Introduction: The CCA / eSign / Digital Signature Audit
The Controller of Certifying Authorities (CCA) operates under the Ministry of Electronics and Information Technology (MeitY), Government of India, as the apex regulatory body for the Public Key Infrastructure (PKI) ecosystem established under the Information Technology Act, 2000. The CCA licenses and supervises Certifying Authorities (CAs), maintains the Root Certifying Authority of India (RCAI), and governs the entire trust chain that underpins legally recognised Digital Signature Certificates (DSCs) and the online eSign electronic signature service. Any organisation that issues, relies upon, or provides technology for digital signatures in India operates within a framework of statutory obligations, technical standards, and periodic compliance audits mandated by the CCA.
A CCA / eSign / Digital Signature Audit is a formal, evidence-based assessment that verifies whether a Certifying Authority, an eSign Service Provider (ESP), an Application Service Provider (ASP), or a subscriber-facing signing application conforms to the Information Technology Act 2000 (as amended by the IT Amendment Act 2008), the IT (Certifying Authorities) Rules 2000, the CCA's Interoperability Guidelines, the India PKI Certificate Policy (India PKI CP), the e-authentication guidelines for eSign, and the CCA's audit criteria checklist. The audit is not a one-time exercise: licensed CAs must undergo an annual compliance audit by a CCA-empanelled auditor, and eSign Service Providers must be independently audited before onboarding and periodically thereafter.
This guide is written for two audiences at once. For the auditor or assessor, it enumerates every control area, the specific evidence to demand, and the certification and testing lifecycle of the scheme. For the implementer or product team building a CA, an ESP/ASP integration, a signing workflow, or an eKYC-based eSign journey, it translates the regulatory requirements into concrete engineering, documentation, and operational deliverables. Throughout, we use the terminology, hierarchy, and requirement identifiers that appear in the CCA's own scheme documents so that findings can be mapped back to the source obligations.
Copyright and source note
This guide is original CyberSigma commentary. The Information Technology Act 2000, the IT (Certifying Authorities) Rules 2000, the India PKI Certificate Policy, the CCA Interoperability Guidelines, the e-authentication / eSign API specifications, and the CCA audit criteria are Government of India / MeitY publications. We paraphrase and interpret these instruments; we do not reproduce their copyrighted text. Always validate against the current versions published by the CCA (cca.gov.in) and MeitY, and against any circular or office memorandum in force at the time of audit.
What is the CCA / eSign / Digital Signature ecosystem
The Indian digital signature ecosystem is a hierarchical trust model rooted in statute. Section 3 of the IT Act gives legal recognition to digital signatures created using asymmetric cryptography and a hash function (a 'digital signature'), while Section 3A recognises 'electronic signatures' including the eSign online electronic signature service that is notified in the Second Schedule of the Act. The CCA sits at the top of the trust chain and performs both a regulatory and an operational role.
Core actors in the ecosystem
- Controller of Certifying Authorities (CCA): licenses CAs, operates the Root Certifying Authority of India (RCAI), publishes the India PKI CP and interoperability guidelines, empanels auditors, and runs the National Repository of Digital Certificates (NRDC).
- Root Certifying Authority of India (RCAI): the trust anchor whose self-signed root certificate signs the certificates of every licensed CA; the root private key is held in the CCA's secure facility.
- Certifying Authority (CA): a licensed entity (e.g. eMudhra, (n)Code Solutions, Capricorn, Sify, Vsign, IDSign, ProDigiSign, XtraTrust, National Informatics Centre CA) that issues Digital Signature Certificates to subscribers after identity verification.
- eSign Service Provider (ESP): a licensed CA (or an entity operating under a CA) that offers the online eSign service, generating a signature on the fly using a key pair created and destroyed within a single transaction after Aadhaar or PAN/organisational e-authentication.
- Application Service Provider (ASP): an organisation that integrates the eSign API into its own application to obtain signatures from its users (e.g. a bank, insurer, or fintech).
- Registration Authority (RA): a delegate of a CA that performs identity verification and enrolment of subscribers.
