--- title: "Which QWAC Profile Fits ETSI EN 319 411-2?" canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/faq/website-authentication-certificates" source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/faq/website-authentication-certificates" author: "Sorena AI" description: "Choose between QEVCP-w, QNCP-w, and QNCP-w-gen for qualified website authentication certificates under ETSI EN 319 411-2." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "ETSI EN 319 411-2" - "QWAC" - "QEVCP-w" - "QNCP-w" - "QNCP-w-gen" - "qualified website authentication certificates" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # Which QWAC Profile Fits ETSI EN 319 411-2? Choose between QEVCP-w, QNCP-w, and QNCP-w-gen for qualified website authentication certificates under ETSI EN 319 411-2. *FAQ* *GLOBAL* *ETSI EN 319 411-2* ## ETSI EN 319 411-2 Which QWAC profile should a QTSP use? A source-grounded answer for selecting the ETSI EN 319 411-2 qualified website authentication certificate profile. Use it to separate QEVCP-w, QNCP-w, and QNCP-w-gen evidence before updating a CP, CPS, certificate profile, or audit pack. Use the QWAC profile that matches the website certificate assurance route. QEVCP-w is the extended-validation route for legal-person website certificates, QNCP-w is the organization-validated or individual-validated route based on NCP plus OVCP or IVCP, and QNCP-w-gen is the general-purpose qualified website authentication route based on NCP plus the web-authentication requirements in EN 319 411-1. ## How do the three QWAC profiles differ? ETSI EN 319 411-2 defines three EU qualified website authentication certificate policy profiles: QEVCP-w, QNCP-w, and QNCP-w-gen. The profile choice is not cosmetic because the selected policy determines which EN 319 411-1 baseline, CA/Browser Forum dependency, and qualified-certificate additions must be reflected in the CP, CPS, certificate profile, and evidence pack. Choose QEVCP-w when the qualified website certificate is issued to a legal person and follows the Extended Validation Certificate Policy route. Choose QNCP-w when the route is based on NCP plus either OVCP or IVCP. Choose QNCP-w-gen when the service is a general-purpose qualified website authentication certificate route based on NCP plus selected web-authentication requirements in EN 319 411-1. - QEVCP-w: legal-person QWAC route based on EVCP and the CA/Browser Forum Extended Validation Guidelines. - QNCP-w: natural-person or legal-person QWAC route based on NCP plus OVCP or IVCP and the CA/Browser Forum Baseline Requirements. - QNCP-w-gen: general-purpose QWAC route based on NCP plus selected web-authentication requirements in EN 319 411-1. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Clauses 4.2.2, 5.1, and 5.3 define QEVCP-w, QNCP-w, and QNCP-w-gen and map them to EVCP, NCP, OVCP, IVCP, BRG, EVCG, and web-authentication dependencies. - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - EN 319 411-1 supplies the EVCP, OVCP, IVCP, NCP, and web-authentication requirements that EN 319 411-2 builds on for qualified website authentication profiles. ## What must be proven before issuing a QWAC? For QEVCP-w, QNCP-w, and QNCP-w-gen, EN 319 411-2 ties initial validation to the subscriber type and the domain name. If the subscriber is a natural person, verify the subscriber identity and link with the domain name using the QCP-n route. If the subscriber is a legal person, verify the legal-person identity, authorized-representative route, and link with the domain name using the QCP-l route. That means the evidence pack should not stop at a domain-control check. It should also show the selected QWAC policy identifier, the subscriber type, the identity route, the domain-name link, the applicable CA/Browser Forum or web-authentication dependency, and how those records are reflected in the CP, CPS, subscriber agreement, certificate contents, and repository publication. - Record the selected policy identifier: QEVCP-w, QNCP-w, or QNCP-w-gen. - Keep separate evidence for subscriber identity, authority to request the certificate, and the subscriber's link with the domain name. - For QEVCP-w and QNCP-w, track conflicts or updates in the applicable BRG or EVCG route because EN 319 411-2 gives those requirements precedence in conflict cases. