Certificate Number: ETS 010
Scope: On the request of DigiCert Europe Netherlands B.V. in the Netherlands and DigiCert Europe Belgium BV in Belgium (hereafter referred to as: QuoVadis), the annual certification audit on all areas and processes was performed by BSI Group The Netherlands B.V. (John M. Keynesplein 9, 1066 EP Amsterdam, The Netherlands).
The full audit covered all applicable requirements from the audit criteria listed below (see “Audit Information”) and are defined in QuoVadis' Statement of Applicability, dated 14 June 2024 and the Overview of Applicability, version 1.25.
The scope of the assessment comprised the following Trust Service Provider component services:
-,,Registration Service;
-,,Certificate Generation Service;
-,,Dissemination Service;
-,,Revocation Management Service;
-,,Revocation Status Service;
-,,Subject Device Provision Service;
This includes operating a remote QSCD / SCDev, where electronic signature creation data is generated and managed on behalf of the signatory.
The TSP component services are performed, partly or completely by subcontractors under the final responsibility of QuoVadis.
These TSP component services are being provided for the following qualified trust service(s) as defined in Regulation (EU) 910/2014 (eIDAS):
-,,Issuance of qualified certificates for electronic signatures (qualified trust service), in accordance with the policies: QCP-n, QCP-n-qscd
-,,Issuance of qualified certificates for electronic seals (qualified trust service), in accordance with the policy: QCP-l, QCP-l-qscd
-,,Issuance of qualified certificates for website authentication (qualified trust service), in accordance with policies QEVCP-w, QCP-w-psd2;
The certificates are issued through the issuing certification authorities, as specified below:
Root CA: Staat der Nederlanden Private Root CA - G1 (not in scope)
Domain CA: Staat der Nederlanden Private Personen CA - G1 (not in scope)
-,,Issuing CA: QuoVadis PKIoverheid Private Personen CA - G1
Sha256 Fingerprint:
A5F7150BC358D1498BFDD8EB39732362DCB6A903F57451B930363BDFAF835BA4
+,,PKIOverheid Private Personal Non-Repudiation (OID 2.16.528.1.1003.1.2.8.2), in accordance with policy QCP-n-qscd
Root CA: Staat der Nederlanden Root CA - G3 (not in scope)
Domain CA: Staat der Nederlanden Organisatie Persoon CA - G3 (not in scope)
-,,Issuing CA: QuoVadis PKIoverheid Organisatie Persoon CA - G3
Sha256 Fingerprint:
15073C6BBDC74699A88518C27A57C956E5E23D6CA9619E521A468C7873DE4F8A
+,,PKIOverheid Personal Organisation Non-Repudiation G3 (OID 2.16.528.1.1003.1.2.5.2), in accordance with policy QCP-n-qscd
-,,Issuing CA: QuoVadis PKIoverheid Organisatie Persoon CA – 2022
Sha256 Fingerprint:
56521521E7EA27EAAE33F0095D5B871CDA3AF4A80A62E08594CBAD6EF2806307
+,,PKIOverheid Personal Organisation Non-Repudiation (OID 2.16.528.1.1003.1.2.5.2), in accordance with policy QCP-n-qscd
Domain CA: Staat der Nederlanden Burger CA - G3 (not in scope)
-,,Issuing CA: QuoVadis PKIoverheid Burger CA - 2021
Sha256 Fingerprint:
3AC3DB2C474FC34FE8011C5A01F622824C6F8B11076F56192AC701DAE3D70534
+,,PKIOverheid Personal Citizen Non-Repudiation (OID 2.16.528.1.1003.1.2.3.2), in accordance with policy QCP-n-qscd
Domain CA: Staat der Nederlanden Organisatie Services CA - G3 (not in scope)
-,,Issuing CA: QuoVadis PKIoverheid Organisatie Services CA - G3
Sha256 Fingerprint:
BECFDE124CEDD344D925CB55EDDA662D9A9C0688FA9A0870CE3DBB6DA4313E4E
+,,PKIOverheid Organisation Service Seal (OID 2.16.528.1.1003.1.2.5.7), in accordance with policy QCP-l-qscd
-,,Issuing CA: QuoVadis PKIoverheid Organisatie Services CA - 2022
Sha256 Fingerprint:
B0D9AFDA74163609E4EAB017EEE4CE0B235AEEF7D68C06F86E74C6387999B2B7
+,,PKIOverheid Organisation Service Seal (OID 2.16.528.1.1003.1.2.5.7), in accordance with policy QCP-l-qscd
Root CA: QuoVadis Root CA 1 G3
Intermediate CA: QuoVadis Enterprise Trust CA 1 G3
-,,Issuing CA: QuoVadis EU Issuing Certification Authority G4
Sha256 Fingerprint:
1D24222B5EEC71FE99BE9D700FA5FF72312DB3EB0FCB4A4F3BCC135DA36C1355
+,,eIDAS Qualified Natural Person (OID 0.4.0.194112.1.0), in accordance with policy QCP-n
+,,eIDAS Qualified Natural Person - QCSD (OID 0.4.0.194112.1.2), in accordance with policy QCP-n-qscd
+,,eIDAS Qualified Legal Person (OID 0.4.0.194112.1.1), in accordance with policy QCP-l
