--- title: "ETSI EN 319 411-2 qualified certificate operations: issuance, suspension, and revocation" canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/qualified-certificate-operations" source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/qualified-certificate-operations" author: "Sorena AI" description: "Operational guide for ETSI EN 319 411-2 qualified certificate services: policy identifiers, identity validation, issuance, QSCD handling, revocation status, and relying-party notices." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "ETSI EN 319 411-2" - "EU qualified certificates" - "qualified certificate operations" - "QTSP" - "QSCD" - "certificate status services" - "qualified certificates" - "certificate lifecycle" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # ETSI EN 319 411-2 qualified certificate operations: issuance, suspension, and revocation Operational guide for ETSI EN 319 411-2 qualified certificate services: policy identifiers, identity validation, issuance, QSCD handling, revocation status, and relying-party notices. *Artifact Guide* *GLOBAL* *ETSI EN 319 411-2* ## ETSI EN 319 411-2 qualified certificate operations Run EU qualified certificate services with the operational evidence EN 319 411-2 expects across policy selection, identity validation, issuance, QSCD handling, and status services. Use this page to align CP/CPS clauses, certificate policy identifiers, subscriber terms, relying-party notices, and change records before an assessment or customer review. ETSI EN 319 411-2 covers the issuance, maintenance, and life-cycle management of EU qualified certificates for electronic signatures, electronic seals, and website authentication. Operational readiness means proving that each issued certificate follows the selected qualified policy, inherited EN 319 411-1 controls, eIDAS-qualified context, and certificate-status obligations without treating standard conformance alone as qualified status. ## Set the operational boundary before issuing certificates Start each qualified certificate operation with the service boundary: issuing TSP, CA or RA roles, certificate population, subject type, policy identifier, CP, CPS, subscriber terms, repository location, and relying-party notice. EN 319 411-2 incorporates EN 319 411-1 general certificate requirements, so the operating file should show both the general control baseline and the qualified-certificate additions. The boundary should also separate qualified-service recognition from standards implementation. EN 319 411-2 states that conformance to the standard alone does not make the TSP or its certificates qualified under Regulation (EU) No 910/2014, so keep trusted-list, supervisory, or assessment evidence with the operating record when a qualified-status claim is made. - Name the qualified certificate policy in use: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen. - Record whether the certificate service is for natural persons, legal persons, qualified electronic signatures, qualified electronic seals, or website authentication. - Map the selected policy to the CP, CPS, subscriber agreement, certificate profile, and repository material that relying parties can use. - Keep EN 319 411-1 inherited controls visible instead of treating EN 319 411-2 as a standalone operating manual. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the operating scope for EU qualified certificate issuance, maintenance, life-cycle management, policy identifiers, and the warning that standard conformance alone is not qualified status. - [ETSI EN 319 411-1 V1.5.1 general certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Provides the general certificate policy, CPS, repository, CA, RA, subscriber, revocation, and certificate life-cycle requirements incorporated by EN 319 411-2. ## Operate identity validation and application processing by profile Qualified certificate operations begin before certificate generation. EN 319 411-2 requires natural-person identity and any certificate attributes to be verified by physical presence or an equivalent-assurance method that the TSP can prove. For legal-person certificates, the identity of the legal person and any attributes are verified through the physical presence of an authorized representative or an equivalent-assurance method. For qualified website authentication certificates, the identity route depends on whether the subscriber is a natural person or legal person, and the operation must also validate the subscriber's link with the domain name to be certified. Keep this validation evidence with the certificate application, processing, issuance, renewal, re-key, and modification records because later lifecycle actions can depend on what was originally validated. - For QCP-n and QCP-n-qscd, keep evidence for the natural person's identity and any specific attributes placed in the certificate. - For QCP-l and QCP-l-qscd, keep evidence for the legal person, the authorized representative route, and any specific attributes placed in the certificate. - For QEVCP-w, QNCP-w, and QNCP-w-gen, keep evidence linking the natural-person or legal-person subscriber to the certified domain name. - When remote or delegated validation is used, preserve the documented equivalence basis and the controls used to reduce impersonation risk. