--- title: "How should QTSPs select an ETSI EN 319 411-2 qualified certificate profile?" canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/faq/qualified-profile-selection" source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/faq/qualified-profile-selection" author: "Sorena AI" description: "A focused FAQ on choosing QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen under ETSI EN 319 411-2." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "ETSI EN 319 411-2" - "QCP-n" - "QCP-l" - "QCP-n-qscd" - "QCP-l-qscd" - "QEVCP-w" - "QNCP-w" - "QNCP-w-gen" - "qualified certificate profile selection" - "FAQ" - "QSCD" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # How should QTSPs select an ETSI EN 319 411-2 qualified certificate profile? A focused FAQ on choosing QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen under ETSI EN 319 411-2. *Artifact Guide* *GLOBAL* *ETSI EN 319 411-2* ## ETSI EN 319 411-2 How should QTSPs choose the right qualified certificate profile A standalone answer for certificate policy teams deciding which EN 319 411-2 policy identifier fits a qualified signature, seal, QSCD, or website authentication certificate. Grounded in ETSI EN 319 411-2, ETSI EN 319 411-1, and eIDAS source material. Short answer: select the EN 319 411-2 profile from the certificate's intended qualified use. Use QCP-n for qualified certificates to natural persons, QCP-l for qualified certificates to legal persons, the -qscd variants when the private key must reside in a qualified signature or seal creation device, and the website profiles for qualified website authentication certificates. ## How should a QTSP choose between QCP-n, QCP-l, QSCD, and website profiles? Start with the relying-party purpose and subject type. EN 319 411-2 defines separate policy identifiers for qualified certificates issued to natural persons, qualified certificates issued to legal persons, qualified certificates tied to a QSCD, and qualified website authentication certificates. For signatures, the natural-person route is QCP-n, and QCP-n-qscd is used where the private key related to the certified public key resides in a QSCD. For seals, the legal-person route is QCP-l, and QCP-l-qscd is used where the private key resides in a QSCD. For website authentication, EN 319 411-2 separates QEVCP-w, QNCP-w, and QNCP-w-gen depending on the certificate route and the assurance model behind it. QEVCP-w follows EVCG-based requirements, QNCP-w follows BRG-based requirements for natural or legal persons, and QNCP-w-gen is the general-purpose website-authentication route. If the choice is still unclear, use the subject and assurance model as the tie-breaker: natural person plus signature points to QCP-n or QCP-n-qscd, legal person plus seal points to QCP-l or QCP-l-qscd, legal-person website authentication usually points to QEVCP-w, and natural or legal person website authentication under BRG points to QNCP-w. Use QNCP-w-gen when the website certificate needs the general-purpose route defined in EN 319 411-2 rather than the BRG or EVCG-specific route. - Use QCP-n when the qualified certificate is issued to a natural person for advanced electronic signatures based on a qualified certificate. - Use QCP-l when the qualified certificate is issued to a legal person for advanced electronic seals based on a qualified certificate. - Use QCP-n-qscd or QCP-l-qscd only when the selected signature or seal route requires the private key to reside in a QSCD. - Use QEVCP-w for a qualified website certificate based on EVCG, QNCP-w for a website certificate based on BRG, and QNCP-w-gen for the general-purpose website-authentication profile. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Defines the seven EU qualified certificate policy identifiers and describes their natural-person, legal-person, QSCD, and website-authentication use cases. - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Provides the general certificate policy, CPS, subscriber, repository, and lifecycle requirements that EN 319 411-2 builds on. - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Legal context for qualified trust services, qualified certificates, electronic signatures, electronic seals, and website authentication. ## What should the profile-selection record show? The record should show why the certificate policy and certificate contents match the qualified service being offered. EN 319 411-2 says that including one of its policy identifiers indicates the certificate is issued and managed according to that policy, so the identifier should not be treated as a cosmetic label. For a QSCD profile, the record needs more than a policy name. It should show why the service uses the -qscd route, how the QSCD condition is reflected in the certificate policy or CPS, and how the certificate contents handle the QSCD statement required for those profiles. - Identify the selected EN 319 411-2 profile and the exact policy identifier or TSP-allocated policy OID used in the certificate. - Record whether the subject is a natural person, a legal person, or a website-authentication subject, because the profile families are split on that basis. - For QCP-n-qscd and QCP-l-qscd, keep evidence that the QSCD route is intended and that the required QSCD qcStatement is included only for those profiles. - For website authentication, record whether the route is QEVCP-w, QNCP-w, or QNCP-w-gen and how that route relates to EVCP, OVCP, IVCP, or EN 319 411-1 WEB-tagged requirements. