FAQGLOBALETSI EN 319 411-1

ETSI EN 319 411-1 RA delegation for certificate authorities

A focused answer for certificate authorities and trust service providers using internal or external registration authority functions.

Grounded in ETSI EN 319 411-1 and ETSI EN 319 401 source text. Use it as implementation guidance, not for legal interpretation.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Questions
3

Structured answer sets in this page tree.

Primary sources
2

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Under ETSI EN 319 411-1, a certificate authority can use registration authority support, including external registration service providers, but the TSP still needs traceable identity-validation evidence, secure exchange of registration data, trusted-role controls, and records that identify the receiving TSP or submitting RA where applicable.

Search this module

Find a question or answer quickly

3 of 3 questions
Question 1

Can a certificate authority delegate RA work under ETSI EN 319 411-1?

Yes, but delegation does not turn registration into an unmanaged hand-off. ETSI EN 319 411-1 defines a Registration Authority as the entity responsible mainly for identifying and authenticating certificate subjects, and notes that an RA can assist with certificate applications, revocation, or both.

For initial identity validation, the TSP must verify the subscriber and subject, collect and validate direct evidence or an attestation from an appropriate and authorized source, and check that certificate requests are accurate, authorized, and complete. The standard also allows evidence of identity to be provided by a subcontracted person, provided that the identity check was performed in line with the clause 6.2.2 requirements.

  • Define which RA tasks are delegated: identity proofing, certificate application intake, revocation request handling, or registration-data submission.
  • Keep the TSP accountable for the certificate policy and CPS controls even when the registration work is performed by another party.
  • Do not accept delegated registration evidence unless it supports the subject, subscriber, authorization, and certificate profile requirements that apply to the certificate being issued.
Citations
Question 2

What controls should cover an external RA?

External registration authorities should be treated as controlled trust-service participants, not just intake vendors. ETSI EN 319 411-1 requires registration data from external registration service providers to be exchanged securely and only with recognized providers whose identity is authenticated.

The same clause points external RAs back to general TSP security requirements, including human resources, operational security, networks, and privacy. ETSI EN 319 401 adds that third-party arrangements need documented agreements and clear obligations for the relevant information security requirements.

  • Maintain a current list of recognized external registration service providers and the authentication method used for each provider.
  • Document the contract or agreement terms that bind the RA to identity proofing, registration-data protection, incident reporting, personnel, and termination obligations.
  • Require registration and revocation officers, and other trusted roles involved in RA work, to be appointed, trained, screened where applicable, and separated from prohibited self-validation scenarios.
Citations
Recommended next step

Map RA delegation to ETSI EN 319 411-1 evidence

Use this FAQ to align CP/CPS wording, RA agreements, registration records, and audit evidence before relying on delegated registration work.

Assessment workflow
Review RA controls

Convert delegated registration work into control owners, evidence requests, and audit-ready checkpoints.

Explore next step
Research workflow
Resolve source questions

Check ambiguous RA scope, CP/CPS wording, or registration evidence against cited ETSI requirements.

Explore next step
Talk to Sorena
Talk through implementation

Review delegated RA scope, provider agreements, registration records, and termination evidence with Sorena.

Explore next step
Question 3

What evidence should auditors expect for RA delegation?

The audit file should make the delegated registration chain reconstructable. ETSI EN 319 411-1 requires registration information to be logged and recorded, including document types, unique identification data or references where applicable, storage locations, subscriber-agreement choices, the identity of the entity accepting the application, validation method, and the receiving TSP or submitting RA when applicable.

RA delegation evidence should also cover retention and exit handling. EN 319 411-1 requires specified records to be retained for at least seven years after any certificate based on those records ceases to be valid, and its RA termination clause calls out registration information, revocation status information, and event log archives.

  • Keep the RA delegation register, provider agreement, provider authentication evidence, CP/CPS mapping, and list of delegated registration tasks together.
  • Retain sample registration records that show the identity evidence or attestation source, the validation method, the application-acceptance entity, and any submitting RA.
  • Document how registration records, revocation-related records, and event log archives remain accessible if an RA relationship ends or the CA/RA service terminates.
Citations
Primary sources

References and citations

ETSI EN 319 401 V3.1.1 general policy requirements for TSPs
etsi.org
Referenced sections
  • Supports retaining supplier-relationship evidence because the TSP remains responsible for conformance when third parties provide parts of the service.
"subcontracting, outsourcing or other third party arrangements"
Related guides