- Subscriber / signer: the individual or organisation whose identity is bound to the certificate and whose private key creates the signature.
- Relying party: any party that verifies and depends upon a digital signature or eSign.
Digital Signature Certificate vs eSign
A traditional Digital Signature Certificate (DSC) binds a long-lived key pair to a subscriber; the private key is held by the subscriber on secure hardware (a FIPS 140-2 Level 2/3 crypto token or HSM) and is used repeatedly. The eSign online service, by contrast, creates a short-lived (ephemeral) key pair inside the ESP's HSM at the moment of signing, authenticates the signer through Aadhaar eKYC (OTP, biometric, or offline XML) or through PAN/organisational KYC, applies the signature to the document hash, and then destroys the private key. eSign therefore removes the need for the signer to possess a crypto token, at the cost of a stronger real-time authentication and audit requirement on the ESP.
Who must comply
The obligation to be audited under the CCA scheme applies to every layer of the trust chain, but the depth of the audit varies by role. The table below summarises the applicability.
| Entity type | Nature of obligation | Audit trigger and frequency |
|---|
| Certifying Authority (CA) | Full licence conditions under IT Act s.21-34, CA Rules, India PKI CP/CPS | Pre-licence audit; annual compliance audit by CCA-empanelled auditor; ad-hoc audit on incident or complaint |
| eSign Service Provider (ESP) | e-authentication guidelines, eSign API spec, ESP CPS | Onboarding audit before go-live; annual audit; audit on major change to system |
| Application Service Provider (ASP) | Contractual and API-integration obligations; consent, logging, DPDP | Due diligence by ESP; ESP-driven periodic review; DPDP Act compliance |
| Registration Authority (RA) | Identity verification and enrolment controls delegated by CA | Covered within the CA's audit scope and the CA's oversight of RAs |
| Time Stamping Authority (TSA) | CCA TSA guidelines, RFC 3161, secure time source | Audit as part of, or aligned to, CA audit criteria |
| Government / enterprise relying parties | Signature verification, revocation checking, archival | Internal assurance; sectoral regulator audits (RBI, IRDAI, SEBI) where applicable |
| Trust Service / e-Sign integrators and product vendors | Conformance to interoperability and eSign API specifications | Interoperability testing with CCA; ESP acceptance testing |
Structure of the CCA / eSign audit scheme
The audit scheme is organised into control domains that mirror the lifecycle of a certification service: legal and licensing, governance and policy, physical and environmental, cryptographic and key management, certificate lifecycle, the eSign online service, identity and e-authentication, logging and audit trails, interoperability, business continuity, and privacy/data protection. The table below maps the domains to their principal source instruments and representative control identifiers used in the CCA audit criteria and India PKI CP.
| Domain | Scope | Primary source instrument |
|---|
| D1 Legal & Licensing | Licence validity, cross-certification, RCAI chaining, statutory notices | IT Act 2000 s.21-26; CA Rules 2000 |
| D2 Governance, Policy & CPS | Certificate Policy, Certification Practice Statement, roles, change control | India PKI CP; RFC 3647 CPS framework |
| D3 Physical & Environmental Security | Secure facility, tiered zones, access control, power, fire | CA Rules Schedule; India PKI CP s.5 |
| D4 Cryptographic & Key Management | HSM/FIPS levels, key generation, ceremony, escrow prohibition, algorithms | India PKI CP s.6; Interoperability Guidelines |
| D5 Certificate Lifecycle | Enrolment, issuance, renewal, revocation, CRL/OCSP, repository | India PKI CP s.3-4; CA Rules |
| D6 eSign Online Service | Ephemeral key, on-the-fly signing, ESP CPS, transaction integrity | e-authentication guidelines; eSign API v2.x/3.x |
| D7 Identity & e-Authentication | Aadhaar eKYC (OTP/bio/offline), PAN/org KYC, IAL/AAL mapping | UIDAI eKYC; eSign e-auth classes |
| D8 Logging, Audit Trail & Monitoring | Immutable logs, retention, time sync, SOC monitoring | India PKI CP s.5.4-5.5 |
| D9 Interoperability & Conformance | Certificate profile, IGDG guidelines, CRL/OCSP profiles | CCA Interoperability Guidelines |
| D10 Business Continuity & Incident | BCP/DR, compromise recovery, key ceremony recovery, incident response | India PKI CP s.5.7 |
| D11 Privacy & Data Protection | Personal data handling, DPDP Act 2023, Aadhaar data protection | DPDP Act 2023; UIDAI regulations |
| D12 Time Stamping | Trusted timestamp, RFC 3161, secure time source | CCA TSA guidelines |
Master assessment checklist
This is the operative heart of the audit. Below, each control domain is expanded with a table of what the auditor must verify and the typical evidence that satisfies each requirement. Implementers should treat the right-hand column as their deliverable list. No control area is omitted.
