FAQGLOBALETSI EN 319 411-1

ETSI EN 319 411-1 Certificate re-key FAQ

A focused answer for TSP, CA, RA, and audit teams handling certificate re-key under ETSI EN 319 411-1.

Grounded in ETSI EN 319 411-1 V1.5.1 and the related ETSI EN 319 401 general TSP requirements.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Questions
3

Structured answer sets in this page tree.

Primary sources
2

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Under ETSI EN 319 411-1, certificate re-key is not the same as renewal. Re-key means issuing a new certificate for an already issued subject with a new subject public key; the certificate may also update subject attributes or the expiry date when the CP/CPS allows it.

Search this module

Find a question or answer quickly

3 of 3 questions
Question 1

How should certificate authorities handle re-key under ETSI EN 319 411-1?

Treat re-key as a certificate lifecycle event that starts with a new subject public key. ETSI EN 319 411-1 clause 6.3.7 says the general certificate application and application-processing requirements in clauses 6.3.1 and 6.3.2 still apply, so the request must remain linked to registration, authorization, identity or attribute evidence, and the public key being certified.

The CP/CPS should be the operating boundary. It needs to state whether, and under which circumstances, the TSP allows certificate re-key to change the expiry date or certified attributes. If the previous certificate is used to authenticate the re-key request, the TSP checks that the previous certificate exists and is valid.

  • Confirm the event is re-key, not renewal: the subject public key changes.
  • Apply the certificate application and processing controls from clauses 6.3.1 and 6.3.2 to the re-key request.
  • Verify and record changed certified names or attributes before including them in the replacement certificate.
  • Check the existing certificate when it is used to authenticate the request.
  • Communicate and obtain agreement to changed terms and conditions before completing the re-key.
Citations
Question 2

What evidence should support certificate re-key?

The evidence should prove why the re-key was allowed and how the new certificate was bound to the right subject. At minimum, keep the re-key request, request authentication result, registration or attribute evidence reused or refreshed, subscriber authorization where the subscriber and subject differ, and the CP/CPS rule that permits any expiry-date or attribute change.

ETSI EN 319 411-1 also makes logging specific: registration events include requests for certificate re-key or renewal. Records archival then requires retention of relevant lifecycle logs and certificate documentation for at least seven years after any certificate based on those records ceases to be valid.

  • Request record showing the subject, subscriber, requested public key, certificate profile, and reason for re-key.
  • Proof of possession or control for a non-CA-generated subject private key where clause 6.3.1 requires it.
  • Validation record for any changed certified name, organization, device, system, or other subject attribute.
  • Evidence that changed TSP terms and conditions were communicated and agreed to when applicable.
  • Audit logs for registration, certificate generation, certificate dissemination, and any related revocation decision.
Citations
Recommended next step

Operationalize certificate re-key controls

Map the re-key trigger, CP/CPS rule, subscriber evidence, certificate lifecycle logs, and revocation or key-changeover records into accountable control work.

Assessment workflow
Assess certificate re-key evidence

Turn ETSI EN 319 411-1 re-key requirements into control owners, artifacts, and review checkpoints.

Explore next step
Research workflow
Research a re-key edge case

Use cited support when re-key overlaps with revocation, attribute changes, or CA key changeover.

Explore next step
Talk to Sorena
Talk through ETSI EN 319 411-1 re-key implementation

Review CP/CPS wording, evidence gaps, and certificate lifecycle controls with Sorena.

Explore next step
Question 3

When should re-key trigger revocation, notification, or CA key-change work?

A subject-certificate re-key can happen before expiry, after expiry, or after revocation. When the re-key is driven by compromise or a security breach, handle the revocation path separately from the replacement-certificate path: revocation requests and reports must be authenticated, processed on receipt, and reflected in status information within the maximum delay required by the CPS and ETSI EN 319 411-1.

Do not confuse subject-certificate re-key with CA key changeover. For CA certificate-signing keys, ETSI EN 319 411-1 has separate requirements to generate and distribute a new CA certificate before expiry when the service continues, allow affected parties enough interval to prepare, and document the CA key-pair generation procedure and ceremony evidence.

