General

Digital Signatures and Certificates

A digital signature is an electronic form of a signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and also ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are easily transportable and cannot be imitated by someone else. The ability to ensure that the original signed message arrived means that the sender cannot easily disclaim it later.

Digital Signature Certificates (DSC) is the electronic format of physical or paper certificate like a driving License, passport etc. Certificates serve as proof of identity of an individual for a certain purpose; for example, a Passport identifies someone as a citizen of that country; who can legally travel to any country. Likewise, a Digital Signature Certificate can be presented electronically to prove your identity, to access information or services on the Internet or to sign certain documents digitally.

3. Why do I need a Digital Signature Certificate?

A Digital Signature Certificate authenticates your identity electronically. It also provides you with a high level of security for your online transactions by ensuring absolute privacy of the information exchanged using a Digital Signature Certificate. You can use certificates to encrypt information such that only the intended recipient can read it. You can digitally sign information to assure the recipient that it has not been changed in transit, and also verify your identity as the sender of the message.  

4. Where can I purchase a Digital Signature Certificate?

Legally valid Digital Signature Certificates are issued only through a Controller of Certifying Authorities (CCA), Govt. of India, licensed Certifying Authorities (CA), such as IDRBT CA. IDRBT CA, a Certifying Authority (CA) licensed by CCA, offers secure digital signatures through various options tailored to suit individual as well as organizational needs.  

5. Where can I use Digital Signature Certificates?

You can use Digital Signature Certificates for the following:

• For sending and receiving digitally signed and encrypted emails.

• For carrying out secure web-based transactions, or to identify other participants of web-based transactions.

• In eTendering, eProcurement, MCA [for Registrar of Companies efiling], Income Tax [for efiling income tax returns] Applications and also in many other applications.

• For signing documents like MSWord, MSExcel and PDFs.

• Plays a pivotal role in creating a paperless office.

6. How does a Digital Signature Certificate work?

A Digital Signature Certificate explicitly associates the identity of an individual/device with a pair of electronic keys - public and private keys - and this association is endorsed by the CA. The certificate contains information about a user's identity (for example, their name, pincode, country, email address, the date the certificate was issued and the name of the Certifying Authority that issued it). These keys complement each other in that one does not function in the absence of the other. They are used by browsers and servers to encrypt and decrypt information regarding the identity of the certificate user during information exchange processes.
The private key is stored on the user's computer hard disk or on an external device such as a token. The user retains control of the private key; it can only be used with the issued password. The public key is disseminated with the encrypted information. The authentication process fails if either one of these keys in not available or do not match. This means that the encrypted data cannot be decrypted and therefore, is inaccessible to unauthorized parties.

7. Are Digital Signatures Certificate legally valid in India?

Yes, subsequent to the enactment of Information Technology Act 2000 in India, Digital Signature Certificates are legally valid in India.

Digital Signature Certificates are issued by licensed Certifying Authorities under the Ministry of Information Technology, Government of India as per the Information Technology Act.

8. What is the difference between a Digital Signature and a Digital Signature Certificate?

A digital signature is an electronic method of signing an electronic document whereas a Digital Signature Certificate is a computer based record that

• Identifies the Certifying Authority issuing it.

• Have the name and other details that can identify the subscriber.

• Contains the subscriber's public key.

• Is digitally signed by the Certifying Authority issuing it.

• Is valid for either one year or two years.

9. Why do I need a digital certificate?

10. Who is eligible for a digital certificate from IDRBT CA ? 

IDRBT CA offers Certification Services for the employees of Banks and Financial Institutions , Servers used for various bank applications and to Government Organisations who are the members of the Indian Financial Network (INFINET).

Digital Signature Usage

1. Can I use one Digital Signature Certificate for multiple e-mail addresses?

No, you cannot. A digital signature certificate can have only one email address.

2. Can I use digital signature certificate in e-tendering systems?

Digital signature certificates in e-tendering systems are allowed, but based on the service provider.