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the profile-selection evidence points: policy identifiers, QSCD-specific certificate content, and website-authentication profile routes. - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the underlying NCP, NCP+, EVCP, OVCP, IVCP, WEB, CPS, and certificate lifecycle concepts referenced by EN 319 411-2. - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Provides the legal frame for qualified certificates and qualified trust-service context behind the profile review. ## When should the selected profile be reviewed? Review the selected profile whenever the certificate purpose, subject population, QSCD handling, website-authentication route, policy OID, CPS wording, or certificate content changes. A profile that was correct for a non-QSCD natural-person certificate may be wrong after a QSCD service launch, and a signature or seal profile does not substitute for a website-authentication profile. The review should compare the certificate policy, CPS, terms and conditions, certificate profile, and issuance process against the selected EN 319 411-2 policy family before new certificates are issued under the changed route. - Reassess when moving between natural-person and legal-person certificates, because QCP-n and QCP-l point to different subject contexts. - Reassess before adding or removing QSCD reliance, because the -qscd profiles carry extra QSCD-specific requirements and certificate-content implications. - Reassess when changing a website certificate route between QEVCP-w, QNCP-w, and QNCP-w-gen, because the underlying assurance model differs. - Reassess when using a TSP-allocated policy OID, because EN 319 411-2 expects the referred policy to clearly identify which EN 319 411-2 policy it adopts as the basis. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports review triggers tied to subject type, QSCD status, website-authentication route, and TSP-allocated policy OIDs. - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Provides the general policy, CPS, and certificate lifecycle requirements used when reviewing whether the EN 319 411-2 route still fits. - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Supports the qualified certificate and qualified trust-service context behind the profile review. ## Primary sources - [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Defines QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, and QNCP-w-gen as EU qualified certificate policy identifiers. - Quote: "EU qualified certificate policy identifiers" - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Provides the general certificate policy and CPS requirements that EN 319 411-2 incorporates and specializes for EU qualified certificates. - Quote: "Policy and security requirements for Trust Service Providers issuing certificates" - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Provides the legal context for qualified certificates, qualified trust services, signatures, seals, and website authentication. - Quote: "electronic identification and trust services" ## Topic Guides - [eIDAS QTSP supervision workflow for ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/eidas-qtsp-supervision-workflow.md): Operational workflow for qualified trust service providers using ETSI EN 319 411-2 to manage supervisory-body changes, incidents, termination evidence, trusted-list checks, and assessment records. - [EN 319 411-2 vs EN 319 411-1 Qualified Certs](/artifacts/global/etsi-en-319-411-2/en-319-411-2-vs-en-319-411-1.md): Compare ETSI EN 319 411-2 qualified certificate requirements with EN 319 411-1 general certificate-service requirements, including QCP profiles, QSCD evidence, CP/CPS reuse, and audit boundaries. - [ETSI EN 319 411-2 compliance checklist](/artifacts/global/etsi-en-319-411-2/compliance.md): Compliance checklist for ETSI EN 319 411-2 qualified certificate services, covering policy selection, CP/CPS evidence, identity validation, QSCD status, trusted-list reliance, and certificate status services. - [ETSI EN 319 411-2 FAQ for EU Qualified Certificates](/artifacts/global/etsi-en-319-411-2/faq.md): Answers to common ETSI EN 319 411-2 questions about EU qualified certificate policies, QSCD use, identity validation, trusted lists, and revocation status services. - [ETSI EN 319 411-2 Identity Proofing](/artifacts/global/etsi-en-319-411-2/identity-proofing.md): How EN 319 411-2 applies identity validation for EU qualified certificates, including QCP natural-person, legal-person, website, and evidence-record checks. - [ETSI EN 319 411-2 QSCD Route](/artifacts/global/etsi-en-319-411-2/qscd-route.md): When QCP-n-qscd or QCP-l-qscd is the right EN 319 411-2 route, what QSCD evidence is needed, and which certificate-profile claims must stay aligned. - [ETSI EN 319 411-2 QTSP supervision evidence workflow](/artifacts/global/etsi-en-319-411-2/qtsp-supervision-evidence-workflow.md): Build an assessment-ready QTSP supervision evidence pack for ETSI EN 319 411-2 qualified certificate services, covering policy identifiers, trusted-list checks, incident records, QSCD evidence, and termination controls. - [ETSI EN 319 411-2 qualified certificate operations: issuance, suspension, and revocation](/artifacts/global/etsi-en-319-411-2/qualified-certificate-operations.md): Operational guide for ETSI EN 319 411-2 qualified certificate services: policy identifiers, identity validation, issuance, QSCD