  • If the old certificate was revoked for key compromise, keep the revocation request, authentication, decision, status-publication evidence, and subscriber or subject notification record.
  • If cryptography or associated parameters become insufficient for remaining use, inform subscribers and relying parties with whom the TSP has relationships and make the information available to other relying parties.
  • For CA key changeover, keep the documented ceremony procedure, participating roles, responsibilities, collected evidence, and ceremony report.
  • For subject keys generated by the CA, preserve evidence that delivery protected secrecy and integrity and that copies were deleted after delivery except where escrow or recovery rules apply.
Citations
Primary sources

References and citations

Related guides

Explore more topics

CP vs CPS under ETSI EN 319 411-1
Understand how ETSI EN 319 411-1 separates Certificate Policy from Certification Practice Statement work for certification authorities and trust service providers.
EN 319 411-1 vs EN 319 411-2 Certificate Policy
Compare ETSI EN 319 411-1 general certificate-service requirements with EN 319 411-2 EU qualified certificate requirements, including policy scope, CP/CPS evidence, and audit boundaries.
ETSI EN 319 411-1 Audit File Evidence
Build an ETSI EN 319 411-1 audit evidence file for CA logging, registration records, revocation records, CA key lifecycle evidence, and records archival.
ETSI EN 319 411-1 CA Key Management
CA key management guidance for ETSI EN 319 411-1: CPS commitments, key ceremonies, secure cryptographic devices, backup, recovery, and lifecycle evidence.
ETSI EN 319 411-1 certificate lifecycle workflow
Workflow for EN 319 411-1 certificate application, issuance, acceptance, renewal, re-key, modification, revocation, suspension, status services, and evidence records.
ETSI EN 319 411-1 Certificate Suspension FAQ
How CAs should handle certificate suspension under ETSI EN 319 411-1: CPS disclosure, validated requests, status publication, subscriber notice, and audit evidence.
ETSI EN 319 411-1 Certification Audit Evidence FAQ
How CAs should prepare ETSI EN 319 411-1 audit evidence for CP/CPS scope, registration records, revocation records, CA key logs, and retained assessment files.
ETSI EN 319 411-1 Compliance Guide
Build an ETSI EN 319 411-1 compliance file for certificate policies, CPS commitments, certificate lifecycle controls, revocation services, CA keys, and audit evidence.
ETSI EN 319 411-1 CP and CPS template
Build a certificate policy and Certification Practice Statement template for ETSI EN 319 411-1 certificate services, with fields for policy identifiers, subscribers, relying parties, revocation, publication, and evidence.
ETSI EN 319 411-1 FAQ for Certificate Services
Answers to common ETSI EN 319 411-1 questions on certificate policies, CPS content, CA and RA boundaries, subscriber evidence, revocation, status services, and record retention.
ETSI EN 319 411-1 Identity Validation
Identity validation requirements in ETSI EN 319 411-1 for subscribers, subjects, RAs, certificate requests, registration evidence, and issuance records.
ETSI EN 319 411-1 Identity Validation Evidence Workflow
A workflow for building ETSI EN 319 411-1 identity validation evidence packs across subscriber, subject, certificate request, RA, logging, and retention controls.
ETSI EN 319 411-1 RA Delegation Guide
How to scope registration authority delegation under ETSI EN 319 411-1, including delegated RA tasks, external provider controls, registration records, and audit evidence.
ETSI EN 319 411-1 RA Delegation Review Workflow
Review delegated registration authority work under ETSI EN 319 411-1: retained CA responsibility, recognized registration service providers, secure data exchange, CPS coverage, and audit evidence.
ETSI EN 319 411-1 requirements map for certificate services
Map ETSI EN 319 411-1 requirements for certificate policies, CP/CPS content, registration, revocation, certificate status, and CA key-management evidence.
ETSI EN 319 411-1 Revocation Evidence Workflow
Build a revocation evidence workflow for ETSI EN 319 411-1 covering CPS procedures, request authentication, 24-hour status updates, CRL/OCSP publication, logs, and retention.
ETSI EN 319 411-1 Revocation, OCSP, and CRL Operations
Operate ETSI EN 319 411-1 revocation status services with CPS procedures, authenticated requests, 24-hour CRL or OCSP publication controls, and audit evidence.
ETSI EN 319 411-1 vs CA/B Forum Baseline Requirements
Compare how EN 319 411-1 incorporates CA/B Forum BRG concepts for DVCP, OVCP, IVCP, [WEB] requirements, CPS disclosure, domain validation, and conflict handling.
How should certificate authorities handle revocation evidence under ETSI EN 319 411-1?
What ETSI EN 319 411-1 expects CAs to evidence for certificate revocation requests, status publication, CRL or OCSP updates, and archived revocation records.
RA delegation under ETSI EN 319 411-1
How certificate authorities can delegate registration authority work under ETSI EN 319 411-1 while keeping identity validation, secure data exchange, role controls, and audit evidence traceable.
Subscriber agreements under ETSI EN 319 411-1
How ETSI EN 319 411-1 expects CAs and TSPs to inform subscribers, record acceptance, handle subject consent, and retain subscriber-agreement evidence.
Subscriber identity validation under ETSI EN 319 411-1
How certificate authorities should validate subscriber and subject identity under ETSI EN 319 411-1, including evidence, authorization, subject categories, and registration records.