D1 — Legal, Licensing and Trust-Chain Controls
| What to verify | Typical evidence |
|---|
| CA holds a valid, unexpired licence granted by the CCA under IT Act s.21 | Licence certificate, licence number, validity dates, CCA grant letter |
| CA certificate is chained to and signed by RCAI; correct path validation | Certificate chain export, RCAI signature verification, path build test |
| Cross-certification and sub-CA relationships are authorised and documented | Cross-cert agreements, CCA approvals, sub-CA certificate policies |
| Statutory notices, disclosures and subscriber agreements meet CA Rules | Subscriber agreement templates, relying-party agreement, disclosure record |
| Suspension/revocation of licence conditions and surrender procedures defined | Wind-down plan, key destruction plan, subscriber notification procedure |
D2 — Governance, Certificate Policy and CPS
| What to verify | Typical evidence |
|---|
| Published Certification Practice Statement conforms to RFC 3647 structure and India PKI CP | Current CPS document, version history, CCA acknowledgement |
| CP/CPS covers all certificate classes issued (individual, organisational, document signer, device, SSL where applicable) | Certificate class matrix mapped to CP OIDs |
| Policy Management Authority / governance body defined with meeting cadence | PMA charter, minutes, approval records |
| Segregation of trusted roles (CA admin, RA officer, auditor, operator, security officer) | Role definition document, dual-control matrix, no-toxic-combination evidence |
| Change management, version control and CCA notification for material changes | Change log, CAB minutes, CCA change notifications |
| Documented compliance obligations for the DPDP Act 2023 and IT Act referenced | Compliance register, legal sign-off |
D3 — Physical and Environmental Security
| What to verify | Typical evidence |
|---|
| Tiered secure zones (public, operations, high-security/HSM room) with escalating controls | Site plan, zone map, security architecture document |
| Multi-factor and dual-person access control to the high-security zone | Access control logs, biometric enrolment, two-person integrity records |
| 24x7 CCTV coverage with retention meeting policy, and intrusion detection | CCTV footage retention config, IDS logs, alarm test records |
| Environmental controls: redundant power/UPS, HVAC, fire suppression, water sensors | Maintenance logs, UPS test, fire drill records, sensor calibration |
| Media handling, secure storage of backup keys, and offsite vaulting | Media inventory, safe/vault logs, offsite transport records |
| Visitor management and escort policy for the secure facility | Visitor register, escort logs, badge issuance records |
D4 — Cryptographic and Key Management Controls
| What to verify | Typical evidence |
|---|
| CA and RCAI signing keys generated and stored in FIPS 140-2 Level 3 (or higher) HSMs | HSM model/FIPS certificate, key generation attestation |
| Formal, scripted, witnessed key generation ceremony with independent auditor present | Key ceremony script, signed attestation, video record, IV notes |
| Approved algorithms and key sizes (RSA 2048/3072, ECC P-256/P-384, SHA-256 hashing) | Certificate parameters, algorithm policy, deprecation plan for SHA-1 |
| Private key never exported in clear; no key escrow of signing keys | HSM export policy, ceremony logs, CPS statement of no-escrow |
