Certifying Authorities and Certificates in India
The Public Key Infrastructure of India comprises the Controller of Certifying Authorities (CCA) and the Certifying Authorities (CAs), with the CCA at the root of the trust chain in India. The CCA certifies the public keys of the CAs and issues them certificates.
The Controller of Certifying Authorities (CCA), appointed by the Central Government, has established the Root Certifying Authority (RCAI) of India under section 18(b) of the Information Technology Act to digitally sign the public keys of Certifying Authorities (CA) in the country. The Certifying Authorities (CAs) issue digital signature certificates for electronic authentication of users.
The CCA certifies the public keys of CAs using its own private key, which enables users in cyberspace to verify that a given certificate was issued by a licensed CA. For this purpose it operates the Root Certifying Authority of India (RCAI). The CCA also maintains the Repository of Digital Certificates, which contains all the certificates issued to the CAs in the country.
For public-key cryptography to be valuable, users must be assured that the other parties with whom they communicate are "safe"—that is, their identities and keys are valid and trustworthy. To provide this assurance, all users of a PKI must have a registered identity. These identities are stored in a digital format known as a public key certificate. Certification Authorities (CAs) represent the people, processes, and tools to create digital certificates that securely bind the names of users to their public keys. In creating certificates, CAs act as agents of trust in a PKI. As long as users trust a CA and its business policies for issuing and managing certificates, they can trust certificates issued by the CA. This is known as third-party trust. CAs create certificates for users by digitally signing a set of data that includes the following information:
- the user's name in the format of a distinguished name (DN). The DN specifies the user's name and any additional attributes required to uniquely identify the user (for example, the DN could contain the user's employee number).
- a public key of the user. The public key is required so that others can encrypt for the user or verify the user's digital signature.
- the validity period (or lifetime) of the certificate (a start date and an end date).
- the specific operations for which the public key is to be used (whether for encrypting data, verifying digital signatures, or both).
The CA's signature on a certificate allows any tampering with the contents of the certificate to be easily detected, much as a tamper-detection seal on a bottle of pills reveals any tampering with the bottle's contents. As long as the CA's signature on a certificate can be verified, the certificate has integrity. Since the integrity of a certificate can be determined by verifying the CA's signature, certificates are inherently secure and can be distributed in a completely public manner (for example, through publicly accessible directory systems).
Users retrieving a public key from a certificate can be assured that the public key is valid. That is, users can trust that the certificate and its associated public key belong to the entity specified by the distinguished name. Users also trust that the public key is still within its defined validity period. In addition, users are assured that the public key may be used safely in the manner for which it was certified by the CA.
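The following Go program is an added illustration (not code from the original page or from the CCA or any Indian CA) of both points above: it builds a certificate that binds a distinguished name to a public key with a validity period and a key-usage restriction, signs it with a root CA key, and then performs the three checks a relying party makes before using the key: that the CA's signature chains to the trust anchor, that the current time is within the validity period, and that the key was certified for digital signatures. It then shows the tamper-detection property by flipping one byte of the subject name and watching verification fail. "Example Root CA", "Example Org", the user name and the employee number are all constructed values standing in for a root such as RCAI and a real user; the function names `BuildChain`, `VerifyForSigning` and `TamperSubject` are this example's own, using only Go's standard `crypto/x509` package.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed example: "Example Root CA" stands in for a root such as RCAI and
// the user DN is made up; none of this is a real Indian CA's certificate.

// BuildChain creates a self-signed root (the trust anchor) and a user
// certificate carrying the four fields the text lists: a DN, the user's public
// key, a validity period and a key-usage restriction. It returns the pool a
// relying party verifies against and the DER encoding of the user certificate.
func BuildChain(now time.Time) (*x509.CertPool, []byte, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA", Country: []string{"IN"}},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// The root signs its own certificate with its own private key.
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, nil, err
	}
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	userTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		// The DN: the user's name plus an employee-number attribute that makes it unique.
		Subject:   pkix.Name{CommonName: "A. User", Organization: []string{"Example Org"}, SerialNumber: "EMP-12345", Country: []string{"IN"}},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0), // one-year validity period
		KeyUsage:  x509.KeyUsageDigitalSignature,                      // certified for signing only
	}
	// The CA (root) signs the user's public key and attributes with the CA's private key.
	userDER, err := x509.CreateCertificate(rand.Reader, userTmpl, root, &userKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return pool, userDER, nil
}

// VerifyForSigning is what a relying party does before trusting a public key
// taken from a certificate: the CA's signature must chain to the trust anchor,
// the time at must fall inside the validity period, and the CA must have
// certified the key for digital signatures.
func VerifyForSigning(pool *x509.CertPool, der []byte, at time.Time) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: pool, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err // bad signature, unknown issuer, or outside the validity period
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("public key not certified for digital signatures")
	}
	return nil
}

// TamperSubject changes one byte of the common name inside the DER encoding.
// The certificate still parses, but the CA's signature no longer matches.
func TamperSubject(der []byte) []byte {
	out := append([]byte(nil), der...)
	if i := bytes.Index(out, []byte("A. User")); i >= 0 {
		out[i] = 'B'
	}
	return out
}

func main() {
	now := time.Now()
	pool, der, err := BuildChain(now)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine, within validity period:", VerifyForSigning(pool, der, now))
	fmt.Println("tampered subject:", VerifyForSigning(pool, TamperSubject(der), now))
	fmt.Println("checked two years later:", VerifyForSigning(pool, der, now.AddDate(2, 0, 0)))
}
```

The first line prints `<nil>` (the certificate is accepted), while the tampered and the expired cases return errors: the altered name no longer matches what the CA signed, and a check performed after the end date falls outside the certified lifetime. Note that the tamper check succeeds without contacting the CA at all; only the CA's public key in the trust pool is needed, which is what allows certificates to be distributed through public directories.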
There are both Government and private sector certifying authorities in India.