+,,eIDAS Qualified Legal Person - QCSD (OID 0.4.0.194112.1.3), in accordance with policy QCP-l-qscd
+,,eIDAS Qualified: PSD2 Legal Person - QCSD (OID 0.4.0.194112.1.3), in accordance with policy QCP-l-qscd
+,,eIDAS Qualified: PSD2 Legal Person - QCSD (OID 0.4.0.194112.1.1), in accordance with policy QCP-l
-,,Issuing CA: QuoVadis EU Issuing Certification Authority G6
Sha256 Fingerprint:
19B74B7E41CA73465832838A14EB432C4826F1B15DEF42B90AAE9F8FAB8B79B3
+,,eIDAS Qualified Natural Person (OID 0.4.0.194112.1.0), in accordance with policy QCP-n
+,,eIDAS Qualified Natural Person - QCSD (OID 0.4.0.194112.1.2), in accordance with policy QCP-n-qscd
+,,eIDAS Qualified Legal Person (OID 0.4.0.194112.1.1), in accordance with policy QCP-l
+,,eIDAS Qualified Legal Person - QCSD (OID 0.4.0.194112.1.3), in accordance with policy QCP-l-qscd
+,,eIDAS Qualified: PSD2 Legal Person - QCSD (OID 0.4.0.194112.1.3), in accordance with policy QCP-l-qscd
+,,eIDAS Qualified: PSD2 Legal Person - QCSD (OID 0.4.0.194112.1.1), in accordance with policy QCP-l
-,,Issuing CA: QuoVadis Belgium Issuing CA G2
Sha256 Fingerprint:
AA0E83B4AE0036679703D1603BC7E63A080464A033AE4B9F465838ADC85C61ED
+,,eIDAS Qualified Natural Person (OID 0.4.0.194112.1.0), in accordance with policy QCP-n
+,,eIDAS Qualified Natural Person - QCSD (OID 0.4.0.194112.1.2), in accordance with policy QCP-n-qscd
+,,eIDAS Qualified Legal Person (OID 0.4.0.194112.1.1), in accordance with policy QCP-l
+,,eIDAS Qualified Legal Person - QCSD (OID 0.4.0.194112.1.3), in accordance with policy QCP-l-qscd
-,,Issuing CA: QuoVadis Belgium Issuing CA G4
Sha256 Fingerprint:
3516BDAB7F57115A7AEB2EBF9C521EF00F04AD891501979BE1EFBF4493409669
+,,eIDAS Qualified Natural Person (OID 0.4.0.194112.1.0), in accordance with policy QCP-n
+,,eIDAS Qualified Natural Person - QCSD (OID 0.4.0.194112.1.2), in accordance with policy QCP-n-qscd
+,,eIDAS Qualified Legal Person (OID 0.4.0.194112.1.1), in accordance with policy QCP-l
+,,eIDAS Qualified Legal Person - QCSD (OID 0.4.0.194112.1.3), in accordance with policy QCP-l-qscd
Root CA: QuoVadis Root CA 2 G3
-,,Issuing CA: QuoVadis Qualified Web ICA G2
Sha256 Fingerprint:
7FEB9374EAB08D392717C647436DAE06176A24C010607FDA1CCE5E5F0106B472
+,,Qualified certificate for website authentication (OID 0.4.0.194112.1.4), in accordance with policy QEVCP-w
+,,PSD2 Qualified certificate for website authentication (OID 0.4.0.194112.1.4), in accordance with policy QCP-w (QEVCP-w) and QCP-w-psd2 (OID 0.4.0.19495.3.1)
The TSP component services are documented in the following Certification Practice Statements:
-,,DigiCert Europe/QuoVadis - Certification Policy/Certification Practice Statement, v5.2, 1 March 2024
-,,DigiCert Europe/QuoVadis - PKI Disclosure Statement, v2.0, 22 November, 2023
-,,Certification Practice Statement for PKIoverheid Certificates, v.1.17, 1 March 2024
-,,PKI Disclosure Statement for PKIoverheid, v1.13, 22 June 2023
For the component service: Registration Service (Remote Identity Proofing), we confirm, based on the objective evidence collected during the audit, that as of 17 December 2021, the following identification method(s) provide equivalent assurance in terms of reliability to physical presence, pursuant to Regulation (EU) 910/2014 (eIDAS) art. 24.1 sub d, for the trust services (and Identity Proofing Context) covered by this Certificate of Conformity:
-,,For Issuing CAs Belgium (C=BE): the identification method: “DigiCert Remote ID Validation level RIV2, supporting the ETSI TS 119461 Use Case for Unattended remote identity proofing (9.2.3): "Hybrid manual and automated operation" (9.2.3.3)"; and
-,,For Issuing CAs Belgium (C=BE) and The Netherlands (C=NL): “DigiCert Remote ID Validation levels RIV4, supporting the ETSI TS 119461 Use Case for Unattended remote identity proofing (9.2.3): "Hybrid manual and automated operation" (9.2.3.3)"
Our annual certification audit was performed in March, May, June 2024. The result of the full audit is that we conclude, based on the objective evidence collected during the certification audit from 1 June 2023 through 31 May 2024, the areas assessed during the audit were generally found to be effective, based on the applicable requirements defined in QuoVadis' Statement of Applicability, dated 14 June 2024 and the Overview of Applicability, version 1.25.