3. Can digital signature certificates be used in wireless networks?

Yes, digital signature certificates can be employed in wireless networks.

4. Am I allowed to use one web server certificate (SSL) for more than one website?

No. You will not be able to use one SSL certificate on different websites with different domain names because the certificate is explicitly associated with the exact host and domain name. A wild card SSL certificate can be issued that can support different sub domains like abc.IDRBT.com, def.IDRBT.com etc.

Regulatory

1. What is a Certifying Authority (CA)?

A Certifying Authority is a trusted agency whose central responsibility is to issue, revoke, renew and provide directories for Digital Signature Certificates. According to Section 24 of the Information Technology Act 2000, "Certifying Authority" means a person who has been granted a license to issue Digital Signature Certificates.

2. Who can be a Certifying Authority (CA)?

The IT Act 2000 details the prerequisites of a CA. Accordingly, a prospective CA has to establish the required infrastructure, get it audited by the auditors appointed by the office of Controller of Certifying Authorities. Subsequent to complete compliance of all requirements, a license to operate as a Certifying Authority can be obtained. The license is issued by the Controller of Certifying Authorities, Ministry of Information Technology, and Government of India.

3. What is a Registration Authority (RA)?  

A RA (Registration Authority) is an agent of the Certifying Authority who collects the application forms and related documents for Digital Signature Certificates, verifies the information submitted and approves or rejects the application based on the results of the verification process.  

4. What is the role of CCA?  

The Controller of Certifying Authorities (CCA) is a Government of India undertaking that license and regulate the working of Certifying Authorities.

The CCA certifies the public keys of CAs, which enables users in the cyberspace to verify that a given certificate is issued by a licensed CA. For this purpose, CCA operates, the Root Certifying Authority of India (RCAI).
The CCA also maintains the National Repository of Digital Signature Certificate (NRDC), which contains all the certificates issued by all the CAs in the country.

5. What is NRDC?

In accordance with Section 20 of the IT Act, NRDC is a national repository maintained by the CCA that contains all Digital Signature Certificates and CRLs issued by all the licensed CAs. It also contains all the Digital Signature Certificates and CRLs issued by the CCA through its RCAI. All Relying Parties are allowed to verify the authenticity of a CA's public keys from this repository.

6. What is RCAI?

RCAI is the Root Certifying Authority of India. It was established by the CCA under Section 18(b) of the IT Act and is responsible for digitally signing the public keys of all the licensed CAs in the country. The RCAI root certificate is the highest level of certification in the country. The RCAI root certificate is a self-signed certificate.

The key activities of the RCAI include:

• Digitally signing licenses issued by CCA to CA

• Digitally signing public keys corresponding to private keys of a CA

• Ensuring availability of these signed certificates for verification by a Relying Party through the CCA or CA website

Repository

1. What is a CRL?

The Certificate Revocation List (CRL) is a list of certificates that have been revoked by the CA, and are therefore no longer valid.

2. What is a CPS?

The Certificate Practice Statement (CPS) is a statement of the practices that a Certification Authority (CA) employs for issuing and managing certificates. A CPS may take the form of a declaration by the CA of the details of its system's trustworthiness and the practices that it employs both in its operations and in its support of issuance of a certificate.

3. What is a CP?

Certifying Authorities issue Digital Signature Certificates that are appropriate to specific purposes or applications. A Certificate Policy (CP) describes the different classes of certificates issued by the CA, the procedures governing their issuance and revocation and terms of usage of such certificates, besides information regarding the rules governing the different uses of these certificates.

4. What is Subscriber Agreement?

A Subscriber Agreement is an agreement between Subscriber and IDRBT CA stating that the subscriber will use the Digital Signature Certificate for the assigned use or objective and that the subscriber is solely responsible for the protection of the private key and ensuring functionality of the unique key pair. The subscriber also agrees through the Subscriber Agreement that all the information provided to IDRBT CA at the time of registration is accurate. In the event of any change in information, the subscriber is obliged to immediately inform IDRBT CA.