| Key backup under M-of-N control (split knowledge, dual control) | Key share custodian records, M-of-N scheme, secret-share ceremony log |
| Key activation, deactivation, destruction and end-of-life procedures | Activation data policy, destruction certificates, HSM zeroisation logs |
| Subscriber key protection: DSC keys on FIPS 140-2 L2/L3 tokens; eSign keys ephemeral in HSM | Token FIPS certificates, eSign HSM ephemeral-key attestation |
| Cryptoperiod defined for CA keys and enforced with rollover planning | Cryptoperiod schedule, key rollover runbook |
D5 — Certificate Lifecycle Management
| What to verify | Typical evidence |
|---|
| Subscriber enrolment includes verified identity per India PKI CP identity classes | Enrolment records, verified ID documents, RA verification logs |
| Certificate request, validation and issuance workflow with dual control | Issuance workflow, approval logs, four-eyes evidence |
| Certificate profile conforms to CCA interoperability certificate profile (fields, extensions, OIDs) | Sample certificates parsed, profile conformance report |
| Renewal, re-key and modification procedures with re-verification of identity | Renewal records, re-key policy, re-verification evidence |
| Revocation on compromise/request within defined SLA; CRL issued at required interval | Revocation requests, CRL issuance timestamps, SLA metrics |
| OCSP responder available, signed, and returns correct status | OCSP endpoint test, responder certificate, status query logs |
| Public repository (directory / NRDC feed) publishes certificates and CRLs | Repository availability logs, publication records |
| Certificate serial numbers unique and unpredictable; no re-use | Serial-number generation logic review, uniqueness test |
D6 — eSign Online Electronic Signature Service
| What to verify | Typical evidence |
|---|
| ESP CPS approved and eSign service operated per e-authentication guidelines | ESP CPS, CCA approval, service description |
| Ephemeral key pair generated inside HSM per transaction and destroyed after signing | HSM logs of key create/destroy events, transaction correlation IDs |
| Only the document hash is transmitted to the ESP; document content never leaves ASP unnecessarily | API request/response captures, data-flow diagram, hash-only proof |
| eSign API version (v2.1 / v3.x as applicable) implemented correctly incl. XML signature | API conformance test results, sample signed responses |
| Signature applied is a valid PKCS#7/CMS or PAdES structure with correct signer certificate | Signed PDF/CMS parsed, PAdES/LTV validation report |
| Transaction response includes signer KYC binding and audit reference | eSign response XML, KYC hash, transaction ID mapping |
| ASP onboarding, contract, and per-transaction consent captured and logged | ASP agreements, consent artefacts, consent audit trail |
| Rate limiting, replay protection and message integrity on the eSign API | WAF/API gateway config, nonce/timestamp validation, TLS config |
D7 — Identity and e-Authentication (Assurance Levels)
The eSign scheme defines e-authentication classes analogous to identity and authentication assurance levels. Aadhaar-OTP, Aadhaar-biometric, Aadhaar-offline-XML, and PAN/organisational KYC each carry a different assurance weight. Auditors must confirm that the assurance level asserted in the certificate/response matches the actual authentication performed.
