--- title: "ETSI EN 319 411-1 FAQ for Certificate Services" canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-1/faq" source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-1/faq/items/page/2" author: "Sorena AI" description: "Answers to common ETSI EN 319 411-1 questions on certificate policies, CPS content, CA and RA boundaries, subscriber evidence, revocation, status services, and record retention." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "ETSI EN 319 411-1" - "certificate policy" - "certification practice statement" - "CA operations" - "revocation evidence" - "subscriber validation" - "CPS" - "certificate revocation" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # ETSI EN 319 411-1 FAQ for Certificate Services Answers to common ETSI EN 319 411-1 questions on certificate policies, CPS content, CA and RA boundaries, subscriber evidence, revocation, status services, and record retention. *Artifact Guide* *GLOBAL* *ETSI EN 319 411-1* ## ETSI EN 319 411-1 Certificate Services FAQ Answers for TSP teams applying ETSI EN 319 411-1 to certificate policies, CPS commitments, certificate lifecycle controls, and audit evidence. Grounded in ETSI EN 319 411-1 V1.5.1 and ETSI EN 319 401. Use it as implementation guidance, not for legal interpretation. This FAQ explains how ETSI EN 319 411-1 applies to trust service providers issuing certificates. It focuses on the recurring questions behind certificate policy selection, CPS evidence, CA and RA responsibilities, subscriber validation, revocation, status services, and records that auditors and relying parties expect to trace. ## Browse sub-FAQ modules ### [CP vs CPS under ETSI EN 319 411-1](/artifacts/global/etsi-en-319-411-1/faq/cp-vs-cps.md) Understand how ETSI EN 319 411-1 separates Certificate Policy from Certification Practice Statement work for certification authorities and trust service providers. - 3 items ### [ETSI EN 319 411-1 certificate re-key FAQ](/artifacts/global/etsi-en-319-411-1/faq/re-key.md) What ETSI EN 319 411-1 requires when a TSP re-keys an existing certificate with a new subject public key. - 3 items ### [ETSI EN 319 411-1 Certificate Suspension FAQ](/artifacts/global/etsi-en-319-411-1/faq/suspension.md) How CAs should handle certificate suspension under ETSI EN 319 411-1: CPS disclosure, validated requests, status publication, subscriber notice, and audit evidence. - 3 items ### [ETSI EN 319 411-1 Certification Audit Evidence FAQ](/artifacts/global/etsi-en-319-411-1/faq/certification-audit-evidence.md) How CAs should prepare ETSI EN 319 411-1 audit evidence for CP/CPS scope, registration records, revocation records, CA key logs, and retained assessment files. - 3 items ### [How should certificate authorities handle revocation evidence under ETSI EN 319 411-1?](/artifacts/global/etsi-en-319-411-1/faq/revocation-evidence.md) What ETSI EN 319 411-1 expects CAs to evidence for certificate revocation requests, status publication, CRL or OCSP updates, and archived revocation records. - 3 items ### [RA delegation under ETSI EN 319 411-1](/artifacts/global/etsi-en-319-411-1/faq/ra-delegation.md) How certificate authorities can delegate registration authority work under ETSI EN 319 411-1 while keeping identity validation, secure data exchange, role controls, and audit evidence traceable. - 3 items ### [Subscriber agreements under ETSI EN 319 411-1](/artifacts/global/etsi-en-319-411-1/faq/subscriber-agreements.md) How ETSI EN 319 411-1 expects CAs and TSPs to inform subscribers, record acceptance, handle subject consent, and retain subscriber-agreement evidence. - 3 items ### [Subscriber identity validation under ETSI EN 319 411-1](/artifacts/global/etsi-en-319-411-1/faq/subscriber-identity-validation.md) How certificate authorities should validate subscriber and subject identity under ETSI EN 319 411-1, including evidence, authorization, subject categories, and registration records. - 3 items Browse all indexed questions: [/artifacts/global/etsi-en-319-411-1/faq/items](/artifacts/global/etsi-en-319-411-1/faq/items.md) ## All FAQ items *Page 2 of 2. Showing 4 of 24 items.* ### [What evidence should a CA retain for subscriber agreements?](/artifacts/global/etsi-en-319-411-1/faq/subscriber-agreements.md#what-evidence-should-a-ca-retain-for-subscriber-agreements) *Module: [Subscriber agreements under ETSI EN 319 411-1](/artifacts/global/etsi-en-319-411-1/faq/subscriber-agreements.md)* The evidence should prove the exact agreement, the terms accepted, the person or entity accepting, and the specific choices made during registration. ETSI EN 319 411-1 requires the agreement with the subscriber to be recorded, and, where the subscriber and subject are separate, the subject agreement to be recorded as well. - Retain the signed or electronically accepted subscriber agreement and the version of terms and conditions presented at acceptance. - Keep evidence of the wilful act used for acceptance, such as signature data, acceptance timestamp, account identity, or equivalent trace record. - Record publication consent, secure-cryptographic-device acceptance, certificate-information confirmation, and any other agreement choices that affect issuance or relying-party information. - Retain the agreement records for the period indicated to the subscriber as part of the terms and conditions. Sources for this answer: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Requirements REG-6.3.4-07, REG-6.3.4-08, and REG-6.3.4-17 support recorded acceptance and retention of subscriber-agreement records. - [ETSI EN 319 411-1 V1.5.1 registration records requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Requirement REG-6.4.5-04 supports recording the storage location of applications and identification documents, including the subscriber agreement. ### [What must be validated before a certificate is issued?](/artifacts/global/etsi-en-319-411-1/faq/subscriber-identity-validation.md#what-must-be-validated-before-a-certificate-is-issued) *Module: [Subscriber identity validation under ETSI EN 319 411-1](/artifacts/global/etsi-en-319-411-1/faq/subscriber-identity-validation.md)* Clause 6.2.2 starts with a direct rule: the TSP verifies the identity