Explore more topics

CP vs CPS under ETSI EN 319 411-1
Understand how ETSI EN 319 411-1 separates Certificate Policy from Certification Practice Statement work for certification authorities and trust service providers.
EN 319 411-1 vs EN 319 411-2 Certificate Policy
Compare ETSI EN 319 411-1 general certificate-service requirements with EN 319 411-2 EU qualified certificate requirements, including policy scope, CP/CPS evidence, and audit boundaries.
ETSI EN 319 411-1 Audit File Evidence
Build an ETSI EN 319 411-1 audit evidence file for CA logging, registration records, revocation records, CA key lifecycle evidence, and records archival.
ETSI EN 319 411-1 CA Key Management
CA key management guidance for ETSI EN 319 411-1: CPS commitments, key ceremonies, secure cryptographic devices, backup, recovery, and lifecycle evidence.
ETSI EN 319 411-1 certificate lifecycle workflow
Workflow for EN 319 411-1 certificate application, issuance, acceptance, renewal, re-key, modification, revocation, suspension, status services, and evidence records.
ETSI EN 319 411-1 certificate re-key FAQ
What ETSI EN 319 411-1 requires when a TSP re-keys an existing certificate with a new subject public key.
ETSI EN 319 411-1 Certificate Suspension FAQ
How CAs should handle certificate suspension under ETSI EN 319 411-1: CPS disclosure, validated requests, status publication, subscriber notice, and audit evidence.
ETSI EN 319 411-1 Certification Audit Evidence FAQ
How CAs should prepare ETSI EN 319 411-1 audit evidence for CP/CPS scope, registration records, revocation records, CA key logs, and retained assessment files.
ETSI EN 319 411-1 Compliance Guide
Build an ETSI EN 319 411-1 compliance file for certificate policies, CPS commitments, certificate lifecycle controls, revocation services, CA keys, and audit evidence.
ETSI EN 319 411-1 CP and CPS template
Build a certificate policy and Certification Practice Statement template for ETSI EN 319 411-1 certificate services, with fields for policy identifiers, subscribers, relying parties, revocation, publication, and evidence.
ETSI EN 319 411-1 FAQ for Certificate Services
Answers to common ETSI EN 319 411-1 questions on certificate policies, CPS content, CA and RA boundaries, subscriber evidence, revocation, status services, and record retention.
ETSI EN 319 411-1 Identity Validation
Identity validation requirements in ETSI EN 319 411-1 for subscribers, subjects, RAs, certificate requests, registration evidence, and issuance records.
ETSI EN 319 411-1 Identity Validation Evidence Workflow
A workflow for building ETSI EN 319 411-1 identity validation evidence packs across subscriber, subject, certificate request, RA, logging, and retention controls.
ETSI EN 319 411-1 RA Delegation Guide
How to scope registration authority delegation under ETSI EN 319 411-1, including delegated RA tasks, external provider controls, registration records, and audit evidence.
ETSI EN 319 411-1 RA Delegation Review Workflow
Review delegated registration authority work under ETSI EN 319 411-1: retained CA responsibility, recognized registration service providers, secure data exchange, CPS coverage, and audit evidence.
ETSI EN 319 411-1 requirements map for certificate services
Map ETSI EN 319 411-1 requirements for certificate policies, CP/CPS content, registration, revocation, certificate status, and CA key-management evidence.
ETSI EN 319 411-1 Revocation Evidence Workflow
Build a revocation evidence workflow for ETSI EN 319 411-1 covering CPS procedures, request authentication, 24-hour status updates, CRL/OCSP publication, logs, and retention.
ETSI EN 319 411-1 Revocation, OCSP, and CRL Operations
Operate ETSI EN 319 411-1 revocation status services with CPS procedures, authenticated requests, 24-hour CRL or OCSP publication controls, and audit evidence.
ETSI EN 319 411-1 vs CA/B Forum Baseline Requirements
Compare how EN 319 411-1 incorporates CA/B Forum BRG concepts for DVCP, OVCP, IVCP, [WEB] requirements, CPS disclosure, domain validation, and conflict handling.
How should certificate authorities handle revocation evidence under ETSI EN 319 411-1?
What ETSI EN 319 411-1 expects CAs to evidence for certificate revocation requests, status publication, CRL or OCSP updates, and archived revocation records.
Subscriber agreements under ETSI EN 319 411-1
How ETSI EN 319 411-1 expects CAs and TSPs to inform subscribers, record acceptance, handle subject consent, and retain subscriber-agreement evidence.
Subscriber identity validation under ETSI EN 319 411-1
How certificate authorities should validate subscriber and subject identity under ETSI EN 319 411-1, including evidence, authorization, subject categories, and registration records.