IDRBT CA is not responsible for any legal disputes arising due to misrepresentation on the part of the subscriber.

FAQ- Registration and Application

Apply And Download

1. How long will it take for the application to be processed?

DSC issuance would require < No. of days should be filled by IDRBT here > business days from the date of applying/application.

2. How do I apply for a digital signature certificate through IDRBT?

IDRBT provides the easiest and most reliable way to obtain your Digital Signature Certificates. You can obtain them in one of the following ways:

Directly through portal i.e. < IDRBT to provide URL of portal > business days from the date of applying/application.

• Apply using our online registration wizard

• Make payment online

• Pickup of application form by IDRBT CA

Please note that applications for Class 2 and Class 3 require verification and clearance for certificate issuance by concerned authority.

For queries and assistance in completing your registration/application, contact our Help Desk or send us an e-mail.

3. What are the different steps involved in processing an application for a Digital Signature Certificate?

Application processing for Digital Signature Certificates comprises of three phases:

• Phase 1 - Filling up of application

• Phase 2 - Payment/Document Submission

• Phase 3 - Download of the certificate

Phase 1 - Filling up of application

If you are applying for the Digital Signature Certificate online through the IDRBT portal, you need to fill out an online Digital Signature Certificate application specifying the User Type, Certificate class etc.

Phase 2 - Payment/Document Submission

This phase requires you to make the payment for the application and submit the necessary documents.
If you are applying online, then after filing up of online application, the user is redirected to payment gateway for making payment. Pickup of application form & supporting documents will be done by IDRBT CA [Subject to availability of pickup facility in the specified city/town]

Phase 3 - Download of the certificate

After successful verification of the documents, IDRBT shall be sending an email containing certificate download credentials. Using the credentials provided by IDRBT CA, you can logon to IDRBT CA portal and download digital signature certificate on to the token.

4. I'm trying to apply for a new Digital Signature Certificate. What 'Certificate Class' should I select?

Selection of certificate class depends completely on your usage and security requirements. A rough guideline is provided below on the applicability of various levels of certification:

Class 2 - if you need to use the certificate for signing documents, encryption and electronic access control in transactions where proof of identity based on information in the Validating Database is sufficient class.

Class 3 - for transactions that require a high degree of security and privacy due to exchange of extremely sensitive information that requires unequivocal authentication of the subscriber's identity. Some of the common transactions requiring Class 3 certificates are e-commerce, electronic data interchange by banks, etc.

5. I'm trying to apply for a new Digital Signature Certificate. What 'Certificate Type' should I select?

Selection of a certificate type depends completely on your requirement. The options available to you are:

• Signature - Certificate with this key usage, can be used for only digitally signing documents, emails and online transactions.

• Encryption - Certificate with this key usage, can be used for only encrypting documents, emails and online transactions.

6. I'm trying to apply for a new Digital Signature Certificate. What 'Type of Token' should I select?

Selection of a token type depends completely on your requirement. The options available to you are:

• Soft Token - If you would like to download the Digital Signature Certificate to your local machine and use it from that specific machine only

• USB Token - If you would like to download the Digital Signature Certificate to a USB Token or a Smart card and use it from multiple machines

7. Why do I need to submit documents for a Digital Signature Certificate?

A Digital Signature Certificate has almost the same importance in the digital world as your Passport or PAN card does in the physical world. Therefore, all information displayed on your Digital Signature Certificate needs to be verified before the certificate can be issued.