of the subscriber and the subject. It then requires the TSP to collect and validate either direct evidence or an attestation from an appropriate and authorized source for the subject's identity and, where applicable, subject attributes. - Identify whether the subject is a natural person, a natural person linked to a legal person, a legal person or organizational entity, or a device or system operated by or for a natural or legal person. - Collect direct evidence or an authorized-source attestation for the subject identity and any certificate attributes that will be included or relied on. - Check request accuracy, authorization, and completeness before certificate generation uses the registration result. Sources for this answer: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for clause 6.2.2 initial identity validation: subscriber and subject verification, evidence or attestation, registration timing, and request accuracy checks. - [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the records governance behind identity-validation evidence, including accessible records, integrity, confidentiality, and legal-evidence purposes. ### [How does the answer change by subject type?](/artifacts/global/etsi-en-319-411-1/faq/subscriber-identity-validation.md#how-does-the-answer-change-by-subject-type) *Module: [Subscriber identity validation under ETSI EN 319 411-1](/artifacts/global/etsi-en-319-411-1/faq/subscriber-identity-validation.md)* For natural-person subjects under NCP requirements, ETSI EN 319 411-1 expects identity evidence to be checked against the person directly by physical presence, unless a duly mandated subscriber represents the subject, or indirectly using means that provide equivalent assurance. The evidence set includes the person's full name and either date and place of birth, a recognized identity-document reference, or other distinguishing attributes. - Do not use a single identity checklist for every certificate profile; map the requested certificate to the subject type and policy conditions that apply. - When the subscriber and subject are different entities, keep evidence that the subscriber is authorized to act for the subject and, if the subscriber is not a natural person, that a natural person is authorized to represent the subscriber. - For web certificates, use the domain-name and IP-address verification methods in BRG clauses 3.2.2.4 to 3.2.2.9 for the applicable certificate profile, instead of a generic verification path. Sources for this answer: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Supports the subject-category split in clauses 5.4.2 and 6.2.2, including natural persons, associated legal persons, legal persons, devices, subscriber authorization, and representative proof. - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Provides the EU trust-services legal context for certificates and trust service providers where ETSI EN 319 411-1 is used for eIDAS-oriented certification services. ### [What evidence should a CA keep for subscriber identity validation?](/artifacts/global/etsi-en-319-411-1/faq/subscriber-identity-validation.md#what-evidence-should-a-ca-keep-for-subscriber-identity-validation) *Module: [Subscriber identity validation under ETSI EN 319 411-1](/artifacts/global/etsi-en-319-411-1/faq/subscriber-identity-validation.md)* The evidence record should be specific enough to re-perform the validation decision without collecting unnecessary long-term personal data. ETSI EN 319 411-1 requires the TSP to record all information necessary to verify the subject identity and attributes, including any reference number on verification documentation and any limits on its validity. The standard notes that long-term retention may be limited to a reference to the document used, depending on the records obligations and applicable law. - Record the subject type, subscriber-subject relationship, certificate profile, evidence source, validation method, document reference, validity limitations, and request approval. - Keep subscriber contact attributes such as a physical address or other contact attributes, plus evidence showing how the registration process meets applicable data-protection legislation. - Track registration officer independence, RA involvement, and any delegated evidence source so the CA can show who validated what and under which CPS process. Sources for this answer: - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Supports the registration evidence requirements for identity records, document references, subscriber contact attributes, data-protection evidence, and registration officer independence. - [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports preserving identity-validation records as controlled trust-service evidence with maintained confidentiality, integrity, availability, and retention appropriate to the service. ## FAQ Pagination - Canonical index (page 1): [/artifacts/global/etsi-en-319-411-1/faq/items](/artifacts/global/etsi-en-319-411-1/faq/items.md) - Page 1 rule: `/page/1` is intentionally not generated; use the canonical index markdown URL. - Current page: 2 of 2 Pages: [1](/artifacts/global/etsi-en-319-411-1/faq/items.md) | [2](/artifacts/global/etsi-en-319-411-1/faq/items/page/2.md) [Previous page](/artifacts/global/etsi-en-319-411-1/faq/items.md) *Recommended next step* *Placement: after certificate-service guidance* ## Operationalize ETSI EN 319 411-1 certificate questions Use this FAQ as the starting point for CP/CPS review, certificate lifecycle evidence, subscriber disclosures, and audit-ready records. - [Open Assessment Autopilot for ETSI EN 319 411-1](/solutions/assessment.md): Convert certificate policy questions into accountable controls, evidence requests, and audit review tasks. - [Research ETSI EN 319 411-1 source questions](/solutions/research-copilot.md): Resolve CP, CPS, CA, RA, revocation, and status-service questions against cited ETSI source material. - [Talk through ETSI EN 319 411-1 implementation](/contact.md): Review certificate-service scope, evidence gaps, and the next CP/CPS actions with Sorena. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/global/etsi-en-319-411-1/faq/items/page/2