Statement on the issuance of S/MIME certificates:
Issuing CAs in scope of certification are technically capable of issuing S/MIME certificates. On the request of DigiCert, we performed audit procedures to confirm that ETSI TS 119 411-6 V1.1.1 (2023-08) is not applicable. This is because from the CAs in scope of certification:
-,,We have not observed that S/MIME certificates have been issued in the audit period
-,,Controls are in place to prevent the issuance of S/MIME certificates.
Audit information:
Audit criteria:
-,,ETSI EN 319 401 v2.3.1 (2021-05) General Policy Requirements for Trust Service Providers
-,,ETSI EN 319 411-1 v1.3.1 (2021-05) Electronic Signatures and Infrastructures (ESI) - Policy and security requirements for Trust Service Providers issuing certificates - Part 1: General requirements, for the policies: NCP, NCP+, OVCP, PTC, EVCP;
-,,ETSI EN 319 411-2 v2.4.1 (2021-11) Electronic Signatures and Infrastructures (ESI) - Policy and security requirements for Trust Service Providers issuing certificates; - Part 2: Requirements for trust service providers issuing EU qualified certificates, for the policies: QCP-n-qscd, QCP-l-qscd, QCP-n, QCP-l, QEVCP-w;
-,,ETSI TR 119 461 v1.1.1 (2021-07): Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service components providing identity proofing of trust service subjects, for the LoIP use cases:
-,,For Issuing CAs Belgium (C=BE): the identification method: “DigiCert Remote ID Validation level RIV2, supporting the ETSI TS 119461 Use Case for Unattended remote identity proofing (9.2.3): "Hybrid manual and automated operation" (9.2.3.3)"; and
-,,For Issuing CAs Belgium (C=BE) and The Netherlands (C=NL): “DigiCert Remote ID Validation levels RIV4, supporting the ETSI TS 119461 Use Case for Unattended remote identity proofing (9.2.3): "Hybrid manual and automated operation" (9.2.3.3)"
-,,ETSI TS 119 495 V1.6.1 (2022-11): Electronic Signatures and Infrastructures (ESI); Sector Specific Requirements; Qualified Certificate Profiles and TSP Policy Requirements under the payment services Directive (EU) 2015/2366, for the policies QCP-l, QCP-l-qscd, QEVCP-w / QEVCP-w-psd2;
-,,CA/Browser Forum – Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates v2.0.2. (8 January 2024);
-,,CA/Browser Forum – Guidelines for the Issuance and Management of Extended Validation Certificates v1.8.1 (4 March 2024);
-,,CA/Browser Forum - Network and Certificate System Security Requirements v1.7 (5 April 2021);
-,,Regulation (EU) N 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, Chapter III – Trust Services.
-,,PKIoverheid – Programme of Requirements 4.12:
-,,G3 Legacy Organization Person certificates (previously 3a)
-,,G3 Legacy Organization Services certificates (previously 3b)
-,,G3 Legacy Citizen certificates (previously 3c)
-,,Private Organization Services certificates (previously 3g)
-,,Private Server certificates (previously 3h)
-,,Private Private Person certificates (previously 3i)
Audit Period of Time:
1 June 2023 - 31 May 2024
Audit performed:
March, May, June 2024
Information and Contact:
BSI Group The Netherlands B.V., John M. Keynesplein 9, 1066 EP Amsterdam, NL