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 identity validation requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Grounds the natural-person, legal-person, authorized-representative, equivalent-assurance, and domain-link validation requirements for qualified certificate operations. - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Provides the EU qualified certificate and qualified trust service context referenced by EN 319 411-2 for identity and trust-service operations. ## Control issuance, acceptance, and certificate profile content The issuance operation should prove that the certificate policy identifier in the certificate matches the policy actually applied. EN 319 411-2 lists ETSI policy identifiers for each qualified policy and allows a TSP-allocated OID only when the referenced certificate policy clearly identifies which EN 319 411-2 policy it uses as its basis. Certificate acceptance and profile checks should be part of the same release gate. If the subscriber agreement is electronic, EN 319 411-2 says it should be signed with an advanced electronic signature or seal. Certificates should include the appropriate qcStatements, and only QCP-n-qscd or QCP-l-qscd certificates should include the QSCD qcStatement. - Check that each issued certificate includes the ETSI policy identifier, a documented TSP-allocated OID, or both for the policy applied. - Verify that CP and CPS text explain the certificate purpose, subject class, policy identifier, and whether QSCD use is required. - Keep the subscriber agreement and acceptance evidence with the certificate issuance record. - Include QSCD qcStatement evidence only for QCP-n-qscd and QCP-l-qscd certificates, and confirm it is absent from non-QSCD qualified certificates. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 certificate policy identifiers](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the operational checks for policy identifiers, TSP-allocated OIDs, subscriber agreement handling, qcStatements, and QSCD qcStatement restrictions. - [ETSI EN 319 411-1 V1.5.1 CP and CPS foundation](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Supports the distinction between Certificate Policy, Certification Practice Statement, subscriber terms, and disclosure material used in certificate operations. ## Run QSCD, key-use, and subject-control checks For QCP-n-qscd and QCP-l-qscd, operational evidence must show more than a policy name. EN 319 411-2 requires the TSP to verify that the device is certified as a QSCD and that the certificate request process ensures the public key to be certified comes from a key pair generated by a QSCD. Where the TSP manages the QSCD for the subject, the private key must not be used for signing except within a QSCD. Natural-person signature keys are tied to the subject's sole control, while legal-person seal keys are tied to the subject's control. The CPS should also document measures for a QSCD status change before certificate expiry. - Keep QSCD certification evidence for every QCP-n-qscd and QCP-l-qscd issuance path. - Record how certificate requests prove the certified public key came from a QSCD-generated key pair. - For TSP-managed QSCDs, document controls that restrict private-key use to the QSCD and preserve sole control or control as applicable. - Monitor QSCD certification status through the certificate validity period and document the CPS measures used if status changes. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 QSCD operating requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports QSCD certification, QSCD-generated key-pair checks, private-key use restrictions, subject control, and CPS measures for QSCD status changes. *Recommended next step* *Placement: after practical guidance* ## Operationalize qualified certificate operations Use this EN 319 411-2 operations guide to assign CP/CPS mapping, identity validation, QSCD, certificate status, and trusted-list evidence before an assessment or customer review. - [Open Assessment Autopilot for ETSI EN 319 411-2](/solutions/assessment.md): Convert qualified certificate operations into accountable tasks, evidence requests, and review milestones. - [Research ETSI EN 319 411-2 source questions](/solutions/research-copilot.md): Resolve policy identifier, identity validation, QSCD, certificate status, and trusted-list questions against cited ETSI source material. - [Talk through qualified certificate operations](/contact.md): Review EN 319 411-2 operating scope, evidence gaps, owners, and the next implementation actions with Sorena. ## Maintain