Use case - Regulated procurement

Check if a Common Criteria certificate is current, real, and matches the SKU you are buying.

Common Criteria certifications turn up in RFPs as a procurement requirement, but the official portals do not make verification easy. CCRA's commoncriteriaportal.org is a static list. EUCC certificates live on a different registry. SESIP, PSA Certified, EMVCo, ESA and MIFARE each have their own. NenkinTracker indexes all of them in one searchable database with a free public lookup tool, so you can answer "is this certificate real and current?" in seconds rather than tabs.

How to verify a Common Criteria certificate

  1. Open the free certificate lookup. Use the public certificate-lookup tool. It searches every CCRA national scheme, plus EUCC, SESIP, PSA Certified, EMVCo, MIFARE, and ESA - one query, one result list, no scheme-by-scheme tab juggling.
  2. Match the certificate to the SKU. Confirm that the product name, version, and vendor on the certificate exactly match the SKU on your quote. Vendors sometimes ship v1.2.4 of a product whose certificate was issued for v1.2.3; in that case the certificate may still be valid, but only for the older version.
  3. Read the status and dates honestly. A certificate's status (active, in maintenance, archived, withdrawn) and its issue/expiry/maintenance dates tell you what an auditor will accept. The wiki entry on what 'current' actually means under CC walks through the six combinations that matter.
  4. Set up monitoring for the shortlist. For the products you are actually buying, follow them in NenkinTracker so any future change - status flip, archived flag, new CVE on the TOE - lands in your inbox before your audit.

New to what "current" means in CC? The wiki entry on Common Criteria certificate validity walks through every status combination an auditor will look at and what each one actually allows the buyer to claim.

RFP clause: certificate validity and notification

A clause you can drop into supplier contracts. It binds the vendor to hold a current certificate for the supplied version and to notify the buyer of any change. Use, edit, and redistribute freely - no attribution required.

The Supplier shall, at the time of contract award and throughout the term, hold a valid Common Criteria certificate (or equivalent EUCC, SESIP, or scheme-recognised certification) for the offered product at the version supplied, issued by a CCRA-recognised national scheme or by an EUCC-accredited Conformity Assessment Body. The Supplier shall notify the Buyer in writing within ten (10) business days of any change to certificate status (including but not limited to: entry into maintenance, archival, withdrawal, or expiry without renewal), publication of a new Maintenance Report, republication of the Security Target, or linkage of any CVE to the certified product.

For continuous monitoring of the suppliers covered by this clause, follow each product in NenkinTracker - any status flip, new Maintenance Report, or CVE linked to the TOE triggers a notification you can forward to the supplier under the notification clause above.

Free lookup, paid monitoring.

The certificate lookup is free and public - no account required. For continuous monitoring of the products on your shortlist, the User plan at 19.90 EUR/month covers up to 10 followed products with full notifications, and Professional at 49.90 EUR/month covers up to 50. The 30-day free trial includes every paid feature, no credit card required.

Frequently asked questions

How do I verify that a Common Criteria certificate is current?
Use the free certificate lookup at nenkin.io/certificate-lookup. Search by product, vendor, or certificate ID and read off the status and dates. The result page links to the source document on the issuing scheme so you can confirm against the authoritative registry. For continuous verification - so a status flip after the quote is signed reaches you - follow the certificate in NenkinTracker.

What schemes does the certificate lookup cover?
Every CCRA national scheme (BSI, ANSSI, NIAP, CCCS, SERTIT, JISEC, KCMVP, OCSI, CCN), the EUCC scheme under the EU Cybersecurity Act, SESIP, PSA Certified, EMVCo, MIFARE, and ESA. Coverage is documented at nenkin.io/data.

Can NenkinTracker email me when a certificate I am about to buy gets archived?
Yes. Sign in, follow the product or the specific certificate, and any change to status or documents triggers an email and an in-app notification. The User plan at 19.90 EUR/month covers a focused shortlist (up to 10 followed products); the Professional plan at 49.90 EUR/month covers a broader portfolio. The 30-day free trial includes the same features.

Is NenkinTracker authoritative on certificate status?
NenkinTracker mirrors the public data published by each issuing scheme and refreshes daily. For legally authoritative confirmation, the issuing scheme's own registry (linked from every result) remains the source of truth. NenkinTracker's role is to make that data searchable, comparable across schemes, and pushable to your inbox when it changes.

Verify the certificate. Then keep verifying it.

Run the free lookup now. When you are ready to monitor your shortlist continuously, the trial is one click away.