
ETSI EN 319 411-1 Subscriber agreements

A focused answer on what certificate authorities and trust service providers need to put in place before a certificate subscriber accepts terms.

Grounded in ETSI EN 319 411-1 and ETSI EN 319 401 source material. Use it as implementation guidance, not for legal interpretation.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026

Overview

Under ETSI EN 319 411-1, subscriber agreements are not just commercial paperwork. Before the subscriber enters the relationship, the TSP must communicate the certificate terms and conditions in a durable, human-readable way, record the agreement, and keep evidence that the subscriber accepted those terms by a traceable, wilful act.

Question 1

What does ETSI EN 319 411-1 require before a subscriber agreement?

The CA or TSP should start with the terms and conditions that explain certificate use, acceptance, obligations, and limitations. ETSI EN 319 411-1 clause 6.3.4 requires the subscriber to be informed of those terms before the contractual relationship is formed.

The agreement process also needs to be usable as evidence later. The terms must be communicated through a durable means, in human-readable form, before the agreement. Electronic transmission is allowed, but the record must still show what version was presented and how acceptance occurred.

  • Identify the certificate policy, CPS, terms and conditions, and any PKI disclosure statement that govern the subscriber relationship.
  • Present the applicable terms before the subscriber enters the contractual relationship or accepts the certificate.
  • Use a durable communication method that preserves the terms with integrity over time and is readable by the subscriber.
  • Define what constitutes certificate acceptance in the terms and conditions, rather than leaving acceptance implied by operational workflow.
Question 2

How should the agreement handle subscribers and subjects?

ETSI EN 319 411-1 distinguishes the subscriber from the certificate subject. If the subscriber and subject are separate entities and the subject is a natural or legal person, the agreement is expected to be in two parts: one ratified by the subscriber and one ratified by the subject.

That distinction matters for enterprise and delegated-certificate scenarios. The subscriber part should capture subscriber obligations, any secure-device requirement, consent to registration and revocation records, publication choices, and confirmation that certificate information is correct. The subject part should capture the subject obligations, secure-device acceptance where relevant, and consent to the records kept by the TSP.

  • Use a two-part agreement when the subscriber and subject are separate and the subject is a natural or legal person.
  • Use a traceable action such as signing or checking an acceptance box for each required ratification.
  • When the subscriber and subject are the same entity, or the subject is a device, include the subscriber and subject items in one or two agreement parts.
  • Allow staged acceptance only where the record still shows each accepted element, such as later confirmation that certificate information is correct.
Question 3

What evidence should a CA retain for subscriber agreements?

The evidence should prove the exact agreement, the terms accepted, the person or entity accepting, and the specific choices made during registration. ETSI EN 319 411-1 requires the agreement with the subscriber to be recorded, and, where the subscriber and subject are separate, the subject agreement to be recorded as well.

Records should also connect the agreement to the registration file. ETSI EN 319 411-1 lists the storage location of applications and identification documents, including the subscriber agreement, plus specific choices in the agreement such as consent to certificate publication.

  • Retain the signed or electronically accepted subscriber agreement and the version of terms and conditions presented at acceptance.
  • Keep evidence of the wilful act used for acceptance, such as signature data, acceptance timestamp, account identity, or equivalent trace record.
  • Record publication consent, secure-cryptographic-device acceptance, certificate-information confirmation, and any other agreement choices that affect issuance or relying-party information.
  • Retain the agreement records for the period indicated to the subscriber as part of the terms and conditions.
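
One way to check a registration file for the evidence described in Questions 2 and 3, as an added example that is not part of the original page or of the standard. The record layout, the item names, the SHA-256 binding of the presented terms, and the sample record are all assumptions made for illustration.

```python
import hashlib

# Hypothetical item names; ETSI EN 319 411-1 defines no record schema.
SUBSCRIBER_ITEMS = {"subscriber_obligations", "records_consent",
                    "publication_choice", "certificate_info_correct"}
SUBJECT_ITEMS = {"subject_obligations", "records_consent"}
TRACE_FIELDS = ("account", "act", "accepted_at", "terms_version", "terms_sha256")

def needs_two_parts(record):
    """Separate entities and a natural or legal person as subject."""
    return (record["subscriber_id"] != record["subject_id"]
            and record["subject_kind"] in ("natural_person", "legal_person"))

def evidence_gaps(record, archived_terms):
    """List missing evidence; archived_terms maps version -> bytes presented."""
    gaps, accepted = [], {"subscriber": set(), "subject": set()}
    for i, r in enumerate(record["ratifications"]):
        gaps += [f"ratification {i}: missing {f}" for f in TRACE_FIELDS if not r.get(f)]
        terms = archived_terms.get(r.get("terms_version"))
        if terms is None:
            gaps.append(f"ratification {i}: presented terms not archived")
        elif hashlib.sha256(terms).hexdigest() != r.get("terms_sha256"):
            gaps.append(f"ratification {i}: terms digest mismatch")
        # Staged acceptance: items accumulate across a party's ratifications.
        accepted[r["party"]] |= set(r.get("items", ()))
    if needs_two_parts(record):
        checks = [("subscriber", SUBSCRIBER_ITEMS, accepted["subscriber"]),
                  ("subject", SUBJECT_ITEMS, accepted["subject"])]
    else:  # same entity or device subject: one or two parts may carry the items
        checks = [("agreement", SUBSCRIBER_ITEMS | SUBJECT_ITEMS,
                   accepted["subscriber"] | accepted["subject"])]
    for party, required, got in checks:
        gaps += [f"{party}: no recorded acceptance of {item}"
                 for item in sorted(required - got)]
    return gaps

# Constructed sample: an organisation subscribes for an employee (natural person).
TERMS = {"2026-05": b"Constructed terms and conditions text, version 2026-05\n"}
DIGEST = hashlib.sha256(TERMS["2026-05"]).hexdigest()

def ratify(party, account, items, digest=DIGEST):
    return {"party": party, "account": account, "act": "checkbox",
            "accepted_at": "2026-05-09T10:00:00Z", "terms_version": "2026-05",
            "terms_sha256": digest, "items": items}

RECORD = {"subscriber_id": "org-1", "subject_id": "emp-7", "subject_kind": "natural_person",
          "ratifications": [ratify("subscriber", "admin@org-1.example",
                                   sorted(SUBSCRIBER_ITEMS - {"certificate_info_correct"}))]}
```

Calling `evidence_gaps(RECORD, TERMS)` on the constructed sample reports the subscriber's missing certificate-information confirmation and the absent subject part; the list becomes empty once a later subscriber ratification and a subject ratification are appended.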
Primary sources

References and citations

etsi.org
Referenced sections
  • Clause 6.2 supports the general TSP requirement to inform subscribers and relying parties of precise terms before a contractual relationship.
"Subscribers and parties relying on the trust service shall be informed"