revocation, status, and relying-party evidence Qualified certificate operations need certificate status evidence that remains useful after the certificate validity period. EN 319 411-2 requires revocation status information to be available beyond certificate validity using at least one method used during validity, such as CRL or OCSP, unless the validity-assured short-certificate exception applies. The CPS and terms should state how status information is made available, including the availability period, CA key compromise handling, and TSP termination handling. Relying-party notices should also explain that the trust anchor for validating the certificate as an EU qualified certificate is the service digital identifier in the appropriate EU trusted-list entry for the qualified TSP. - For CRL operations, document whether expired revoked certificates remain on the CRL and whether the ExpiredCertsOnCRL extension is used when required. - For OCSP operations, document the archive-cutoff or final-response approach used for status information beyond certificate validity. - Keep revocation request authentication, revocation action logs, and status-service publication records tied to the affected certificate population. - Keep relying-party notice text, trusted-list service digital identifier evidence, and the date and scope of the trusted-list check. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 certificate status services](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the operational requirements for revocation status beyond certificate validity, CRL and OCSP evidence, CPS status-service disclosure, and relying-party trusted-list notices. - [ETSI EN 319 411-1 V1.5.1 revocation and status requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Supports the inherited revocation management, certificate status service, repository, and relying-party status-checking controls referenced by EN 319 411-2. ## Primary sources - [ETSI EN 319 411-2 V2.6.1 qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary ETSI source for EU qualified certificate operations: scope, policy identifiers, identity validation, issuance, QSCD controls, certificate status services, and relying-party trusted-list notices. - Quote: "Requirements for trust service providers issuing EU qualified certificates" - [ETSI EN 319 411-1 V1.5.1 general certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary ETSI source for the general certificate policy, CPS, repository, CA, RA, subscriber, revocation, and certificate life-cycle controls incorporated by EN 319 411-2. - Quote: "Policy and security requirements for Trust Service Providers issuing certificates" - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - EU legal framework referenced by EN 319 411-2 for qualified certificates, qualified trust service providers, electronic signatures, electronic seals, and website authentication. - Quote: "electronic identification and trust services" ## Related Topic Guides - [eIDAS QTSP supervision workflow for ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/eidas-qtsp-supervision-workflow.md): Operational workflow for qualified trust service providers using ETSI EN 319 411-2 to manage supervisory-body changes, incidents, termination evidence, trusted-list checks, and assessment records. - [EN 319 411-2 vs EN 319 411-1 Qualified Certs](/artifacts/global/etsi-en-319-411-2/en-319-411-2-vs-en-319-411-1.md): Compare ETSI EN 319 411-2 qualified certificate requirements with EN 319 411-1 general certificate-service requirements, including QCP profiles, QSCD evidence, CP/CPS reuse, and audit boundaries. - [ETSI EN 319 411-2 compliance checklist](/artifacts/global/etsi-en-319-411-2/compliance.md): Compliance checklist for ETSI EN 319 411-2 qualified certificate services, covering policy selection, CP/CPS evidence, identity validation, QSCD status, trusted-list reliance, and certificate status services. - [ETSI EN 319 411-2 FAQ for EU Qualified Certificates](/artifacts/global/etsi-en-319-411-2/faq.md): Answers to common ETSI EN 319 411-2 questions about EU qualified certificate policies, QSCD use, identity validation, trusted lists, and revocation status services. - [ETSI EN 319 411-2 Identity Proofing](/artifacts/global/etsi-en-319-411-2/identity-proofing.md): How EN 319 411-2 applies identity validation for EU qualified certificates, including QCP natural-person, legal-person, website, and evidence-record checks. - [ETSI EN 319 411-2 QSCD Route](/artifacts/global/etsi-en-319-411-2/qscd-route.md): When QCP-n-qscd or QCP-l-qscd is the right EN 319 411-2 route, what QSCD evidence is needed, and which certificate-profile claims must stay aligned. - [ETSI EN 319 411-2 QTSP supervision evidence workflow](/artifacts/global/etsi-en-319-411-2/qtsp-supervision-evidence-workflow.md): Build an assessment-ready QTSP supervision evidence pack for ETSI EN 319 411-2 qualified certificate services, covering policy identifiers, trusted-list