| What to verify | Typical evidence |
|---|
| Authentication method (OTP / fingerprint / iris / offline XML / PAN-org KYC) recorded per transaction | Authentication logs, UIDAI auth response codes, method flag in eSign response |
| Aadhaar eKYC performed via licensed KUA/AUA channel with valid licence key | UIDAI KUA/AUA licence, eKYC response, encrypted PID block handling |
| Biometric class used for higher-assurance signing where mandated; OTP for lower-assurance | Class-to-use-case mapping, sectoral requirement mapping |
| Consent and purpose captured before eKYC per UIDAI and DPDP requirements | Consent screen artefacts, consent logs, purpose declaration |
| Aadhaar number not stored in clear; only reference/token (VID/reference key) retained | Data-at-rest review, tokenisation evidence, no-Aadhaar-storage attestation |
| Assurance level asserted in signature matches authentication actually performed | Cross-check of response class vs auth method logs |
D8 — Logging, Audit Trail and Monitoring
| What to verify | Typical evidence |
|---|
| All security-significant events logged: key ops, issuance, revocation, access, eSign transactions | Log schema, sample logs, event catalogue |
| Logs are tamper-evident/immutable (WORM, hashing, or signed log chains) | Log integrity mechanism, hash-chain verification, WORM config |
| Log retention meets India PKI CP / CA Rules retention period (typically 7 years / life of cert +) | Retention policy, archival index, retrieval test |
| Accurate, synchronised time via NTP to a trusted source across all systems | NTP config, time-drift monitoring, TSA time source |
| Security monitoring / SOC with alerting on anomalous access and failed auth | SIEM use-cases, alert records, SOC runbook |
| Regular independent review of audit logs by security officer | Log-review sign-offs, review cadence records |
D9 — Interoperability and Conformance
| What to verify | Typical evidence |
|---|
| Certificate, CRL and OCSP profiles conform to CCA Interoperability Guidelines | Profile conformance test report, parsed samples |
| Signed documents validate in reference verifiers and third-party CA-agnostic tools | Cross-validation report, verification screenshots/logs |
| Interoperability testing with CCA completed for new/updated systems | CCA interop test certificate/sign-off |
| Long-term validation (LTV) and archival timestamp support for PAdES/CAdES | LTV validation output, DSS/VRI presence check |
| Support for required signature policies and document formats (PDF, XML/DSC, CMS) | Format support matrix, signed sample set |
D10 — Business Continuity, DR and Incident Response
| What to verify | Typical evidence |
|---|
| Documented and tested BCP/DR with defined RTO/RPO for CA and eSign services | BCP/DR plan, DR test report, RTO/RPO metrics |
| CA key compromise recovery plan including revocation, re-key, subscriber notification | Compromise runbook, tabletop exercise records |
| Redundant HSMs and geographically separated DR site with key material replication controls | DR architecture, HSM replication policy, failover test |
| Incident response plan aligned to IT Act reporting and CERT-In directions (six-hour reporting) | IRP document, CERT-In reporting template, past incident records |
| Backup and restore of CA database, certificates and logs tested periodically | Backup schedule, restore test evidence |
D11 — Privacy and Data Protection
| What to verify | Typical evidence |
|---|
| Personal data processing meets DPDP Act 2023: notice, consent, purpose limitation | Privacy notice, consent records, DPDP compliance register |
| Aadhaar data handled per UIDAI regulations; PID blocks encrypted end-to-end | Encryption evidence, UIDAI compliance attestation |
| Data retention and deletion schedule for personal and KYC data | Retention/deletion policy, deletion logs |
| Data breach notification process to Data Protection Board and affected persons | Breach notification procedure, contact register |
| Third-party/ASP data-sharing governed by contract and data-processing terms | DPAs, sub-processor register |
D12 — Time Stamping
| What to verify | Typical evidence |
|---|
| Timestamp tokens conform to RFC 3161 and CCA TSA guidelines | Sample TST parsed, TSA policy OID check |
| TSA time synchronised to a trusted/traceable time source with drift monitoring | Time source documentation, drift logs, calibration record |
| TSA signing key protected in HSM with cryptoperiod and rollover | HSM attestation, TSA key policy |
| Timestamps embedded in signatures support long-term validation | LTV/archival timestamp presence in sample signatures |
Scoping the audit
Scoping determines which domains, systems, and locations fall inside the audit boundary. A precise scope statement prevents both over-auditing (wasted effort) and under-auditing (findings gaps that invalidate the assurance). Scope is driven by the entity's role and the services in production.
- Role determination: is the entity a CA, an ESP, an ASP, an RA, or a TSA? Each role activates a different subset of domains D1-D12.
- Service inventory: which certificate classes and which eSign authentication classes (Aadhaar OTP/bio/offline, PAN/org) are live? Only in-scope services are tested.
