Approval Profile for a Root Certification Authority – tSd 0114


This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for a Grant of approval for the provision of Root Certification Authority services.


The criteria given in this Approval Profile are related to the overall provision and life-cycle management of certification services [[QC: issuing Qualified Certificates]]. Life-cycle management provides for Services supporting the registration and verification of key holders, initial creation and personalisation of encryption keys, tokens and certificates, the secure distribution of keys/tokens and publication of certificates, the maintenance of certificate currency and validity through re-certification and revocation processes.

Some of these functions could be offered as stand-alone Services so, to avoid repetition of the related criteria, they have been removed from this Approval Profile and placed in appropriate service-specific Approval Profiles. Nevertheless they are still part of the provision of a CA Service. The Services that together make up the full CA Service, whether operated directly by the organisation offering the CA Service or whether outsourced to various other third parties, are required to fulfil the criteria defined in the following further Approval Profiles:

  • Registration
  • {Signing Key Management}
  • Certificate Generation
  • Certificate Dissemination
  • Certificate Status Management
  • Certificate Status Validation

Some of these Services are regarded as being mandatory parts of a CA Service and the implied requirements of any text are mandatory, the other Services, referred to within ‘curly’ brackets, { …thus… }, are optional and the CA must make clear whether or not they are intending to be assessed against them.

The CA has responsibility for ensuring conformance with the procedures prescribed in the applicable Certificate Policy even when constituent part-Services are outsourced to third parties. This requires the inclusion in its Certificate Practice Statement (or PKI Disclosure Statement) of relevant practices undertaken by all parties contributing to the overall Service provision. The CA may demonstrate directly the conformance to the appropriate Approval Profiles of the constituent Services or they may refer to prior tScheme Approvals awarded to those Services, where they remain current. Note - where components of the services are outsourced to third parties the CA must bear full liability for the overall service offering. Under these circumstances it is under no obligation to make public how it outsources these functions, although it may choose to do so.

EU regulation 910/2014 on electronic identification and trust services for electronic transactions [eIDAS]

Where the CA is issuing Qualified Certificates, the provision of appropriate evidence must demonstrate explicitly compliance with the requirements of [eIDAS]. The S3A must address how the components of the service are inter-related and must apportion matters of ownership, management and operational responsibility for the functional components and how they are allocated to other departments of the business or outsourced to third parties. This information should supplement and make more service-specific the criteria required by the Base Approval Profile.

Issue 1.00

The full Profile is available as a PDF document free of charge for non-commercial use. To track access, you must register (free of charge) – this entitles you to access the restricted Approvals Profiles page. To register for access to the Profiles please click here. Already registered? Login, then access the files here.


Our members

We’re a member-led not-for-profit organisation.


Getting tScheme approval

Approval usually takes at least three months, but it can be quicker.


Schemes and Profiles

Providing guidelines and criteria for organisations to develop their trust services.