checks, incident records, QSCD evidence, and termination controls. - [ETSI EN 319 411-2 Qualified Certificate Scope](/artifacts/global/etsi-en-319-411-2/qualified-certificate-scope.md): Use ETSI EN 319 411-2 to scope EU qualified certificate services by certificate policy, subject type, QSCD use, website authentication profile, and eIDAS context. - [ETSI EN 319 411-2 requirements map](/artifacts/global/etsi-en-319-411-2/requirements.md): Map ETSI EN 319 411-2 requirements for EU qualified certificate services across QCP profiles, CP/CPS documentation, QSCD use, certificate profiles, revocation, and eIDAS Annex A references. - [ETSI EN 319 411-2 trusted-list evidence](/artifacts/global/etsi-en-319-411-2/trusted-list-evidence.md): Build EN 319 411-2 trusted-list evidence for EU qualified certificate reliance: relying-party notice text, QTSP service identifiers, validation records, and change triggers. - [ETSI EN 319 411-2 trusted-list validation workflow](/artifacts/global/etsi-en-319-411-2/trusted-list-validation-workflow.md): Validate an EN 319 411-2 EU qualified-certificate claim by mapping the certificate service to the QTSP trusted-list entry, policy profile, relying-party notice, and status evidence. - [ETSI EN 319 411-2 vs eIDAS Qualified Trust Services](/artifacts/global/etsi-en-319-411-2/en-319-411-2-vs-eidas-qualified-trust-services.md): Compare ETSI EN 319 411-2 certificate policy requirements with the eIDAS qualified-status, supervision, audit, and trusted-list framework. - [ETSI EN 319 411-2: Certificate Revocation FAQ](/artifacts/global/etsi-en-319-411-2/faq/revocation.md): Answer the ETSI EN 319 411-2 revocation question for qualified certificate services: CPS procedures, 24-hour publication, CRL or OCSP status, and evidence to retain. - [ETSI EN 319 411-2: end-to-end qualified certificate lifecycle management workflow](/artifacts/global/etsi-en-319-411-2/qualified-certificate-lifecycle-workflow.md): Lifecycle workflow for ETSI EN 319 411-2 qualified certificate services, from policy selection and identity validation through issuance, renewal, re-key, modification, revocation, status services, and records. - [ETSI EN 319 411-2: Legal vs Natural Person Certs](/artifacts/global/etsi-en-319-411-2/faq/legal-and-natural-persons.md): ETSI EN 319 411-2 separates qualified certificate policies for natural persons, legal persons, QSCD use, and website authentication subscribers. - [ETSI EN 319 411-2: QCP, QNCP, and QEVCP Profile Selection](/artifacts/global/etsi-en-319-411-2/qcp-qncp-and-qevcp-profile-selection.md): Choose the right ETSI EN 319 411-2 qualified certificate policy profile: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen. - [ETSI EN 319 411-2: workflow for selecting QCP-n, QCP-l, or QCP-w certificate profile](/artifacts/global/etsi-en-319-411-2/qualified-profile-selector-workflow.md): Select the right ETSI EN 319 411-2 qualified certificate policy profile for signatures, seals, QSCD use, and website authentication. - [How should QTSPs select an ETSI EN 319 411-2 qualified certificate profile?](/artifacts/global/etsi-en-319-411-2/faq/qualified-profile-selection.md): A focused FAQ on choosing QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen under ETSI EN 319 411-2. - [How should relying parties use trusted lists under ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/trusted-lists.md): FAQ on EN 319 411-2 trusted-list reliance for EU qualified certificates: relying-party notices, QTSP service identifiers, validation evidence, and source references. - [QSCD Requirements in ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qscd.md): How ETSI EN 319 411-2 treats QSCD-backed qualified certificates, including QCP-n-qscd and QCP-l-qscd policies, key-use controls, QSCD verification, and certificate profile evidence. - [QTSP Supervision and ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qtsp-supervision.md): How ETSI EN 319 411-2 supports QTSP supervision evidence for qualified certificate services, trusted-list reliance, liability responsibility, incident records, and audit preparation. - [Qualified certificates under ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificates.md): FAQ answer for QTSPs on how ETSI EN 319 411-2 treats EU qualified certificates, policy identifiers, QSCD variants, website certificates, and lifecycle evidence. - [What are the qualified certificate policies in ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificate-policies.md): FAQ on ETSI EN 319 411-2 qualified certificate policies, including QCP-n, QCP-l, QSCD variants, QEVCP-w, QNCP-w, and policy identifiers. - [Which QWAC Profile Fits ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/website-authentication-certificates.md): Choose between QEVCP-w, QNCP-w, and QNCP-w-gen for qualified website authentication certificates under ETSI EN 319 411-2. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/global/etsi-en-319-411-2/qualified-certificate-operations