For Approval & Support :

8171444411

Asked & Questions



Class 2 & Class 3 Individual


Ans. Yes, The signature and encryption certificate should be separate for an individual. The encryption keys are to be generated at the subscriber's system and should be archived prior to transfer into crypto-medium. The signature keys should be generated in the crypto-medium and should not be copied.

Ans. No, Ideally, there should not be any requirement for different certificates, however the person holding lower assurance Class 2 certificate may require higher assurance Class 3 certificates for application which demand the same. The higher assurance Class 3 certificates can be used where ever application requires lower assurance certificate. Apart from assurance, depending on the information included in the DSC additional certificate may be required.


Class 2 & Class 3 Organization


Ans. Yes, The signature and encryption certificate should be separate for an individual. The encryption keys are to be generated at the subscriber's system and should be archived prior to transfer into crypto-medium. The signature keys should be generated in the crypto-medium and should not be copied.

Ans.Class 1 : The verification requirements are
(i) Aadhaar
(ii) paper based application form and supporting documents
(iii) Forward message notification + Video Verification. The Private Key generation and storage can be in software.

Class 2 : The verification requirements are
(i) Aadhaar
(ii) Paper based application form and supporting documents
(iii) Forward message notification + Video Verification . The Private Key generation and storage should be in Hardware.

Class 3 : The verification requirements are
(i) Aadhaar
(ii) Paper based application form and supporting documents and (physical personal appearance before CA or Video verification)
(iii) Forward message notification+ Video Verification . The Private Key generation and storage should be in Hard ware cryptographic device validated to FIPS 140-2 level 2

Ans. No. The same class and/or type of certificates issued by all CAs have the same level of assurance and trust.India PKI follows a Hierarchical PKI model where Root CA certifies CA and CA in turn certifies the subscriber. The India PKI Certificate Policy is applicable to the entire eco-system of CA certificate, subscriber's certificates and key storage medium. The method of verification prior to issuance of same assurance level certificate is as per the IVG. Similarly, the content format and storage medium for all certificates issued by all Licensed CAs are as per Interoperability Guidelines for DSC and X.509 Certificate Policy for India PKI. There is no difference in the certificates of same class and type issued by different CAs. The price of the certificate may however vary from CA to CA.

Ans. No. CAs can opt out of issuance of any class of certificates at their discretion. CAs are not allowed to issue any classes of certificates to other than that specified in the India PKI CP and specifically allowed by CCA


DSC Management


Ans. Yes. On moving from one department to another, if the procedure in place so demands then the existing Digital Signature Certificate will be revoked and a new one will be required to be issued.

Ans. After the issuance of DSC to subscriber by CA, any signature created using the device and verifiable through this DSC is deemed as subscriber's signature.

DSC for Organisational person


Ans. No. The Digital Signature Certificate should be revoked and keys should be destroyed by the subscriber.

Ans. The document signer certificate is issued for use with the software of an organisation for automated authenticated response. Document signer certificate is not a replacement for the signature of the authorised signatory of the organisation.

Ans.  Organisation has to see assurance levels of DSC as indicated by its class. If organization is not competent to decide the Class of the DSC required for their application, a Risk Analysis may be carried out through empanelled auditors of Cert-IN or CCA and a recommendation may be obtained.


Digital Signature


Ans. CAs will not have any information on the signatures applied by the subscribers after the issuance of DSC. The application owners or subscribers themselves can keep records of the signature affixed by them.

Ans. Signatures are to be verified with respect to signature affixing time. If the certificate is valid at the time of signature, the signature is deemed to be valid.

Ans. No. The Digital signature changes with content of the message.

Ans. It depends upon the how the subscriber has kept his private keys. If private key is not stored securely, then it can be misused to sign an electronic record without the knowledge of the owner of the private key.It depends upon the how the subscriber has kept his private keys. If private key is not stored securely, then it can be misused to sign an electronic record without the knowledge of the owner of the private key.

Ans.  Under the IT Act, 2000 Digital Signatures are at par with hand written signatures. Therefore, similar court proceedings will be followed. The requirements of recording of date and time can be addressed through Time Stamping.

Ans. RSA Signature Algorithms with SHA2 Hashing Algorithms ECDSA Signature Algorithms with SHA2 Hashing Algorithms and NIST Curve p-256. (For details ref Digital Signature 2019 and also Interoperability Guidelines for DSC.


Signature Verification


Ans. The procedure for verification of signature is specified in Digital Signature 2019 and also in Annexure IV Application Developer Guidelines of Interoperability Guidelines for DSC (CCA-IOG).

Ans. Yes. Signer's certificate and the complete issuer chain of certificates up to the Root certificate are required. The chain may either be part of Digital Signature or be made available to the verifier by the application service provider. Microsoft products carry Root Certificate of India. If not present locally in the verification system, it can be downloaded from http://cca.gov.in. In the case of application based verification, applications need to make available the Root Certificate to the verification component.

Ans.  The digital signature verification process for a document requires the signer's public key, issuer certificates and their CRLs. CA will make available the issuer certificates and CRLs till the expiry of DSCs. For the requirements of verification beyond expiry of DSCs, the application should therefore have a provision to locally store DSCs issuer certificate and their CRL's at the time when the document was digitally signed.To enable the verification of documents long time after the affixing of signature, it is recommended to use long term archival signature format for the signature

Certifying Authority


Ans. RA interacts with the DSC applicants for collection of documents and help them for submission of DSC application and in some cases for obtaining and using hardware Crypto device. CAs are responsible for verification and issuance of DSC to applicant. The responsibilities of an organisational RA are different from these of an RA which deals with individuals claiming no organisational affiliation.

Ans.  Prior to cessation of operations the CA has to follow procedures as laid down under the IT Act. The CA needs to revoke all the valid certificates prior to its closure. The subscriber has to get a new Digital Signature Certificate from other Licensed CA. Signature carried out by subscriber prior to the revocation of his certificate will remain valid. The signatures are validated with respect to validity of certificate at the time of affixing of signature.