Artifact GuideGLOBALETSI EN 319 411-1

ETSI EN 319 411-1 How should certificate authorities handle suspension under ETSI EN 319 411-1

A focused answer for CA and TSP teams that support certificate suspension or need to explain why suspension is not part of a certificate policy.

Grounded in ETSI EN 319 411-1 certificate lifecycle, revocation, status-service, CPS, and records requirements.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Questions
3

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Short answer: ETSI EN 319 411-1 does not let suspension be an informal help-desk state. If a CA supports suspension, its CPS and relying-party information should say whether and why certificates can be suspended, how requests are handled, how quickly status information becomes available, and what evidence proves the decision. If the CA does not support suspension for a policy, that exclusion should also be clear in the policy and service documentation.

Search this module

Find a question or answer quickly

3 of 3 questions
Question 1

What should a CA document before enabling suspension?

Treat suspension as part of the same controlled certificate-status process as revocation, while keeping the two outcomes distinct. A definitive revocation cannot be reinstated under EN 319 411-1; suspension is therefore useful only where the applicable certificate policy, CPS, customer terms, and status systems can represent a temporary invalid state without confusing relying parties.

The CPS and subscriber-facing terms should describe whether certificates can be suspended or revoked, the reasons and request channels, the mechanism used to distribute status information, and the maximum delays for making the changed status visible to relying parties. EN 319 411-1 sets a hard outer timing rule for revocation or suspension requests: the actual certificate status information must be available to all relying parties within at most 24 hours after receipt of the request.

  • Define the suspension model in the CPS: supported certificate policies, accepted requesters, permitted reasons, confirmation method, status-service method, and how suspension differs from final revocation.
  • Validate authorization before changing status, using the same discipline expected for revocation requests and reports.
  • Make the suspension status visible through the CA's revocation-status service, such as CRL or OCSP, within the documented delay and no later than the ETSI 24-hour maximum after request receipt.
  • Inform the subject and, where applicable, the subscriber of a suspended certificate when this is possible.
  • Do not describe a suspended certificate as valid during the suspension period; relying-party notices should direct users to current certificate-status information.
Citations
Question 2

What evidence should support a certificate suspension decision?

The evidence should show both the business decision and the status-system result. A reviewer should be able to see who requested suspension, how the CA confirmed the request, when the request arrived, what certificate and policy were affected, when the status changed, which CRL or OCSP channel carried the new status, and whether the subject or subscriber was notified.

EN 319 411-1 also expects status information to be available continuously, protected for integrity and authenticity, and available at least until certificate expiry. Where a CA supports both CRL and online certificate status service methods, updates should be available for all methods and the information should stay consistent over time.

  • Request record: requester identity, certificate serial number, certificate policy, reason, request time, intake channel, and authority to request suspension.
  • Validation record: checks performed, decision owner or trusted role, confirmation result, exception path if confirmation was delayed, and final decision.
  • Status evidence: CRL entry or OCSP response evidence, publication time, next update or response timing data, and proof that all supported status methods carried consistent information over time.
  • Notice evidence: subject or subscriber notice, delivery attempt, failure reason if notice was not possible, and customer-service or repository update where applicable.
  • Case evidence: status-change ticket, approval, publication proof, rollback or final-revocation outcome, and the CP/CPS clause that authorized the temporary state.
Citations
Recommended next step

Build a controlled EN 319 411-1 suspension evidence trail

Use this FAQ to align CPS wording, request validation, status publication, subscriber notice, and assessment records before suspension samples reach an assessor.

Assessment workflow
Turn the answer into controls

Convert the suspension process into accountable tasks, evidence requests, and review milestones.

Explore next step
Research workflow
Ask a scoped follow-up

Use cited research support when scope, source interpretation, or evidence ownership is unclear.

Explore next step
Talk to Sorena
Talk through implementation

Review suspension scope, evidence, owners, and the next compliance actions with Sorena.

Explore next step
Question 3

What should CAs check before offering suspension?

A CA should offer suspension only when the surrounding policy, repository, and status-service design can make the temporary state unambiguous. The risk is not just operational delay; it is that relying parties, subscribers, auditors, or customer contracts may treat a suspended certificate differently from the CA's status infrastructure.

Before enabling or continuing suspension, compare the certificate policy, CPS, subscriber agreement, relying-party notice, CRL profile, OCSP behavior, repository wording, and incident or compromise procedures. The documents and systems should tell the same story about when suspension is available, how long it can last, who can request it, and what happens next.

  • Policy fit: confirm whether the relevant certificate policy permits suspension and whether any separate scheme, customer, browser-program, or national rule changes the answer.
  • Status fit: verify that CRL and OCSP behavior can expose the suspended state reliably and consistently wherever the CA offers both methods.
  • Timing fit: test whether intake, validation, approval, publication, and monitoring can meet the 24-hour status availability rule.
  • Exit fit: define when a suspended certificate returns to active status, moves to final revocation, or expires, and keep this separate from the EN 319 411-1 rule that final revocation is not reinstated.
  • Assessment fit: keep suspension samples in the audit file with the CP/CPS clause, requirement reference, requester evidence, publication evidence, and notification evidence.
Citations
Regulation (EU) No 910/2014 (eIDAS)

Supports the qualified-certificate context in which EU Member States may set national rules for temporary suspension and require the suspension period and status to be visible when those national rules apply.