- System boundary: CA management systems, HSMs, RA workstations, eSign gateway, eKYC connectors, repository/OCSP, SIEM, and backup/DR sites.
- Location boundary: primary data centre, DR site, offsite key vault, and RA offices performing identity verification.
- Interfaces: eSign API to ASPs, UIDAI/PAN KYC connectors, and the RCAI chaining interface to the CCA.
- Data classification: personal data, Aadhaar/KYC data, private keys, and audit logs — each attracts specific controls.
- Exclusions: any decommissioned service or non-production environment must be explicitly excluded and justified in the scope statement.
Implementation approach (phased)
For an implementer standing up or remediating a CA/ESP capability, the following phased approach sequences the work so that governance and cryptographic foundations precede service go-live and audit.
Phase 1 — Discovery and Gap Assessment
- Activities: confirm role, map current state to D1-D12, review existing CP/CPS, inventory HSMs and systems, run a control-by-control gap analysis against the CCA audit criteria.
- Deliverables: scope statement, gap register with severity, remediation roadmap, licence/role confirmation.
Phase 2 — Policy, Governance and CPS
- Activities: author/update the Certificate Policy and CPS to RFC 3647, define trusted roles and segregation, establish the Policy Management Authority, build the change-management process, and align to DPDP Act.
- Deliverables: approved CP/CPS, role matrix, PMA charter, policy suite, compliance register.
Phase 3 — Cryptographic and Infrastructure Build
- Activities: procure and configure FIPS 140-2 L3 HSMs, design tiered secure facility, run the witnessed key generation ceremony, implement CA/eSign software, and configure repository/CRL/OCSP.
- Deliverables: key ceremony records, HSM attestations, hardened infrastructure, secure facility, certificate profiles.
Phase 4 — eSign and e-Authentication Integration
- Activities: integrate eSign API and eKYC (KUA/AUA) channels, implement ephemeral-key signing, consent capture, PAdES/CMS output, replay protection, and ASP onboarding workflow.
- Deliverables: eSign gateway, API conformance results, consent artefacts, ASP agreements, signed sample set.
Phase 5 — Logging, Monitoring and Continuity
- Activities: deploy tamper-evident logging, SIEM/SOC use-cases, NTP time sync, BCP/DR, incident response aligned to CERT-In, and backup/restore testing.
- Deliverables: immutable log pipeline, SOC runbook, tested DR, IRP, backup evidence.
Phase 6 — Interoperability, Audit and Go-Live
- Activities: complete CCA interoperability testing, engage the CCA-empanelled auditor, remediate findings, and secure go-live / licence approval.
- Deliverables: interop sign-off, audit report, remediation closure evidence, go-live approval.
Maturity and capability scoring model
While the CCA audit is fundamentally a pass/comply assessment against mandatory criteria, a maturity model is useful for tracking readiness and continuous improvement between mandatory audits. The following five-level model helps implementers and auditors gauge control maturity per domain.
| Level | Name | Description | Typical indicator |
|---|
| L0 | Absent | Control not present or not documented | No CPS, no HSM, ad-hoc issuance |
| L1 | Initial | Control exists informally, inconsistent execution | Draft CPS, single-person key control, manual logs |
| L2 | Defined | Control documented and repeatable across the team | Approved CPS, dual control, standard runbooks |
| L3 | Managed | Control measured, evidenced, and reviewed periodically | KPIs tracked, log reviews, tested DR |
| L4 | Optimised | Control automated, continuously monitored, and improved | Automated CRL/OCSP, SIEM correlation, key rollover automation |
For a CCA audit pass, every mandatory control area must reach at least L2 (Defined) with objective evidence; high-risk cryptographic and eSign controls (D4, D6, D7) should reach L3 (Managed) or higher.
Assessment and audit approach
- Engagement and scoping: confirm entity role, agree the scope statement, and identify the applicable domains and control identifiers.
- Document review: obtain and review CP/CPS, policies, licence, key ceremony records, and prior audit reports.