8. What are the documents I need to submit to get a Digital Signature Certificate?

The following documents are required for all classes 2 and 3 and Server Certificates For an individual

• Attested copy of any one of the following as identity proof (attestation may be by any Gazetted Officer/Bank Manager)
  IDRBT TO PROVIDE THE DOCUMENT LIST

• Attested copy of any one of the following as Address Proof (attestation may be by any Gazetted Officer/Bank Manager)
  IDRBT TO PROVIDE THE DOCUMENT LIST

For an Organization

• Attested copy of any one of the following as Identity Proof (attestation may be by any Gazetted Officer/Bank Manager)
  IDRBT TO PROVIDE THE DOCUMENT LIST

• Authorization letter in favor of the certificate applicant from the organization

• Domain Name registration proof from the registrar of Domains (if applying for Server Certificate)

9. Do I have to be physically present for verification of identity when my application is being processed?

Physical presence is mandatory only for verification of applicants seeking Class 3 type Digital Signature Certificates.

10. What is the reason for refusal of my request for a Digital Signature Certificate?

IDRBT CA follows stringent verification procedures as laid down by Govt. of India. Refusal to issue a Digital Signature Certificate is a result of Incomplete application, information or wrong information is the common causes for such refusal.

11. Can I be sure that my confidential information will not be misused during enrollment for obtaining a Digital Signature Certificate?

IDRBT CA has a strict policy on the use of applicant and customer information. IDRBT CA will not disclose such information, except as required by the law.

12. I have submitted my application for Digital Signature Certificate, but now I have decided to cancel my request. Will I get a refund?

No, the IDRBT CA does not provide any refund of fees paid for the digital signature certificates.

Revocation

1. Some of the details in my Digital Signature Certificate are incorrect. Can these be corrected?

No, details cannot be changed. You need to revoke the current certificate and apply for a new one by following the same process as the one you used for the earlier certificate. IDRBT CA provides a facility where in you can check for the correctness of your details just before downloading of the digital signature certificate. If you are not satisfied with your details displayed, you can reject the application.

2. What is Certificate Revocation?

A Digital Signature Certificate can be revoked under circumstances such as the following

• Users suspect compromise of certificate private key. LIST

• Change of personal data.

• Change of relationship with the organization

Revocation of Certificates can be done either online IDRBT CA portal or by contacting the nearest RA. The revocation request will be processed within < IDRBT has to provide no. days > working days from the receipt date.

4. Can someone other than the subscriber revoke a certificate?

No, revocation is restricted to:

• The Subscriber in whose name the certificate has been issued.

• A duly authorized representative of the subscriber

• Authorized personnel of IDRBT CA or RA when the subscriber has breached the agreement, regulation, or law that may be in force

5. Where can I check whether my IDRBT Digital Signature Certificate is revoked or not?

6. How can I renew my Digital Signature Certificate?

You can visit IDRBT CA portal for renewal of your Digital Signature Certificate.

Protection and Recovery

1. How do I protect my Digital Signature Certificate/Private key?

• Protect your computer from unauthorized access by keeping it physically secure

• Use access control products or operating system protection features (such as a system password)

• Always protect your private key with a good password

• It is better download the digital signature certificate on to the crypto token which is more secure and tamper proof

2. What do I do if someone copies my Digital Signature Certificate?

Your Digital Signature Certificate cannot be used without your private key. To maintain security, your private key should be protected by a password and never sent across any network. However, you do want your Digital Signature Certificate (which contains your public key) to be available to other users so that they can verify your right to use the Digital Signature Certificate, decrypt messages that you have encrypted with your private key, and verify your digital signatures.

3. I have forgotten my private key password. Can someone change it for me?

No. If you have forgotten your private key password, you will have to apply for a new Digital Signature Certificate

4. I have lost the Smart Card / USB Token containing my certificate and cryptographic keys. What do I do?

Please contact your nearest RA Administrator immediately to get your certificate suspended to avoid unauthorized access to it.

5. Will I lose my Digital Signature Certificate if my hard drive is formatted or crashed?

If you have a soft token and if the hard drive is formatted or has crashed, the Digital Signature Certificate will be deleted.