handling, revocation status, and relying-party notices. - [ETSI EN 319 411-2 Qualified Certificate Scope](/artifacts/global/etsi-en-319-411-2/qualified-certificate-scope.md): Use ETSI EN 319 411-2 to scope EU qualified certificate services by certificate policy, subject type, QSCD use, website authentication profile, and eIDAS context. - [ETSI EN 319 411-2 requirements map](/artifacts/global/etsi-en-319-411-2/requirements.md): Map ETSI EN 319 411-2 requirements for EU qualified certificate services across QCP profiles, CP/CPS documentation, QSCD use, certificate profiles, revocation, and eIDAS Annex A references. - [ETSI EN 319 411-2 trusted-list evidence](/artifacts/global/etsi-en-319-411-2/trusted-list-evidence.md): Build EN 319 411-2 trusted-list evidence for EU qualified certificate reliance: relying-party notice text, QTSP service identifiers, validation records, and change triggers. - [ETSI EN 319 411-2 trusted-list validation workflow](/artifacts/global/etsi-en-319-411-2/trusted-list-validation-workflow.md): Validate an EN 319 411-2 EU qualified-certificate claim by mapping the certificate service to the QTSP trusted-list entry, policy profile, relying-party notice, and status evidence. - [ETSI EN 319 411-2 vs eIDAS Qualified Trust Services](/artifacts/global/etsi-en-319-411-2/en-319-411-2-vs-eidas-qualified-trust-services.md): Compare ETSI EN 319 411-2 certificate policy requirements with the eIDAS qualified-status, supervision, audit, and trusted-list framework. - [ETSI EN 319 411-2: Certificate Revocation FAQ](/artifacts/global/etsi-en-319-411-2/faq/revocation.md): Answer the ETSI EN 319 411-2 revocation question for qualified certificate services: CPS procedures, 24-hour publication, CRL or OCSP status, and evidence to retain. - [ETSI EN 319 411-2: end-to-end qualified certificate lifecycle management workflow](/artifacts/global/etsi-en-319-411-2/qualified-certificate-lifecycle-workflow.md): Lifecycle workflow for ETSI EN 319 411-2 qualified certificate services, from policy selection and identity validation through issuance, renewal, re-key, modification, revocation, status services, and records. - [ETSI EN 319 411-2: Legal vs Natural Person Certs](/artifacts/global/etsi-en-319-411-2/faq/legal-and-natural-persons.md): ETSI EN 319 411-2 separates qualified certificate policies for natural persons, legal persons, QSCD use, and website authentication subscribers. - [ETSI EN 319 411-2: QCP, QNCP, and QEVCP Profile Selection](/artifacts/global/etsi-en-319-411-2/qcp-qncp-and-qevcp-profile-selection.md): Choose the right ETSI EN 319 411-2 qualified certificate policy profile: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen. - [ETSI EN 319 411-2: workflow for selecting QCP-n, QCP-l, or QCP-w certificate profile](/artifacts/global/etsi-en-319-411-2/qualified-profile-selector-workflow.md): Select the right ETSI EN 319 411-2 qualified certificate policy profile for signatures, seals, QSCD use, and website authentication. - [How should relying parties use trusted lists under ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/trusted-lists.md): FAQ on EN 319 411-2 trusted-list reliance for EU qualified certificates: relying-party notices, QTSP service identifiers, validation evidence, and source references. - [QSCD Requirements in ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qscd.md): How ETSI EN 319 411-2 treats QSCD-backed qualified certificates, including QCP-n-qscd and QCP-l-qscd policies, key-use controls, QSCD verification, and certificate profile evidence. - [QTSP Supervision and ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qtsp-supervision.md): How ETSI EN 319 411-2 supports QTSP supervision evidence for qualified certificate services, trusted-list reliance, liability responsibility, incident records, and audit preparation. - [Qualified certificates under ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificates.md): FAQ answer for QTSPs on how ETSI EN 319 411-2 treats EU qualified certificates, policy identifiers, QSCD variants, website certificates, and lifecycle evidence. - [What are the qualified certificate policies in ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificate-policies.md): FAQ on ETSI EN 319 411-2 qualified certificate policies, including QCP-n, QCP-l, QSCD variants, QEVCP-w, QNCP-w, and policy identifiers. - [Which QWAC Profile Fits ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/website-authentication-certificates.md): Choose between QEVCP-w, QNCP-w, and QNCP-w-gen for qualified website authentication certificates under ETSI EN 319 411-2. *Recommended next step* *Placement: after practical guidance* ## Map each qualified certificate route to the right policy identifier Use this answer to align certificate policy, CPS wording, certificate contents, and review triggers for QCP, QSCD, and qualified website authentication routes. - [Check profile fit](/solutions/assessment.md): Compare certificate purpose, subject type, QSCD use, and website-authentication route against the selected policy identifier. - [Research a profile question](/solutions/research-copilot.md): Trace profile selection issues back to EN 319 411-2, EN 319 411-1, and eIDAS source language. - [Review a certificate route](/contact.md): Walk through the selected QCP, QSCD, or website-authentication route before issuing certificates under it. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/global/etsi-en-319-411-2/faq/qualified-profile-selection