- Control walkthrough: interview trusted-role holders and walk through certificate issuance, revocation, and an eSign transaction end to end.
- Technical testing: parse sample certificates/CRLs/OCSP, validate signed documents, inspect HSM configuration, and test eSign API conformance.
- Sampling: select a statistically defensible sample of issuance, revocation, and eSign transactions for evidence verification.
- Physical inspection: inspect the secure facility, HSM room, access controls, CCTV, and environmental systems.
- Log and audit-trail review: verify immutability, retention, time sync, and completeness of security events.
- Gap and finding classification: rate each finding as critical, major, or minor against the mandatory criteria.
- Remediation and re-test: agree corrective actions, timelines, and re-test closed findings before sign-off.
- Reporting and attestation: issue the audit report to the entity and, where required, to the CCA, with the auditor's attestation.
Evidence request list
The following categorised list is what an auditor will request up front and what an implementer should assemble as an evidence pack.
Legal and governance evidence
- Valid CCA licence, RCAI chaining proof, and cross-certification approvals
- Current CP and CPS with version history and PMA minutes
- Trusted-role matrix and segregation-of-duties documentation
- DPDP Act and IT Act compliance register and legal sign-offs
Cryptographic and infrastructure evidence
- HSM FIPS 140-2 certificates and key generation ceremony records
- M-of-N key custodian records and key destruction certificates
- Algorithm and cryptoperiod policy with rollover plans
- Secure facility site plan, access logs, CCTV and environmental records
Certificate and eSign operations evidence
- Sample certificates, CRLs, OCSP responses and profile conformance reports
- eSign API conformance results and signed sample documents (PAdES/CMS)
- eKYC/authentication logs, consent artefacts, and ASP agreements
- Revocation records with SLA metrics and repository publication logs
Monitoring, continuity and privacy evidence
- Immutable log samples, retention policy, and NTP/time-sync configuration
- SIEM/SOC use-cases, alert records, and log-review sign-offs
- BCP/DR plan, DR test report, and incident response records
- Privacy notices, consent logs, and data deletion/retention evidence
Roles and responsibilities
| Role | Responsibility | Segregation note |
|---|
| CA Administrator | Manages CA software, issuance policy, and certificate profiles | Must not hold RA verification or audit-log review rights |
| Security Officer / CISO | Owns security policy, key ceremony oversight, and log review | Independent of day-to-day issuance operations |
| Registration Authority Officer | Verifies subscriber identity and approves enrolment | Cannot self-approve or issue certificates directly |
| HSM / Key Custodian | Holds M-of-N key shares and participates in ceremonies | Multiple custodians; no single person holds threshold |
| eSign Operations Lead | Runs eSign gateway, ASP onboarding, and eKYC connectors | Separated from certificate revocation authority |
| Internal Auditor | Reviews controls and prepares for the empanelled audit | Independent of operational teams being audited |
| CCA-Empanelled Auditor | Performs the statutory compliance audit and attestation | External and independent of the entity |
| Data Protection Officer | Owns DPDP compliance, consent, and breach notification | Advisory and oversight, not operational key control |
KPIs to track
- Certificate revocation SLA adherence (percentage revoked within the mandated window)
- CRL issuance timeliness and OCSP responder availability (uptime percentage)
- eSign transaction success rate and failed-authentication rate by class
- Mean time to detect and respond to security incidents
- Percentage of eSign transactions with complete consent and audit trail
- Key ceremony and HSM health check completion against schedule
- Number of audit findings by severity and time-to-close remediation
- DR test success rate against defined RTO/RPO
- Log integrity verification pass rate and retention compliance
- Interoperability validation pass rate for issued certificates and signatures
Readiness checklist
- Valid CCA licence and RCAI chaining verified
- CP and CPS published, current, and RFC 3647 conformant
- Trusted roles defined with enforced segregation of duties
- FIPS 140-2 Level 3 HSMs in production with witnessed key ceremony records
- M-of-N key custody and documented key destruction procedures in place
- Certificate profiles conform to CCA interoperability guidelines
- CRL issued on schedule and OCSP responder live and correct
- eSign ephemeral-key signing verified with per-transaction key destruction logs
- eKYC via licensed KUA/AUA with consent capture and no Aadhaar-in-clear storage
- Assurance level asserted matches authentication method performed
- Tamper-evident logging with policy-compliant retention and NTP time sync
- Secure facility zones, access control, CCTV, and environmental controls operational
- BCP/DR tested against RTO/RPO and key-compromise recovery runbook exercised
- Incident response aligned to CERT-In six-hour reporting
- DPDP Act consent, notice, retention, and breach processes implemented
- Interoperability testing with CCA completed and signed off
- Evidence pack assembled and prior audit findings closed
Common gaps
- CPS out of date or not fully aligned to the current India PKI CP and interoperability guidelines.
