---
title: "ETSI EN 319 411-2: Certificate Revocation FAQ"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/faq/revocation"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/faq/revocation"
author: "Sorena AI"
description: "Answer the ETSI EN 319 411-2 revocation question for qualified certificate services: CPS procedures, 24-hour publication, CRL or OCSP status, and evidence to retain."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ETSI EN 319 411-2"
  - "qualified certificate revocation"
  - "CRL"
  - "OCSP"
  - "certificate status"
  - "Revocation"
  - "FAQ"
  - "CRL and OCSP"
---
# ETSI EN 319 411-2: Certificate Revocation FAQ

Answer the ETSI EN 319 411-2 revocation question for qualified certificate services: CPS procedures, 24-hour publication, CRL or OCSP status, and evidence to retain.

## How should qualified trust service providers handle revocation under ETSI EN 319 411-2?

A standalone answer for qualified trust service teams translating ETSI EN 319 411-2 revocation clauses into CPS procedures, status publication, and audit evidence.

Grounded in external standards and official source URLs. Use it as implementation guidance, not for legal interpretation.

Short answer: under ETSI EN 319 411-2, a qualified trust service provider should treat revocation as a controlled certificate lifecycle process. The CPS needs to say who may request or report revocation, how requests are authenticated, when status changes are published, and how CRL or OCSP status remains available to relying parties.

## What should revocation procedures cover?

ETSI EN 319 411-2 makes the EN 319 411-1 revocation request controls applicable to qualified certificate services. In practice, the QTSP's CPS should define who can submit revocation requests or event reports, how they are submitted, when confirmation is required, what reasons can lead to suspension or revocation, and which mechanism distributes revocation status information.

The timing control is concrete: the actual certificate status change must be available to relying parties no later than 24 hours after receipt of the revocation or suspension request. If confirmation cannot be completed within that window, the CPS needs an exception procedure and the QTSP must record the actions taken and justification.

- Authenticate each revocation request or event report and check that it comes from an authorized source before changing certificate status.
- Process revocation requests and revocation-related event reports on receipt, with UTC-synchronized time used for the revocation service.
- Apply the 24-hour maximum delay to every revocation status method in use, since both CRL and OCSP publication can lag.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Clause 6.2.4 makes the EN 319 411-1 revocation request requirements applicable to EU qualified certificate services.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Clause 6.2.4 defines CPS content for revocation requests, the 24-hour publication limit, UTC synchronization, and authorized-source checks.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Article 24.3 is mapped by ETSI EN 319 411-2 to revocation request handling and certificate revocation clauses for qualified certificate issuers.

## What evidence should support revocation under ETSI EN 319 411-2?

Evidence should show that the QTSP can receive, authenticate, decide, publish, and preserve revocation status consistently for the qualified certificate profiles it issues. The useful audit trail is not a generic owner list; it is the sequence from request or event report through certificate database update and CRL or OCSP publication.

For revoked or suspended certificates, keep enough records to prove the received request time, authorization check, confirmation or exception path, decision time, status publication time, and notification to the subject or subscriber where possible.

- CPS extracts covering revocation request submitters, submission channels, confirmation rules, suspension or revocation reasons, CRL or OCSP distribution, and maximum delays.
- Timestamped revocation tickets or logs showing receipt, authorization, confirmation status, decision, certificate database update, CRL or OCSP publication, and any 24-hour exception justification.
- Status-service evidence showing 24/7 availability, integrity and authenticity protections, consistent updates across CRL and OCSP when both are used, and public international availability.
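
The timing and evidence points above can be checked mechanically. The following Python check is an added example, not part of the original guidance or of any ETSI text: it reviews revocation records against the 24-hour limit for each status method in use. The record schema, field names, the requirement that evidence timestamps are stored as timezone-aware UTC, and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MAX_DELAY = timedelta(hours=24)  # publication limit described on this page


@dataclass
class RevocationRecord:  # hypothetical evidence schema, not defined by ETSI
    serial: str
    received: datetime                        # request or event report receipt
    authorized: bool                          # authorized-source check passed
    published: Dict[str, Optional[datetime]]  # status method -> publication time
    exception_justification: Optional[str] = None


def review(rec: RevocationRecord, now: datetime) -> List[str]:
    """Return audit findings for one revocation record (empty list = clean)."""
    stamps = [rec.received, now] + [t for t in rec.published.values() if t]
    # Assumption of this example: evidence is stored as timezone-aware UTC.
    # Naive or offset timestamps are rejected before any deadline arithmetic.
    if any(t.utcoffset() != timedelta(0) for t in stamps):
        return ["timestamp is not UTC"]
    findings = []
    if not rec.authorized:
        findings.append("no authorized-source check recorded")
    deadline = rec.received + MAX_DELAY
    late = []
    # Every method in use is measured on its own: a fast OCSP update does not
    # excuse a CRL that reaches relying parties after the deadline.
    for method, at in sorted(rec.published.items()):
        if at is None and now > deadline:
            late.append(f"{method}: status still unpublished after 24h")
        elif at is not None and at > deadline:
            hours = (at - rec.received).total_seconds() / 3600
            late.append(f"{method}: published {hours:.1f}h after receipt")
    # A late publication is a finding only when no justification was recorded.
    if late and not rec.exception_justification:
        findings += [f"{item}, no exception justification" for item in late]
    return findings


def utc(day: int, hour: int, minute: int = 0) -> datetime:
    return datetime(2026, 3, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample records (serials and times are invented for illustration).
RECORDS = [
    RevocationRecord("01A1", utc(2, 9), True, {"crl": utc(2, 15), "ocsp": utc(2, 9, 5)}),
    RevocationRecord("01A2", utc(3, 10), True, {"crl": utc(4, 12, 30), "ocsp": utc(3, 10, 10)}),
    RevocationRecord("01A3", utc(3, 10), True, {"crl": utc(4, 12, 30), "ocsp": utc(3, 10, 10)},
                     "CRL signer outage, actions logged"),
    RevocationRecord("01A4", datetime(2026, 3, 5, 8), False, {"ocsp": utc(5, 8, 1)}),
    RevocationRecord("01A5", utc(6, 8), False, {"crl": None, "ocsp": utc(6, 8, 2)}),
]

if __name__ == "__main__":
    for rec in RECORDS:
        print(rec.serial, review(rec, now=utc(8, 0)) or "ok")
```
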

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Clause 6.3.10 adds qualified-certificate status requirements beyond certificate validity and requires practices statements and terms to explain how those requirements are met.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Clauses 6.3.9 and 6.3.10 support evidence for revocation decisions, notification, CRL publication, OCSP or CRL support, and consistency across status methods.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Article 24.4 is reflected in ETSI EN 319 411-2 status-service requirements for relying-party access to validity or revocation status.

## What checklist should teams use for revocation under ETSI EN 319 411-2?

Use a checklist that follows the certificate lifecycle clauses rather than a general compliance workflow. The review should prove that revocation requests are controlled, revoked certificates are not reinstated, and relying parties can obtain status information through the published mechanisms.

- Map each qualified certificate profile in scope to its revocation request process, including authorized submitters, confirmation rules, future-dated requests, emergency reasons, and UTC time source.
- Verify that non-expired certificates are revoked when they are no longer compliant with the applicable certificate policy, when known changes affect certificate validity, or when the cryptography no longer ensures the binding between subject and public key.
- Check CRL handling where CRLs are used: publication at least every 24 hours until the last CRL, nextUpdate values, signer, expired revoked certificate handling, and last-CRL preservation.
- Check OCSP handling where OCSP is used: archive cut-off use for status beyond expiry, last OCSP answers where applicable, and documented interpretation when OCSP and CRL update delays differ.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Clause 6.3.10 specifies CRL and OCSP requirements for making qualified-certificate revocation status available beyond validity.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Clause 6.3.9 defines revocation triggers, no reinstatement after definitive revocation, CRL timing, CARL timing, and short-term certificate handling.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - ETSI EN 319 411-2 maps eIDAS certificate revocation and relying-party status requirements to clauses 6.2.4, 6.3.9, and 6.3.10.

## Primary sources

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for applying EN 319 411-1 revocation controls to EU qualified certificate services and for qualified-certificate status rules beyond certificate validity.
  - Quote: "beyond the validity period"
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Supporting source for CPS revocation procedures, 24-hour status publication, CRL and OCSP service requirements, and records of revocation-related requests and actions.
  - Quote: "at most 24 hours"
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Legal source for qualified-certificate revocation and relying-party validity or revocation status expectations that ETSI EN 319 411-2 maps in Annex A.
  - Quote: "validity or revocation status"

