A lifecycle workflow for EU qualified certificate services covering policy profile selection, identity validation, issuance, certificate changes, revocation, status services, and records.
Grounded in ETSI EN 319 411-2, ETSI EN 319 411-1, and eIDAS source material. Use it for implementation planning, not for legal interpretation.
Use this workflow when a trust service provider needs to turn an ETSI EN 319 411-2 qualified certificate policy into day-to-day lifecycle controls. The page follows the certificate from intake through issuance, change, revocation, status publication, disclosure, and archival evidence, while keeping EN 319 411-2's own caveat visible: conformance to the standard alone does not make the TSP or its certificates qualified under eIDAS.
The first workflow gate is not a generic compliance intake. It is a certificate-policy decision: identify whether the service is issuing qualified certificates to natural persons, legal persons, or website-authentication subscribers, and whether the claim depends on a QSCD.
Record the selected policy profile before registration work begins. EN 319 411-2 names QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, and QNCP-w-gen, and links each route to inherited Part 1 requirements such as NCP, NCP+, EVCP, OVCP, IVCP, DVCP, and WEB-tagged controls. This selection determines the identity checks, certificate profile, QSCD evidence, browser-forum dependencies, relying-party notice, and lifecycle records that follow.
Registration evidence should be collected before the CA signs anything. EN 319 411-2 points qualified-certificate identity validation to the person type: natural-person identity for QCP-n routes, legal-person identity and authorized representative evidence for QCP-l routes, and subscriber identity plus domain-link evidence for qualified website authentication routes.
For every initial issuance, renewal, re-key, or modification, the application workflow should prove that the subscriber and subject were registered, the attributes to be certified are still correct, the identity-proofing method is still allowed by the CPS, and the certificate request is accurate, authorized, complete, and linked to the registration evidence.
The issuance gate should verify that the certificate profile matches the policy selected at intake. EN 319 411-2 requires appropriate qcStatements, requires the QSCD qcStatement for QCP-n-qscd and QCP-l-qscd, and says the QSCD qcStatement must not be included outside those QSCD policy routes.
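One way to express the qcStatement part of this issuance gate is shown below. It is an added example, not code from EN 319 411-2 or from any TSP. It assumes the qcStatement OIDs have already been extracted from the to-be-signed certificate, takes the two statement OIDs from ETSI EN 319 412-5, and treats QcCompliance as required on every route, which is an assumption about what "appropriate qcStatements" includes; the function name is hypothetical.

```python
from collections import Counter

# Policy profiles named on this page; only the two *-qscd routes carry the QSCD statement.
POLICIES = {"QCP-n", "QCP-l", "QCP-n-qscd", "QCP-l-qscd",
            "QEVCP-w", "QNCP-w", "QNCP-w-gen"}
QSCD_POLICIES = {"QCP-n-qscd", "QCP-l-qscd"}

# qcStatement identifiers defined in ETSI EN 319 412-5.
QC_COMPLIANCE = "0.4.0.1862.1.1"  # id-etsi-qcs-QcCompliance
QC_SSCD = "0.4.0.1862.1.4"        # id-etsi-qcs-QcSSCD (the QSCD statement)


def check_qc_statements(intake_policy, statement_oids):
    """Return findings for a to-be-signed profile; an empty list passes the gate."""
    if intake_policy not in POLICIES:
        # Fail closed: no recorded policy profile means no basis for issuance.
        return [f"unknown policy profile {intake_policy!r}"]
    findings = []
    counts = Counter(statement_oids)
    for oid, n in sorted(counts.items()):
        if n > 1:
            findings.append(f"qcStatement {oid} appears {n} times")
    # Assumption: QcCompliance is part of the 'appropriate qcStatements' on every route.
    if QC_COMPLIANCE not in counts:
        findings.append("QcCompliance statement missing")
    has_qscd = QC_SSCD in counts
    if intake_policy in QSCD_POLICIES and not has_qscd:
        findings.append(f"{intake_policy} requires the QSCD qcStatement")
    if intake_policy not in QSCD_POLICIES and has_qscd:
        findings.append(f"QSCD qcStatement not allowed under {intake_policy}")
    return findings


# Constructed sample requests: (policy recorded at intake, qcStatement OIDs in the profile).
SAMPLES = [
    ("QCP-n-qscd", [QC_COMPLIANCE, QC_SSCD]),  # consistent QSCD route
    ("QCP-n-qscd", [QC_COMPLIANCE]),           # QSCD statement missing
    ("QNCP-w", [QC_COMPLIANCE, QC_SSCD]),      # QSCD statement outside a QSCD route
    ("QCP-x", [QC_COMPLIANCE]),                # policy never recorded at intake
]

if __name__ == "__main__":
    for policy, oids in SAMPLES:
        result = check_qc_statements(policy, oids)
        print(policy, "PASS" if not result else result)
```

Running the check on the to-be-signed profile, before the CA key is used, keeps a policy mismatch from becoming a revocation event.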
The relying-party notice is part of the lifecycle because it explains how the certificate can be relied on as an EU qualified certificate. EN 319 411-2 requires the notice to point relying parties to the appropriate EU trusted-list entry for the QTSP trust anchor, and the terms-and-conditions section requires a clear statement that the policy is for EU qualified certificates and whether QSCD use is required.
Treat renewal, re-key, and modification as separate lifecycle events. EN 319 411-1 distinguishes renewal as a new certificate using the previously certified public key, re-key as a new certificate with a new subject public key, and modification as a new certificate caused by changes to certified information other than the subscriber public key.
For EN 319 411-2 website-authentication routes, QEVCP-w has specific reuse and validity-period dependencies tied to EVCG, while non-QEVCP-w routes inherit the applicable Part 1 renewal, re-key, and modification requirements. For QSCD routes, the workflow must also monitor QSCD certification status and define CPS measures for status changes before certificate expiry.
The revocation workflow should be documented in the CPS before incidents occur. EN 319 411-1 requires the CPS to identify who can submit revocation requests or reports, how requests are submitted, confirmation procedures, reasons for revocation or suspension, the distribution mechanism for status information, and the maximum delays for status changes.
For qualified certificate services, status information is not just an operational convenience. EN 319 411-2 carries forward Part 1 status-service requirements and adds that revocation status information must be available beyond the certificate validity period through at least one method used during validity, such as CRL or OCSP, except for the validity-assured short-term certificate route described by the standard.
Close each lifecycle event with records that can be read after the certificate, CA key, supplier process, or TSP operation changes. EN 319 411-2 adds qualified-certificate record expectations to the inherited audit logging and records archival controls, including the need to maintain information as necessary to meet legal requirements beyond TSP termination.
Keep the conformance boundary explicit. EN 319 411-2 states that conformance to the standard alone does not imply that the TSP or its certificates are qualified under eIDAS, and Annex A says its policy mapping should not be treated as a definitive legal conformance statement.