requirements in ETSI EN 319 411-1 for subscribers, subjects, RAs, certificate requests, registration evidence, and issuance records.
- [ETSI EN 319 411-1 Identity Validation Evidence Workflow](/artifacts/global/etsi-en-319-411-1/identity-validation-evidence-workflow.md): A workflow for building ETSI EN 319 411-1 identity validation evidence packs across subscriber, subject, certificate request, RA, logging, and retention controls.
- [ETSI EN 319 411-1 RA Delegation Guide](/artifacts/global/etsi-en-319-411-1/ra-delegation.md): How to scope registration authority delegation under ETSI EN 319 411-1, including delegated RA tasks, external provider controls, registration records, and audit evidence.
- [ETSI EN 319 411-1 RA Delegation Review Workflow](/artifacts/global/etsi-en-319-411-1/ra-delegation-review-workflow.md): Review delegated registration authority work under ETSI EN 319 411-1: retained CA responsibility, recognized registration service providers, secure data exchange, CPS coverage, and audit evidence.
- [ETSI EN 319 411-1 requirements map for certificate services](/artifacts/global/etsi-en-319-411-1/requirements.md): Map ETSI EN 319 411-1 requirements for certificate policies, CP/CPS content, registration, revocation, certificate status, and CA key-management evidence.
- [ETSI EN 319 411-1 Revocation Evidence Workflow](/artifacts/global/etsi-en-319-411-1/revocation-evidence-workflow.md): Build a revocation evidence workflow for ETSI EN 319 411-1 covering CPS procedures, request authentication, 24-hour status updates, CRL/OCSP publication, logs, and retention.
- [ETSI EN 319 411-1 Revocation, OCSP, and CRL Operations](/artifacts/global/etsi-en-319-411-1/revocation-ocsp-and-crl-operations.md): Operate ETSI EN 319 411-1 revocation status services with CPS procedures, authenticated requests, 24-hour CRL or OCSP publication controls, and audit evidence.
- [ETSI EN 319 411-1 vs CA/B Forum Baseline Requirements](/artifacts/global/etsi-en-319-411-1/en-319-411-1-vs-ca-browser-forum-baseline-requirements.md): Compare how EN 319 411-1 incorporates CA/B Forum BRG concepts for DVCP, OVCP, IVCP, [WEB] requirements, CPS disclosure, domain validation, and conflict handling.
- [How should certificate authorities handle revocation evidence under ETSI EN 319 411-1?](/artifacts/global/etsi-en-319-411-1/faq/revocation-evidence.md): What ETSI EN 319 411-1 expects CAs to evidence for certificate revocation requests, status publication, CRL or OCSP updates, and archived revocation records.
- [RA delegation under ETSI EN 319 411-1](/artifacts/global/etsi-en-319-411-1/faq/ra-delegation.md): How certificate authorities can delegate registration authority work under ETSI EN 319 411-1 while keeping identity validation, secure data exchange, role controls, and audit evidence traceable.
- [Subscriber agreements under ETSI EN 319 411-1](/artifacts/global/etsi-en-319-411-1/faq/subscriber-agreements.md): How ETSI EN 319 411-1 expects CAs and TSPs to inform subscribers, record acceptance, handle subject consent, and retain subscriber-agreement evidence.
- [Subscriber identity validation under ETSI EN 319 411-1](/artifacts/global/etsi-en-319-411-1/faq/subscriber-identity-validation.md): How certificate authorities should validate subscriber and subject identity under ETSI EN 319 411-1, including evidence, authorization, subject categories, and registration records.

*Recommended next step*

## Operationalize CP and CPS traceability under ETSI EN 319 411-1

Use this CP/CPS distinction to map certificate policies to CPS clauses, subscriber-facing documentation, internal procedures, and audit evidence.

- [Build the evidence map](/solutions/assessment.md): Map CP requirements to CPS clauses, implementation records, and review owners.
- [Check a CP/CPS question](/solutions/research-copilot.md): Research ambiguous policy identifiers, CPS publication boundaries, and source-linked evidence needs.
- [Talk through implementation](/contact.md): Review CP scope, CPS wording, confidential procedure boundaries, and audit preparation with Sorena.


---

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/etsi-en-319-411-1/faq/cp-vs-cps
