Search every question across sub-FAQs

Use the checklist to prevent the common error of treating all certificates, all certificate policies, or all QTSP services as interchangeable. The useful review is certificate-policy specific and should be repeated when the certificate profile, CPS, QSCD route, website certificate route, trusted-list status, or relevant ETSI/eIDAS source changes.

ETSI EN 319 411-2 defines seven EU qualified certificate policies. QCP-n covers EU qualified certificates issued to natural persons, and QCP-l covers EU qualified certificates issued to legal persons. QCP-n-qscd and QCP-l-qscd are the corresponding policies when the private key related to the certified public key must reside in a qualified signature or seal creation device.

For qualified website authentication certificates, QEVCP-w is based on EVCP, QNCP-w is based on NCP plus OVCP or IVCP, and QNCP-w-gen is based on NCP plus requirements tagged as WEB in ETSI EN 319 411-1. The selected policy should be visible in the CP/CPS, terms and conditions, certificate profile, and policy identifier evidence.

Start with the certificate purpose and subject. Natural-person signature certificates point to QCP-n or QCP-n-qscd. Legal-person seal certificates point to QCP-l or QCP-l-qscd. Website authentication certificates point to QEVCP-w, QNCP-w, or QNCP-w-gen depending on the validation route and applicable CA/Browser Forum baseline or extended-validation requirements.

Then check the device and baseline inheritance. EN 319 411-2 states that QCP-n and QCP-l use NCP unless the TSP terms and conditions require a secure cryptographic device, in which case NCP+ applies. The QSCD-specific policies include the corresponding QCP policy plus QSCD provisions. Website routes inherit EVCP, NCP, OVCP or IVCP, and WEB-tagged requirements as applicable.

The evidence should prove that the selected policy identifier matches the certificate type and the service actually operated. Keep the CP/CPS section that names the policy, the certificate profile showing the policy OID, the terms and conditions that determine secure-device use, and issuance or audit evidence showing whether the service follows the inherited EN 319 411-1 requirements.

Do not treat Annex A as a legal conformance certificate. EN 319 411-2 says the annex maps policy references to eIDAS requirements, but also warns that the annex is not a definitive statement of conformance to eIDAS and that non-technical legal requirements are outside the standard's scope.

ETSI EN 319 411-2 defines three EU qualified website authentication certificate policy profiles: QEVCP-w, QNCP-w, and QNCP-w-gen. The profile choice is not cosmetic because the selected policy determines which EN 319 411-1 baseline, CA/Browser Forum dependency, and qualified-certificate additions must be reflected in the CP, CPS, certificate profile, and evidence pack.

Choose QEVCP-w when the qualified website certificate is issued to a legal person and follows the Extended Validation Certificate Policy route. Choose QNCP-w when the route is based on NCP plus either OVCP or IVCP. Choose QNCP-w-gen when the service is a general-purpose qualified website authentication certificate route based on NCP plus selected web-authentication requirements in EN 319 411-1.

For QEVCP-w, QNCP-w, and QNCP-w-gen, EN 319 411-2 ties initial validation to the subscriber type and the domain name. If the subscriber is a natural person, verify the subscriber identity and link with the domain name using the QCP-n route. If the subscriber is a legal person, verify the legal-person identity, authorized-representative route, and link with the domain name using the QCP-l route.

That means the evidence pack should not stop at a domain-control check. It should also show the selected QWAC policy identifier, the subscriber type, the identity route, the domain-name link, the applicable CA/Browser Forum or web-authentication dependency, and how those records are reflected in the CP, CPS, subscriber agreement, certificate contents, and repository publication.

Review the QWAC profile whenever the QTSP changes its CP/CPS, certificate profile, subscriber validation workflow, CA/RA responsibility split, repository publication process, or CA/Browser Forum dependency. The review should confirm that the public certificate policy OID and the evidence trail still describe the same qualified website authentication route.

The most useful audit file is a profile matrix: one row for each QWAC profile offered, with the policy identifier, subscriber type, EN 319 411-1 dependency, CA/Browser Forum or web-authentication dependency, identity-validation route, domain-link evidence, certificate-profile checks, and repository/status-service evidence.