- Supports the underlying Part 1 certificate lifecycle and general certificate-provider requirements referenced by EN 319 411-2.
Answers to practical questions about ETSI EN 319 411-2 policy profiles, qualified certificate lifecycle controls, QSCD handling, trusted lists, and revocation-status obligations.
Grounded in ETSI EN 319 411-2, related ETSI certificate standards, and eIDAS source material. Use it for implementation planning, not for legal interpretation.
ETSI EN 319 411-2 is the ETSI standard for trust service providers issuing EU qualified certificates. This FAQ focuses on the questions that usually decide implementation scope: which qualified certificate policy applies, whether a QSCD is part of the claim, what identity validation evidence is needed, how relying parties should see trusted-list information, and how revocation status is kept available.
ETSI EN 319 411-2 covers policy and security requirements for trust service providers issuing EU qualified certificates. It addresses issuance, maintenance, and lifecycle management for qualified certificates issued to natural persons, legal persons, and website authentication services under the eIDAS framework.
The standard is not a standalone operating manual. It incorporates the general certificate-provider requirements in ETSI EN 319 411-1 and the broader trust-service policy requirements in ETSI EN 319 401, then adds requirements for qualified certificate services.
No. EN 319 411-2 is an ETSI requirements standard for qualified certificate services, but the standard itself states that conformance to it alone does not imply that the TSP or the certificates it issues are qualified under Regulation (EU) No 910/2014.
For public claims, separate the standards evidence from the regulatory status evidence. A reviewer should be able to see the applicable certificate policy profile, the conformity assessment context, the supervisory or trusted-list status, and the certificate-service boundary that the claim depends on.
Select the profile by the certificate subject and the intended qualified use. QCP-n is for EU qualified certificates issued to natural persons, QCP-l is for legal persons, QCP-n-qscd and QCP-l-qscd add the requirement that the private key and certificate reside on a QSCD, and QEVCP-w, QNCP-w, and QNCP-w-gen address EU qualified website authentication certificates.
The profile choice affects the policy identifier in the certificate, the CP and CPS text, identity proofing route, device evidence, subscriber obligations, and relying-party disclosures. Treat profile selection as a certificate-service design decision, not as a label added at the end.
For QCP-n and QCP-n-qscd, the natural person's identity and any specific attributes are verified either by physical presence or by methods that provide equivalent assurance and can be proven by the TSP. For QCP-l and QCP-l-qscd, the legal person's identity is verified through the physical presence of an authorized representative or an equivalent-assurance route.
For qualified website authentication profiles, EN 319 411-2 links the identity check to whether the subscriber is a natural person or legal person and also requires verification of the subscriber's link with the domain name to be certified.
QSCD evidence matters when the selected profile is QCP-n-qscd or QCP-l-qscd, or when a public claim depends on the private key and related certificate residing on a qualified signature or seal creation device. EN 319 411-2 requires the TSP to verify that the device is certified as a QSCD and that the certificate request process ensures the public key comes from a key pair generated by a QSCD.
The standard also addresses cases where a third-party TSP manages the device, movement of a subject's private key between devices, and changes in QSCD certification status before certificate expiry.
EN 319 411-2 requires the notice to relying parties to explain that, for a certificate to be relied on as an EU qualified certificate, the trust anchor for validation is identified in a service digital identifier of an appropriate EU trusted-list entry for a QTSP.
That means relying-party instructions should not stop at certificate-chain validation. They should also explain how the relying party confirms qualified status through the relevant trusted-list entry and the applicable validation procedure.
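The relying-party check described above, as an added example that is not part of the original page: a certificate is relied on as qualified only when path validation succeeds, a qualified policy identifier is present, and the trust anchor matches a granted CA/QC service in the trusted list. `TlService`, `ValidatedPath`, and `assess` are hypothetical names, the service digital identifier is modelled as a certificate fingerprint, the OIDs and URIs come from the ETSI specifications rather than this page, and the sample entries are constructed; the full validation procedure has further conditions this sketch leaves out.

```python
from dataclasses import dataclass

# ETSI policy identifiers for the natural/legal-person profiles
# (website profiles are left out of this sketch).
QCP_OIDS = {"0.4.0.194112.1.0": "QCP-n", "0.4.0.194112.1.1": "QCP-l",
            "0.4.0.194112.1.2": "QCP-n-qscd", "0.4.0.194112.1.3": "QCP-l-qscd"}
# Trusted-list service type and status URIs (ETSI TS 119 612).
CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"

@dataclass(frozen=True)
class TlService:            # one service entry from a trusted list
    digital_id: str         # service digital identifier (assumed: cert fingerprint)
    service_type: str
    status: str

@dataclass(frozen=True)
class ValidatedPath:        # output of ordinary certificate-path validation
    chain_ok: bool
    anchor_id: str          # fingerprint of the trust anchor the path ended at
    policy_oids: tuple      # certificatePolicies OIDs in the end-entity cert

def assess(path, trusted_list):
    """Return (rely_as_qualified, profile, reason) for a relying party."""
    if not path.chain_ok:
        return (False, None, "chain validation failed")
    profile = next((QCP_OIDS[o] for o in path.policy_oids if o in QCP_OIDS), None)
    if profile is None:
        return (False, None, "no qualified policy identifier")
    matches = [s for s in trusted_list if s.digital_id == path.anchor_id]
    if not matches:
        return (False, profile, "trust anchor not in trusted list")
    if any(s.service_type == CA_QC and s.status == GRANTED for s in matches):
        return (True, profile, "trust anchor is a granted CA/QC service")
    return (False, profile, "trust anchor listed but not a granted CA/QC service")

# Constructed sample data: fingerprints are placeholders, not real services.
SAMPLE_TL = [TlService("fp-anchor-A", CA_QC, GRANTED),
             TlService("fp-anchor-B", CA_QC, WITHDRAWN)]

def demo():
    oid = ("0.4.0.194112.1.2",)   # QCP-n-qscd in every case; only the anchor varies
    return [assess(ValidatedPath(True, a, oid), SAMPLE_TL)
            for a in ("fp-anchor-A", "fp-anchor-B", "fp-anchor-C")]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

All three sample paths carry the same QCP-n-qscd identifier and a valid chain; only the one anchored in the granted entry comes back as reliable, so the policy OID on its own decides nothing.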
EN 319 411-2 requires revocation status information to be made available beyond the certificate validity period through at least one method used during the certificate validity period, such as CRL or OCSP, except where the standard allows treatment of validity-assured short-term certificates.
The TSP's practice statements and terms and conditions need to explain how the status-service requirements are met, including the period of availability, how status is provided after CA key compromise, and how status is provided if the TSP terminates.
The evidence set should connect each qualified certificate to the selected policy profile, identity validation route, certificate application and issuance record, subscriber agreement, certificate profile and policy identifiers, revocation history, status-service behavior, and any QSCD or trusted-list evidence relevant to the claim.
For an audit or readiness review, the most useful record is not a broad compliance assertion. It is a traceable chain from policy profile to CPS control, operational record, certificate data, status-service output, and relying-party disclosure.