- Single-person control over HSM activation or key shares, breaching M-of-N and segregation requirements.
- eSign key-destruction events not conclusively logged, leaving doubt over ephemeral-key handling.
- Aadhaar or KYC data stored in clear or retained beyond the permitted period.
- Assurance level asserted in the signature not matching the actual authentication method used.
- CRL issuance delays or OCSP responder outages breaching availability expectations.
- Certificate profile deviations (missing extensions or wrong OIDs) failing interoperability validation.
- Audit logs not tamper-evident, or retention below the mandated period.
- Time synchronisation drift undermining timestamp and audit-trail reliability.
- BCP/DR untested, or key-compromise recovery plan absent or unexercised.
- Consent artefacts for eKYC and eSign incomplete or not linked to the transaction.
- Incident response not aligned to CERT-In reporting timelines and DPDP breach notification.
CCA / eSign mapped to other frameworks
CA/ESP operators frequently need to demonstrate compliance across multiple regimes. The table maps CCA / eSign control areas to related frameworks so that evidence can be reused.
| CCA / eSign domain | ISO/IEC 27001 | WebTrust for CA / ETSI | NIST 800-63 / SP 800-57 |
|---|
| Governance, CP/CPS (D2) | A.5 Organisational controls | WebTrust Principle: Business Practices; ETSI EN 319 401 | 800-63A identity governance |
| Cryptographic & key mgmt (D4) | A.8 Cryptography controls | WebTrust Key Lifecycle; ETSI EN 319 411 | SP 800-57 key management |
| Certificate lifecycle (D5) | A.8 Technological controls | WebTrust CA Environmental/CP; ETSI EN 319 411-1 | 800-63 credential lifecycle |
| eSign & e-authentication (D6/D7) | A.8 Authentication controls | ETSI EN 319 421/422 (signing/TSA) | 800-63 IAL/AAL/FAL assurance |
| Physical security (D3) | A.7 Physical controls | WebTrust Physical Security | SP 800-53 PE family |
| Logging & monitoring (D8) | A.8 Logging & monitoring | WebTrust Monitoring; ETSI audit logs | SP 800-92 log management |
| Continuity & incident (D10) | A.5.29 / A.5.30 continuity | WebTrust Disaster Recovery | SP 800-34 contingency planning |
| Privacy & data protection (D11) | A.5.34 privacy; ISO 27701 | ETSI privacy requirements | NIST Privacy Framework |
How CyberSigma helps
CyberSigma is a CERT-In empanelled auditor with deep PKI, eSign, and eKYC assurance experience. We take CA operators, eSign Service Providers, and ASP integrators from gap assessment to CCA audit readiness and beyond: mapping your current state to all twelve control domains, authoring or refreshing your CP/CPS to the India PKI CP and RFC 3647, running witnessed HSM key ceremonies, validating certificate and signature profiles against the CCA interoperability guidelines, hardening your eSign ephemeral-key and eKYC consent flows for DPDP alignment, and preparing a complete evidence pack for the empanelled audit. Whether you are launching a new certification service or remediating findings before your annual audit, CyberSigma delivers auditor-grade rigour with an implementer's pragmatism. Contact us to scope your CCA / eSign / Digital Signature audit engagement.