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Clause 6.2.2 applies QCP-n or QCP-l identity validation to QWAC subscribers and adds verification of the subscriber's link with the domain name. - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - eIDAS provides the EU legal context referenced by EN 319 411-2 for qualified certificates used for website authentication. ## What review checks keep the QWAC profile defensible? Review the QWAC profile whenever the QTSP changes its CP/CPS, certificate profile, subscriber validation workflow, CA/RA responsibility split, repository publication process, or CA/Browser Forum dependency. The review should confirm that the public certificate policy OID and the evidence trail still describe the same qualified website authentication route. The most useful audit file is a profile matrix: one row for each QWAC profile offered, with the policy identifier, subscriber type, EN 319 411-1 dependency, CA/Browser Forum or web-authentication dependency, identity-validation route, domain-link evidence, certificate-profile checks, and repository/status-service evidence. - Do not market a certificate as a QWAC unless the EN 319 411-2 profile, qualified status context, and certificate-policy evidence all line up. - Do not reuse a generic TLS certificate checklist when the qualified website authentication route requires a specific EN 319 411-2 policy identifier. - Do not merge QEVCP-w, QNCP-w, and QNCP-w-gen findings into one control row; each route has different dependencies and evidence. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Clause 5.3 lists the policy identifiers relying parties can use to assess certificate suitability and trustworthiness under the eIDAS framework. - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - EN 319 411-1 provides the repository, subscriber validation, certificate lifecycle, and web-authentication controls that remain part of the QWAC evidence trail. ## Primary sources - [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary standard for EU qualified certificate policy profiles, including QEVCP-w, QNCP-w, and QNCP-w-gen. - Quote: "EU qualified website authentication certificates" - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Base ETSI certificate policy standard used by EN 319 411-2 for NCP, EVCP, OVCP, IVCP, and web-authentication requirements. - Quote: "requirements common to web-authentication certificates" - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - EU legal framework referenced by EN 319 411-2 for qualified certificates and website authentication trust services. - Quote: "electronic identification and trust services" ## Topic Guides - [eIDAS QTSP supervision workflow for ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/eidas-qtsp-supervision-workflow.md): Operational workflow for qualified trust service providers using ETSI EN 319 411-2 to manage supervisory-body changes, incidents, termination evidence, trusted-list checks, and assessment records. - [EN 319 411-2 vs EN 319 411-1 Qualified Certs](/artifacts/global/etsi-en-319-411-2/en-319-411-2-vs-en-319-411-1.md): Compare ETSI EN 319 411-2 qualified certificate requirements with EN 319 411-1 general certificate-service requirements, including QCP profiles, QSCD evidence, CP/CPS reuse, and audit boundaries. - [ETSI EN 319 411-2 compliance checklist](/artifacts/global/etsi-en-319-411-2/compliance.md): Compliance checklist for ETSI EN 319 411-2 qualified certificate services, covering policy selection, CP/CPS evidence, identity validation, QSCD status, trusted-list reliance, and certificate status services. - [ETSI EN 319 411-2 FAQ for EU Qualified Certificates](/artifacts/global/etsi-en-319-411-2/faq.md): Answers to common ETSI EN 319 411-2 questions about EU qualified certificate policies, QSCD use, identity validation, trusted lists, and revocation status services. - [ETSI EN 319 411-2 Identity Proofing](/artifacts/global/etsi-en-319-411-2/identity-proofing.md): How EN 319 411-2 applies identity validation for EU qualified certificates, including QCP natural-person, legal-person, website, and evidence-record checks. - [ETSI EN 319 411-2 QSCD Route](/artifacts/global/etsi-en-319-411-2/qscd-route.md): When QCP-n-qscd or QCP-l-qscd is the right EN 319 411-2 route, what QSCD evidence is needed, and which certificate-profile claims must stay aligned. - [ETSI EN 319 411-2 QTSP supervision evidence workflow](/artifacts/global/etsi-en-319-411-2/qtsp-supervision-evidence-workflow.md): Build an assessment-ready QTSP supervision evidence pack for ETSI EN 319 411-2 qualified certificate services, covering policy identifiers, trusted-list checks, incident records, QSCD evidence, and termination controls. - [ETSI EN 319 411-2 qualified certificate operations: issuance, suspension, and revocation](/artifacts/global/etsi-en-319-411-2/qualified-certificate-operations.md): Operational guide for ETSI EN 319 411-2 qualified certificate services: policy identifiers, identity validation, issuance, QSCD handling, revocation status, and relying-party notices. - [ETSI EN 319 411-2 Qualified Certificate Scope](/artifacts/global/etsi-en-319-411-2/qualified-certificate-scope.md): Use ETSI EN 319 411-2 to scope EU qualified certificate services by certificate policy, subject type, QSCD use, website authentication profile, and eIDAS context. - [ETSI EN 319 411-2 requirements map](/artifacts/global/etsi-en-319-411-2/requirements.md): Map ETSI EN 319 411-2 requirements for EU qualified certificate services across QCP profiles, CP/CPS