Commit 794f0120 authored by Sammy Haddad

Annex B update

parent 14cdb141
+56 −49
@@ -146,7 +146,6 @@ In the present document \"**should**\", \"**should not**\", \"**may**\", \"**nee
<br />

# 1 Scope
*Editor's note: This section's is stable.*

The present document specifies requirements and assessment criteria covering all elements defined in CRA Annex I Part 1 and Part 2 for Public key infrastructure (PKI) and digital certificate issuance software.
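Review bot: The commit message "Annex B update" does not describe this hunk, which removes the clause 1 editor's note ("This section's is stable."), and the same clean-up repeats through clauses 2 to 6 together with the reference tagging. Split the editor's-note removal and the reference tagging into their own commit, or widen the message, so the history stays searchable. If the notes are removed because the clauses are now considered stable, record that status somewhere in the document instead of dropping it.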

@@ -157,7 +156,6 @@ Different uses cases represent different deployment with different sets of archi
It covers main PKI able to support the management of public keys able to support authentication, encryption, integrity or Traceability services including public/open, private, C-ITS and machine-to-machine PKIs.

# 2 References
*Editor's note: This section's structure is stable. More references are to be added.*

## 2.1 Normative references
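Review bot: Dropping "More references are to be added" from clause 2 is premature while the body still cites documents without a reference tag: REQ-5.3-01 in this diff names IETF RFC 5280 and IEEE 1609.2 with no [n] entry, and clause 4.7.3 cites ETSI TS 102 940 untagged. Keep the note or add those entries in the same commit. Also, in the hunk-header context, "Different uses cases represent different deployment" should read "Different use cases represent different deployments".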

@@ -180,9 +178,7 @@ The following referenced documents are necessary for the application of the pres

- <span id="_ref_6"></span><a name="_ref_6">[6]</a> "ETSI EN 319 411-1 V1.5.1" "(2025-04)": "Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements"

- <span id="_ref_7"></span><a name="_ref_7">[7]</a> "ETSI TS 103 525-2 V2.1.1" "(2024-09)": "Intelligent Transport Systems (ITS); Testing; Conformance test specifications for ITS PKI management; Part 2: Test Suite Structure and Test Purposes (TSS & TP); Release 2"

- <span id="_ref_8"></span><a name="_ref_8">[8]</a> "ETSI TR 119 411-4 V1.2.1" "(2024-06)": "Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 4: Checklist supporting audit of TSP against ETSI EN 319 411-1 or ETSI EN 319 411-2"

## 2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or nonspecific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.
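Review bot: Removing [7] and [8] from clause 2.1 demotes ETSI TS 103 525-2 to an informative reference even though the new clause 6.7 in this same commit makes the conformity verdict depend on it ("As defined or demonstrated equivalent to ETSI TS 103 525-2"). By the wording of clause 2.2 an informative reference only "may be useful", so either keep the TS in 2.1 or reword 6.7 so conformity does not hinge on it (the TR is correctly informative, since a TR cannot be cited normatively). Check as well that no surviving text still links to [7] or [8], as the old clause 6.6 did. Minor: the quoting style of [6] ("ETSI EN 319 411-1 V1.5.1" "(2025-04)": "…") differs from [i.2]; use one style for all entries.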
@@ -195,8 +191,12 @@ The following referenced documents may be useful in implementing an ETSI deliver

- <span id="_ref_i.2"></span><a name="_ref_i.2">[i.2]</a> Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act)\"

- <span id="_ref_i.3"></span><a name="_ref_i.3">[i.3]</a> "RFC 6960" "(2013-06)": "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP"

- <span id="_ref_i.4"></span><a name="_ref_i.4">[i.4]</a> "ETSI TS 103 525-2 V2.1.1" "(2024-09)": "Intelligent Transport Systems (ITS); Testing; Conformance test specifications for ITS PKI management; Part 2: Test Suite Structure and Test Purposes (TSS & TP); Release 2"

- <span id="_ref_i.5"></span><a name="_ref_i.5">[i.5]</a> "ETSI TR 119 411-4 V1.2.1" "(2024-06)": "Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 4: Checklist supporting audit of TSP against ETSI EN 319 411-1 or ETSI EN 319 411-2"
# 3 Definition of terms, symbols and abbreviations
*Editor's note: This section's structure is stable. Its content is to be further refined.*

## 3.1 Terms
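Review bot: The new entry [i.5] on the last added line is immediately followed by the "# 3 Definition of terms, symbols and abbreviations" heading with no blank line, unlike every other entry; add the separator so the heading is not glued to the list. Two further points in this hunk: the context line for [i.2] ends with a stray escaped quote, (Cyber Resilience Act)\", that should be deleted; and the removed editor's note for clause 3 said the content "is to be further refined", a status the document now drops silently.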

@@ -254,18 +254,15 @@ For the purposes of the present document, the [following] abbreviations apply:

## 4.1 Intended purpose of use

*Editor's note: This section's is stable.*

The present clause describes product contexts for products with digital elements used as part of a public key infrastructure (PKI) that manage the validation, creation, issuance, distribution, status publication, renewal or revocation of digital certificates, or the generation, storage, escrow, exchange, destruction or rotation of cryptographic keys associated with such digital certificates.  

### 4.2 Main functionalities
*Editor's note: This section's structur is stable. The content is not stable.*

Products with digital elements used as part of a public key cryptography scheme to manage asymmetric cryptographic keys and digital certificates, including their creation, issuance, distribution, validation, renewal, storage or revocation. This category includes but is not limited to key management systems, digital certificate management systems and online certificate status protocol responders



PKI products support one or more of the following component services (see ETSI EN 319 411-1):
PKI products support one or more of the following component services (see ETSI EN 319 411-1  [\[6\]](#_ref_6):

-	**F.Registration service:** registers and receives certificate requests from subscribers; verifies the identity and, if applicable, attributes of a subject; and passes verified certificate requests to the certificate generation service.
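Review bot: The rewritten line "PKI products support one or more of the following component services (see ETSI EN 319 411-1  [\[6\]](#_ref_6):" loses its closing parenthesis and has a double space before the citation; the parallel edit in clause 4.7.2.2.1 keeps the ")". Also: "### 4.2 Main functionalities" is a level-3 heading sitting between the level-2 "## 4.1" and "## 4.3", and the first paragraph of 4.2 ("Products with digital elements used as part of … revocation.") has no main verb; if it is quoted CRA text, mark it as a quotation, otherwise complete the sentence.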

@@ -306,7 +303,7 @@ PKI products also support:
  - **System operator account:** authorised to operate the PKI services. 

## 4.3 Architecture
*Editor's note: This section's structur is stable. The content is not stable.*


Figure 4.1 gives a high-level overview of a generic and illustrative PKI architecture.

@@ -316,7 +313,7 @@ Figure 4.1 gives a high-level overview of a generic and illustrative PKI archite


## 4.4 Operationnal Environment
*Editor's note: This section's structur is stable. The content is not stable.*


The enterprise should have a production system for issuing certificates and can be expected to have a separate test system for checking configuration changes and software updates before they are deployed. 
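Review bot: While the editor's note under it is being removed, the heading kept as context, "## 4.4 Operationnal Environment", keeps its typo; make it "Operational Environment" in the same hunk.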

@@ -350,10 +347,10 @@ However, system operators might have limited experience running critical compone


## 4.5 Distribution of security functions
*Editor's note: This section's is still to be done.*


## 4.6 Users
*Editor's note: This section's structur is stable. The content has not been reviewed.*


PKI products users' roles and responsibilities can be:
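Review bot: Removing "This section's is still to be done." from 4.5 leaves "## 4.5 Distribution of security functions" as an empty clause with nothing to say whether it is empty by design or unfinished; keep a placeholder note until the clause has content. The same applies to the 4.6 note "The content has not been reviewed", which is a review-state marker rather than a typo to clean up.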

@@ -434,7 +431,7 @@ EXAMPLE 3: The dissemination service is not needed as an enterprise directory se


### 4.7.1 Private PKI for none critical entities
*Editor's note: This section's structur is stable. The content is not stable.*

#### 4.7.1.1 Assets

##### 4.7.1.1.1 System administration
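Review bot: The heading kept as context, "### 4.7.1 Private PKI for none critical entities", should read "non-critical entities"; since the editor's note next to it is being touched, fix the title in the same hunk.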
@@ -736,7 +733,7 @@ The PKI product can support limited revocation management services even if it do
</div>

## 4.7.2 Critical entities and public CA PKI software
*Editor's note: This section's structur is stable. The content is not stable.*


### 4.7.2.1 Use
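Review bot: Heading levels for the use-case clauses are inconsistent: "## 4.7.2 Critical entities and public CA PKI software" is level 2 while 4.7.1 and 4.7.3 are "###". Following the pattern "### 4.7.1" / "#### 4.7.1.1" / "##### 4.7.1.1.1" used in the previous hunk, 4.7.2 should be "###" and "### 4.7.2.1 Use" should be "####"; "##### 4.7.2.2.1 Services" is then already at the right depth.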

@@ -752,7 +749,7 @@ EXAMPLE 3: Software used to issue certificates for central government public adm

##### 4.7.2.2.1 Services

The PKI product should support one or more of the following component services (see ETSI EN 319 411-1):
The PKI product should support one or more of the following component services (see ETSI EN 319 411-1  [\[6\]](#_ref_6)):

-	**Registration service:** as described in clause 4.2.2.1.
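Review bot: The cross-reference "as described in clause 4.2.2.1" on the first bullet should be checked: in this diff the registration service is defined directly under "### 4.2 Main functionalities" as "F.Registration service", and no 4.2.2.1 is visible. Also note the wording drift between the two parallel lists edited in this commit: 4.2 says PKI products "support" the services, while this clause says the product "should support" them; "should" is a recommendation inside a descriptive clause and probably wants to be "supports" here too.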

@@ -872,7 +869,7 @@ The CA should enforce separation between trusted roles with conflicting responsi


### 4.7.3 C-ITS PKI
*Editor's note: This section's structur is stable. The content is not stable.*


A Public Key Infrastructure (PKI) dedicated to Communicating Intelligent Transport Systems (C-ITS) is used to manage ITS related certificates  to enable deployment of security functions over the different components of ITS systems, mainly signature and encryption of ITS messages. The PKI is responsible for the issuance, revocation, and overall management of certificates and certificate status information.
The PKI architecture and its functionalities considered here are the one standardized by the ETSI in ETSI TS 102 940 and ETSI TS 102 941.
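Review bot: In the context lines C-ITS is expanded as "Communicating Intelligent Transport Systems"; in ETSI TS 102 940 and TS 102 941 the term is Cooperative Intelligent Transport Systems. Same hunk: "ETSI TS 102 940 and ETSI TS 102 941" are cited without reference tags although this commit adds [n] tags elsewhere and [5] already exists for TS 102 941, and "are the one standardized" should be "are the ones standardized".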
@@ -1011,10 +1008,8 @@ The considered threats for the C-ITS PKI are illustrated in the following figure
<br />

### 4.7.4 Machine to Machine PKI
*Editor's note: This section is to be done*

# 5  Requirements for PKI products
*Editor's note: This section's structur is note stable. The content is not stable.*

## 5.1 Auditing
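Review bot: Deleting "This section is to be done" under "### 4.7.4 Machine to Machine PKI" leaves an empty clause immediately followed by "# 5 Requirements for PKI products", so a reader can no longer tell that the M2M use case is unfinished; the APPLICABILITY statements visible in this diff list only UC1 to UC3, so either add the M2M content and its use-case identifier or keep the placeholder note.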

@@ -1110,14 +1105,14 @@ The considered threats for the C-ITS PKI are illustrated in the following figure
## 5.3 Certificate issuance

- REFERENCE: REQ-5.3-01
  - REQUIREMENT: The certificates issued by the certificate generation service shall comply with the X.509 standard [ITU-T X.509] or with the IETF RFC 5280 standard or with the IEEE 1609.2 standard, and if known, to any extension or profile identified by the target systems' policy.
  - RATIONALE: This extends what is mandated by ETSI EN 319 411-1 and takes into account the C-ITS PKI use case.
  - REQUIREMENT: The certificates issued by the certificate generation service shall comply with the X.509 standard ITU-T X.509 [\[1\]](#_ref_1) or with the IETF RFC 5280 standard or with the IEEE 1609.2 standard, and if known, to any extension or profile identified by the target systems' policy.
  - RATIONALE: This extends what is mandated by ETSI EN 319 411-1  [\[6\]](#_ref_6) and takes into account the C-ITS PKI use case.

  - APPLICABILITY: All use cases where the PKI has a certificate generation service.
 

- REFERENCE: REQ-5.3-02
  - REQUIREMENT: The certificates issued by the certificate generation service shall be public-key certificates or attribute certificates whose format complies with the X.509 standard [ITU-T X.509].
  - REQUIREMENT: The certificates issued by the certificate generation service shall be public-key certificates or attribute certificates whose format complies with the X.509 standard ITU-T X.509 [\[1\]](#_ref_1).
  - RATIONALE: Public-key certificates shall use version 3 certificates since this standard requires the use of certificates extensions.
  - NOTE: At a minimum, the PKI shall ensure that:
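Review bot: REQ-5.3-01 and REQ-5.3-02 contradict each other for the C-ITS case: 5.3-01 allows certificates to comply with "the IEEE 1609.2 standard", but 5.3-02 requires every certificate issued by the generation service to be an X.509 public-key or attribute certificate, and IEEE 1609.2 certificates are not X.509. Scope 5.3-02 with an APPLICABILITY line (for example "where X.509 certificates are issued"). Two smaller points: RFC 5280 and IEEE 1609.2 are still cited without a reference tag although this hunk exists to add tags for ITU-T X.509 [1] and EN 319 411-1 [6]; and the RATIONALE of 5.3-02 ("Public-key certificates shall use version 3 certificates …") is a requirement written as a rationale; move the v3 constraint into the REQUIREMENT text, where it can be assessed.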

@@ -1209,11 +1204,11 @@ The PKI may generate a key pair and associated public key, and later communicate
- REFERENCE: REQ-5.4-01
  - REQUIREMENT: The certificate status service shall provide certificate revocation statuses as either or both of:

    a) CRLs as defined by and subject to the requirements of [ITU-T X.509]; or
    a) CRLs as defined by and subject to the requirements of ITU-T X.509 [\[1\]](#_ref_1); or

    b) OCSP responses to OCSP requests as defined by and subject to the requirements of [RFC 6960].
    b) OCSP responses to OCSP requests as defined by and subject to the requirements of RFC 6960 [\[i.3\]](#_ref_i.3).

  - RATIONALE: The PKI shall provide accurate and integrity protected certificates statues either using the standardised CRL format ensuring integrity of revocation list or protected OCSP services as defined by [RFC 6960]. This covers threats T_REV01 to T_REV03 and T_STA01 to T_STA02.
  - RATIONALE: The PKI shall provide accurate and integrity protected certificates statues either using the standardised CRL format ensuring integrity of revocation list or protected OCSP services as defined by RFC 6960 [\[i.3\]](#_ref_i.3). This covers threats T_REV01 to T_REV03 and T_STA01 to T_STA02.
  - APPLICABILITY: UC1, UC2 and UC3.

- REFERENCE: REQ-5.4-02
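Review bot: REQ-5.4-01 now cites RFC 6960 as [i.3], an informative reference, while the requirement text says OCSP responses are "subject to the requirements of RFC 6960"; a document without which the requirement cannot be met belongs in clause 2.1 (normative), so move RFC 6960 to 2.1 and renumber. Typos carried into the added RATIONALE line: "certificates statues" should be "certificate statuses", and "integrity protected" should be hyphenated as a compound modifier.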
@@ -1250,11 +1245,11 @@ The PKI may generate a key pair and associated public key, and later communicate
  - REQUIREMENT: The PKI shall require the Administrator to specify the set of acceptable values for the responderID field.
  - RATIONALE: The PKI shall provide accurate certificates statusas defined by the service provider chosen policies. This covers threats T_REV01 to T_REV03 and T_STA01 to T_STA02.
  - APPLICABILITY: Where the PKI has a certificate status service, issuing OCSP responses of the basic response type: UC1 and UC2.
  - NOTE: An OCSP responder is required to be capable to emit OCSP responses of the basic type by [RFC 6960].
  - NOTE: An OCSP responder is required to be capable to emit OCSP responses of the basic type by RFC 6960 [\[i.3\]](#_ref_i.3).

## 5.5 Certificate renewal
- REFERENCE: REQ-5.5-01
  - REQUIREMENT: Requirement GEN-6.3.6-10 contained in ETSI EN 319 411-1 shall apply.
  - REQUIREMENT: Requirement GEN-6.3.6-10 contained in ETSI EN 319 411-1  [\[6\]](#_ref_6) shall apply.
  - NOTE: The term "sufficient" in the requirement means that the security is to be evaluated according to the current state of the art.

## 5.6 Certificate re-key
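Review bot: The rewritten NOTE "is required to be capable to emit OCSP responses of the basic type" should read "capable of emitting"; while editing this block, also fix "statusas" in the RATIONALE context line ("certificate status as defined by"). Structure: REQ-5.5-01 is the only requirement in this diff with neither RATIONALE nor APPLICABILITY; since clause 5.5 applies the EN 319 411-1 requirement wholesale, state at least which use cases it applies to.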
@@ -1269,22 +1264,21 @@ information shall be recorded, after a proper verification.
## 5.8 Certificate suspension and revocation
- REFERENCE: REQ-5.8-01
  - REQUIREMENT: Once a certificate is revoked, it shall not be reinstated.
  - NOTE: Revocation is intended to be a definitive action, from which this requirement stems

  - NOTE: Revocation is intended to be a definitive action, from which this requirement stems.
- REFERENCE: REQ-5.8-02
  - REQUIREMENT: Requirements CSS-6.3.9-06, CSS-6.3.9-08, CSS-6.3.9-12 and CSS-6.3.9-13 contained in ETSI EN 319 411-1 (V1.5.1) shall apply.
  - REQUIREMENT: Requirements CSS-6.3.9-06, CSS-6.3.9-08, CSS-6.3.9-12 and CSS-6.3.9-13 contained in ETSI EN 319 411-1  [\[6\]](#_ref_6) shall apply.

## 5.9 Certificate status services
- REFERENCE: REQ-5.9-01
  - REQUIREMENT: Requirements CSS-6.3.10-03, CSS-6.3.10-04 and CSS-6.3.10-05 contained in ETSI EN 319 411-1 (V1.5.1) shall apply.
   - RATIONALE: The PKI shall provide accurate and integrity protected certificates statues either using the standardised CRL format ensuring integrity of revocation list or protected OCSP services as defined by [RFC 6960]. This covers threats T_REV01 to T_REV03 and T_STA01 to T_STA02.
  - REQUIREMENT: Requirements CSS-6.3.10-03, CSS-6.3.10-04 and CSS-6.3.10-05 contained in ETSI EN 319 411-1  [\[6\]](#_ref_6) shall apply.
   - RATIONALE: The PKI shall provide accurate and integrity protected certificates statues either using the standardised CRL format ensuring integrity of revocation list or protected OCSP services as defined by RFC 6960 [\[i.3\]](#_ref_i.3). This covers threats T_REV01 to T_REV03 and T_STA01 to T_STA02.
  - APPLICABILITY: UC1, UC2 and UC3.

- REFERENCE: REQ-5.9-02
  - REQUIREMENT: If a PKI supports multiple methods to provide revocation status, the information provided by all services shall be consistent over time taking into account different delays in updating the status information for all the methods.
   - RATIONALE: The PKI shall provide accurate and integrity protected certificates statues either using the standardised CRL format ensuring integrity of revocation list or protected OCSP services as defined by [RFC 6960]. This covers threats T_REV01 to T_REV03 and T_STA01 to T_STA02.
   - RATIONALE: The PKI shall provide accurate and integrity protected certificates statues either using the standardised CRL format ensuring integrity of revocation list or protected OCSP services as defined by RFC 6960 [\[i.3\]](#_ref_i.3). This covers threats T_REV01 to T_REV03 and T_STA01 to T_STA02.
  - APPLICABILITY: UC1, UC2 and UC3.
  - NOTE: This is aligned with requirement CSS-6.3.10-09 contained in ETSI EN 319 411-1 (V1.5.1)
  - NOTE: This is aligned with requirement CSS-6.3.10-09 contained in ETSI EN 319 411-1  [\[6\]](#_ref_6)

## 5.10 Access control
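Review bot: The RATIONALE of REQ-5.9-02 does not match its requirement: the requirement is about consistency between several revocation-status methods over time, but the rationale is the generic CRL/OCSP integrity text copied from REQ-5.4-01 and REQ-5.9-01, and it carries the same "certificates statues" typo. Also in this hunk, the RATIONALE lines under 5.9-01 and 5.9-02 are indented with three spaces while every other field uses two, which markdown may render as a differently nested list, and the last NOTE ("This is aligned with requirement CSS-6.3.10-09 …") lacks its final full stop.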

@@ -1323,7 +1317,7 @@ The PKI shall permit an communication between a and the PKI if the following rul


# 6 Conformity Assessment
*Editor's note: This section's structur is stable. The content is not stable.*


NOTE: If a requirement stated in the present document can be shown to have been assessed under any other relevant regulation (e.g. NIS2, eIDAS) then the evidence of that assessment may be provided together with the other CRA presumption of conformity evidences so no further assessment is required in that case.
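Review bot: The hunk-header context "The PKI shall permit an communication between a and the PKI if the following rul…" is missing the noun after "a" (the party the PKI communicates with) and should read "a communication"; this is requirement text in clause 5.10, so the gap changes what is being required. In the NOTE on the retained line, "evidences" should be "evidence".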

@@ -1650,7 +1644,7 @@ REFERENCE: ASS-REQ-6.2-01

- REFERENCE: ASS-REQ-6.4-01

  - OBJECTIVE: Verify the certificates issued by the certificate generation service are public-key certificates or attribute certificates whose format complies with the X.509 standard [ITU-T X.509].
  - OBJECTIVE: Verify the certificates issued by the certificate generation service are public-key certificates or attribute certificates whose format complies with the X.509 standard ITU-T X.509 [\[1\]](#_ref_1).

  - PREPARATION: 
    - Certificate request interface accessible.
@@ -1678,7 +1672,7 @@ REFERENCE: ASS-REQ-6.2-01

- REFERENCE: ASS-REQ-6.4-02

  - OBJECTIVE: Verify the format of public-key certificates issued by the certificate generation service complies with the X.509 standard [ITU-T X.509].
  - OBJECTIVE: Verify the format of public-key certificates issued by the certificate generation service complies with ITU-T X.509 [\[1\]](#_ref_1).

  - PREPARATION: Document the circumstances in which the certificate generation service may issue a certificate. Ability to request a certificate issuance for the different identified circumstances.
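Review bot: The new OBJECTIVE line drops the words "the X.509 standard" ("complies with ITU-T X.509 [1]") while the parallel edit in ASS-REQ-6.4-01 keeps "the X.509 standard ITU-T X.509 [1]"; use one form. As written, ASS-REQ-6.4-01 and ASS-REQ-6.4-02 both verify X.509 format compliance of issued certificates; if 6.4-02 is meant to cover every issuance circumstance (as its PREPARATION suggests), say so in the objective so the two assessments are distinguishable.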

@@ -1833,9 +1827,7 @@ REFERENCE: ASS-REQ-6.2-01

- REFERENCE: ASS-REQ-6.5-01

  - OBJECTIVE: Verify the certificate revocation statuses to be either or both of CRLs as defined by and subject to the requirements of [ITU-T X.509], or OCSP responses as defined by and subject to the requirements of [RFC 6960].

 
  - OBJECTIVE: Verify the certificate revocation statuses to be either or both of CRLs as defined by and subject to the requirements of ITU-T X.509 [\[1\]](#_ref_1), or OCSP responses as defined by and subject to the requirements of RFC 6960 [\[i.3\]](#_ref_i.3).
 
- REFERENCE: ASS-REQ-6.5-02

@@ -1923,13 +1915,14 @@ REFERENCE: ASS-REQ-6.2-01
    b) List of validated functionalities and data access rights for each user profile.
    c) Screenshots or logs of access attempts and rights verification.

#### 6.6 ETSI standard conformity assessment

All requirements in clause 5 including conformity requirement to ETSI 102 941 [\[5\]](#_ref_5) shall ensure conformity based on tests defined in [\[7\]](#_ref_7).

All requirements in clause 5 including conformity requirement to [\[6\]](#_ref_6) shall ensure conformity based on tests defined in [\[8\]](#_ref_8).

#### 6.7 ETSI standard conformity assessment

- REFERENCE: ASS-REQ-6.7-01
  - OBJECTIVE: Demonstrating conformity to other ETSI standard.
  - ACTIVITIES: 
    - All requirements in clause 5 including conformity requirement to ETSI 102 941 [\[5\]](#_ref_5) shall ensure conformity based on tests demonstrating equivalence to in ETSI TS 103 525-2 [\[i.4\]](#_ref_i.4).
    - All requirements in clause 5 including conformity requirement to ETSI EN 319 411-1 [\[6\]](#_ref_6) shall ensure conformity based on tests demonstrating equivalence to in ETSI TR 119 411-4 V1.2.1 [\[i.5\]](#_ref_i.5).
  - VERDICT & EVIDENCES: As defined or demonstrated equivalent to ETSI TS 103 525-2 [\[i.4\]](#_ref_i.4) and ETSI TR 119 411-4 V1.2.1 [\[i.5\]](#_ref_i.5)

# Annex A Mapping with essential requirements of the CRA
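Review bot: Replacing "#### 6.6 ETSI standard conformity assessment" by "#### 6.7 …" with the same title leaves clause 6 jumping from 6.5 to 6.7; number the new clause 6.6, and put it at "## 6.6" to match the "## 5.x" pattern used under "# 5". In the added ACTIVITIES bullets: "tests demonstrating equivalence to in ETSI TS 103 525-2" has a stray "in"; "ETSI 102 941 [5]" should be "ETSI TS 102 941 [5]"; "V1.2.1" is repeated inline although [i.5] already pins the version; and "shall ensure conformity based on tests demonstrating equivalence" does not say who demonstrates equivalence of what to what (the applicant's test suite to the ETSI one?). Finally, the VERDICT & EVIDENCES line depends on [i.4] and [i.5], which this commit makes informative, so a verdict cannot be "as defined" by them; either keep TS 103 525-2 in clause 2.1 or phrase the verdict as evidence that the PKI passes tests equivalent to those in [i.4] and [i.5].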

@@ -1984,9 +1977,23 @@ Other Union legislation may be applicable to the product(s) falling within the s


# Annex B Mappings
## B.1 Mapping of technical security requirements and assessment requirements
## B.2 Mapping of technical security requirements and risks factors
## B.3 Other relevant mappings, as appropriate
## B.1 Mapping of threats to technical security requirements and their associated assessment requirements

![Figure B.1-1: Mapping of threats to technical and assessement requirement part 1](media/RequirementCoverage_P1_2026-01-08.png)

**Figure B.1-1: Mapping of threats to technical and assessement requirement part 1**

![Figure B.1-2: Mapping of threats to technical and assessement requirement part 2](media/RequirementCoverage_P1_2026-01-08.png)

**Figure B.1-2: Mapping of threats to technical and assessement requirement part 2**

![Figure B.1-3: Mapping of threats to technical and assessement requirement part 3](media/RequirementCoverage_P1_2026-01-08.png)

**Figure B.1-3: Mapping of threats to technical and assessement requirement part 3**

![Figure B.1-4: Mapping of threats to technical and assessement requirement part 3](media/RequirementCoverage_P1_2026-01-08.png)

**Figure B.1-4: Mapping of threats to technical and assessement requirement part 4**

# Annex C Risk acceptance criteria and risk management methodology (informative) (PT1 6.3)
## C.1 Risk acceptance + risk management methodology
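Review bot: All four figures in the new Annex B.1 point at the same file, media/RequirementCoverage_P1_2026-01-08.png, although the commit adds four distinct images (155, 157, 152 and 131 KiB); parts 2 to 4 need their own paths. Figure B.1-4's alt text still says "part 3", and "assessement" appears in all eight captions. Two design points: the former headings "B.2 Mapping of technical security requirements and risks factors" and "B.3 Other relevant mappings, as appropriate" are deleted without replacement, so an annex titled "Mappings" now holds a single mapping and the requirement-to-risk-factor mapping is gone; and a threat-to-requirement-to-assessment mapping delivered only as PNGs cannot be searched, diffed or checked against the T_REV01 / T_STA01 identifiers used in the clause 5 rationales. A markdown table with one row per threat would let a reviewer verify coverage.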
Four image files added (+155 KiB, +157 KiB, +152 KiB, +131 KiB); image diffs not rendered.