Primary sources

References and citations

ETSI EN 319 401 V3.1.1 general policy requirements for TSPs
etsi.org
Referenced sections
  • Supports the general TSP management-system context for controlled procedures, evidence, security management, and continuity behind certificate-status operations.
"General Policy Requirements for Trust Service Providers"
ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements
etsi.org
Referenced sections
  • Supports checking policy disclosure, status-service availability, CRL and OCSP consistency, certificate-status publication timing, subject or subscriber notification, and the distinction between suspension and definitive revocation.
"Once a certificate is definitively revoked"
Regulation (EU) No 910/2014 (eIDAS)
eur-lex.europa.eu
Referenced sections
  • Supports the qualified-certificate context in which EU Member States may set national rules for temporary suspension and require the suspension period and status to be visible when those national rules apply.
"temporary suspension of qualified certificates"
Related guides

Explore more topics

CP vs CPS under ETSI EN 319 411-1
Understand how ETSI EN 319 411-1 separates Certificate Policy from Certification Practice Statement work for certification authorities and trust service providers.
EN 319 411-1 vs EN 319 411-2 Certificate Policy
Compare ETSI EN 319 411-1 general certificate-service requirements with EN 319 411-2 EU qualified certificate requirements, including policy scope, CP/CPS evidence, and audit boundaries.
ETSI EN 319 411-1 Audit File Evidence
Build an ETSI EN 319 411-1 audit evidence file for CA logging, registration records, revocation records, CA key lifecycle evidence, and records archival.
ETSI EN 319 411-1 CA Key Management
CA key management guidance for ETSI EN 319 411-1: CPS commitments, key ceremonies, secure cryptographic devices, backup, recovery, and lifecycle evidence.
ETSI EN 319 411-1 certificate lifecycle workflow
Workflow for EN 319 411-1 certificate application, issuance, acceptance, renewal, re-key, modification, revocation, suspension, status services, and evidence records.
ETSI EN 319 411-1 certificate re-key FAQ
What ETSI EN 319 411-1 requires when a TSP re-keys an existing certificate with a new subject public key.
ETSI EN 319 411-1 Certification Audit Evidence FAQ
How CAs should prepare ETSI EN 319 411-1 audit evidence for CP/CPS scope, registration records, revocation records, CA key logs, and retained assessment files.
ETSI EN 319 411-1 Compliance Guide
Build an ETSI EN 319 411-1 compliance file for certificate policies, CPS commitments, certificate lifecycle controls, revocation services, CA keys, and audit evidence.
ETSI EN 319 411-1 CP and CPS template
Build a certificate policy and Certification Practice Statement template for ETSI EN 319 411-1 certificate services, with fields for policy identifiers, subscribers, relying parties, revocation, publication, and evidence.
ETSI EN 319 411-1 FAQ for Certificate Services
Answers to common ETSI EN 319 411-1 questions on certificate policies, CPS content, CA and RA boundaries, subscriber evidence, revocation, status services, and record retention.
ETSI EN 319 411-1 Identity Validation
Identity validation requirements in ETSI EN 319 411-1 for subscribers, subjects, RAs, certificate requests, registration evidence, and issuance records.
ETSI EN 319 411-1 Identity Validation Evidence Workflow
A workflow for building ETSI EN 319 411-1 identity validation evidence packs across subscriber, subject, certificate request, RA, logging, and retention controls.
ETSI EN 319 411-1 RA Delegation Guide
How to scope registration authority delegation under ETSI EN 319 411-1, including delegated RA tasks, external provider controls, registration records, and audit evidence.
ETSI EN 319 411-1 RA Delegation Review Workflow
Review delegated registration authority work under ETSI EN 319 411-1: retained CA responsibility, recognized registration service providers, secure data exchange, CPS coverage, and audit evidence.
ETSI EN 319 411-1 requirements map for certificate services
Map ETSI EN 319 411-1 requirements for certificate policies, CP/CPS content, registration, revocation, certificate status, and CA key-management evidence.
ETSI EN 319 411-1 Revocation Evidence Workflow
Build a revocation evidence workflow for ETSI EN 319 411-1 covering CPS procedures, request authentication, 24-hour status updates, CRL/OCSP publication, logs, and retention.
ETSI EN 319 411-1 Revocation, OCSP, and CRL Operations
Operate ETSI EN 319 411-1 revocation status services with CPS procedures, authenticated requests, 24-hour CRL or OCSP publication controls, and audit evidence.
ETSI EN 319 411-1 vs CA/B Forum Baseline Requirements
Compare how EN 319 411-1 incorporates CA/B Forum BRG concepts for DVCP, OVCP, IVCP, [WEB] requirements, CPS disclosure, domain validation, and conflict handling.
How should certificate authorities handle revocation evidence under ETSI EN 319 411-1?
What ETSI EN 319 411-1 expects CAs to evidence for certificate revocation requests, status publication, CRL or OCSP updates, and archived revocation records.
RA delegation under ETSI EN 319 411-1
How certificate authorities can delegate registration authority work under ETSI EN 319 411-1 while keeping identity validation, secure data exchange, role controls, and audit evidence traceable.
Subscriber agreements under ETSI EN 319 411-1
How ETSI EN 319 411-1 expects CAs and TSPs to inform subscribers, record acceptance, handle subject consent, and retain subscriber-agreement evidence.
Subscriber identity validation under ETSI EN 319 411-1
How certificate authorities should validate subscriber and subject identity under ETSI EN 319 411-1, including evidence, authorization, subject categories, and registration records.