documentation, QSCD use, certificate profiles, revocation, and eIDAS Annex A references. - [ETSI EN 319 411-2 trusted-list evidence](/artifacts/global/etsi-en-319-411-2/trusted-list-evidence.md): Build EN 319 411-2 trusted-list evidence for EU qualified certificate reliance: relying-party notice text, QTSP service identifiers, validation records, and change triggers. - [ETSI EN 319 411-2 trusted-list validation workflow](/artifacts/global/etsi-en-319-411-2/trusted-list-validation-workflow.md): Validate an EN 319 411-2 EU qualified-certificate claim by mapping the certificate service to the QTSP trusted-list entry, policy profile, relying-party notice, and status evidence. - [ETSI EN 319 411-2 vs eIDAS Qualified Trust Services](/artifacts/global/etsi-en-319-411-2/en-319-411-2-vs-eidas-qualified-trust-services.md): Compare ETSI EN 319 411-2 certificate policy requirements with the eIDAS qualified-status, supervision, audit, and trusted-list framework. - [ETSI EN 319 411-2: Certificate Revocation FAQ](/artifacts/global/etsi-en-319-411-2/faq/revocation.md): Answer the ETSI EN 319 411-2 revocation question for qualified certificate services: CPS procedures, 24-hour publication, CRL or OCSP status, and evidence to retain. - [ETSI EN 319 411-2: end-to-end qualified certificate lifecycle management workflow](/artifacts/global/etsi-en-319-411-2/qualified-certificate-lifecycle-workflow.md): Lifecycle workflow for ETSI EN 319 411-2 qualified certificate services, from policy selection and identity validation through issuance, renewal, re-key, modification, revocation, status services, and records. - [ETSI EN 319 411-2: Legal vs Natural Person Certs](/artifacts/global/etsi-en-319-411-2/faq/legal-and-natural-persons.md): ETSI EN 319 411-2 separates qualified certificate policies for natural persons, legal persons, QSCD use, and website authentication subscribers. - [ETSI EN 319 411-2: QCP, QNCP, and QEVCP Profile Selection](/artifacts/global/etsi-en-319-411-2/qcp-qncp-and-qevcp-profile-selection.md): Choose the right ETSI EN 319 411-2 qualified certificate policy profile: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen. - [ETSI EN 319 411-2: workflow for selecting QCP-n, QCP-l, or QCP-w certificate profile](/artifacts/global/etsi-en-319-411-2/qualified-profile-selector-workflow.md): Select the right ETSI EN 319 411-2 qualified certificate policy profile for signatures, seals, QSCD use, and website authentication. - [How should QTSPs select an ETSI EN 319 411-2 qualified certificate profile?](/artifacts/global/etsi-en-319-411-2/faq/qualified-profile-selection.md): A focused FAQ on choosing QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen under ETSI EN 319 411-2. - [How should relying parties use trusted lists under ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/trusted-lists.md): FAQ on EN 319 411-2 trusted-list reliance for EU qualified certificates: relying-party notices, QTSP service identifiers, validation evidence, and source references. - [QSCD Requirements in ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qscd.md): How ETSI EN 319 411-2 treats QSCD-backed qualified certificates, including QCP-n-qscd and QCP-l-qscd policies, key-use controls, QSCD verification, and certificate profile evidence. - [QTSP Supervision and ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qtsp-supervision.md): How ETSI EN 319 411-2 supports QTSP supervision evidence for qualified certificate services, trusted-list reliance, liability responsibility, incident records, and audit preparation. - [Qualified certificates under ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificates.md): FAQ answer for QTSPs on how ETSI EN 319 411-2 treats EU qualified certificates, policy identifiers, QSCD variants, website certificates, and lifecycle evidence. - [What are the qualified certificate policies in ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificate-policies.md): FAQ on ETSI EN 319 411-2 qualified certificate policies, including QCP-n, QCP-l, QSCD variants, QEVCP-w, QNCP-w, and policy identifiers. *Recommended next step* *Placement: after practical guidance* ## Map each qualified website authentication route to its policy and proof Use this FAQ as the starting point for a QWAC profile matrix covering policy identifiers, subscriber validation, domain-link evidence, and certificate-profile checks. - [Build the evidence matrix](/solutions/assessment.md): Convert QEVCP-w, QNCP-w, and QNCP-w-gen requirements into owned controls and review checkpoints. - [Check a profile question](/solutions/research-copilot.md): Use cited research support when the route, subscriber type, or source dependency is unclear. - [Talk through implementation](/contact.md): Review the profile choice, certificate-policy evidence, and next QWAC control updates with Sorena. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/global/etsi-en-319-411-2/faq/website-authentication-certificates