Knowledge Center / CCA / eSign
CCA (MeitY) · India

CCA / eSign / Digital Signature Audit

Audit of Certifying Authorities, eSign and digital-signature ecosystems.

Introduction: The CCA / eSign / Digital Signature Audit

The Controller of Certifying Authorities (CCA) operates under the Ministry of Electronics and Information Technology (MeitY), Government of India, as the apex regulatory body for the Public Key Infrastructure (PKI) ecosystem established under the Information Technology Act, 2000. The CCA licenses and supervises Certifying Authorities (CAs), maintains the Root Certifying Authority of India (RCAI), and governs the entire trust chain that underpins legally recognised Digital Signature Certificates (DSCs) and the online eSign electronic signature service. Any organisation that issues, relies upon, or provides technology for digital signatures in India operates within a framework of statutory obligations, technical standards, and periodic compliance audits mandated by the CCA.

A CCA / eSign / Digital Signature Audit is a formal, evidence-based assessment that verifies whether a Certifying Authority, an eSign Service Provider (ESP), an Application Service Provider (ASP), or a subscriber-facing signing application conforms to the Information Technology Act 2000 (as amended by the IT Amendment Act 2008), the IT (Certifying Authorities) Rules 2000, the CCA's Interoperability Guidelines, the India PKI Certificate Policy (India PKI CP), the e-authentication guidelines for eSign, and the CCA's audit criteria checklist. The audit is not a one-time exercise: licensed CAs must undergo an annual compliance audit by a CCA-empanelled auditor, and eSign Service Providers must be independently audited before onboarding and periodically thereafter.

This guide is written for two audiences at once. For the auditor or assessor, it enumerates every control area, the specific evidence to demand, and the certification and testing lifecycle of the scheme. For the implementer or product team building a CA, an ESP/ASP integration, a signing workflow, or an eKYC-based eSign journey, it translates the regulatory requirements into concrete engineering, documentation, and operational deliverables. Throughout, we use the terminology, hierarchy, and requirement identifiers that appear in the CCA's own scheme documents so that findings can be mapped back to the source obligations.

Copyright and source note
This guide is original CyberSigma commentary. The Information Technology Act 2000, the IT (Certifying Authorities) Rules 2000, the India PKI Certificate Policy, the CCA Interoperability Guidelines, the e-authentication / eSign API specifications, and the CCA audit criteria are Government of India / MeitY publications. We paraphrase and interpret these instruments; we do not reproduce their copyrighted text. Always validate against the current versions published by the CCA (cca.gov.in) and MeitY, and against any circular or office memorandum in force at the time of audit.

What is the CCA / eSign / Digital Signature ecosystem

The Indian digital signature ecosystem is a hierarchical trust model rooted in statute. Section 3 of the IT Act gives legal recognition to digital signatures created using asymmetric cryptography and a hash function (a 'digital signature'), while Section 3A recognises 'electronic signatures' including the eSign online electronic signature service that is notified in the Second Schedule of the Act. The CCA sits at the top of the trust chain and performs both a regulatory and an operational role.

Core actors in the ecosystem

  • Controller of Certifying Authorities (CCA): licenses CAs, operates the Root Certifying Authority of India (RCAI), publishes the India PKI CP and interoperability guidelines, empanels auditors, and runs the National Repository of Digital Certificates (NRDC).
  • Root Certifying Authority of India (RCAI): the trust anchor whose self-signed root certificate signs the certificates of every licensed CA; the root private key is held in the CCA's secure facility.
  • Certifying Authority (CA): a licensed entity (e.g. eMudhra, (n)Code Solutions, Capricorn, Sify, Vsign, IDSign, ProDigiSign, XtraTrust, National Informatics Centre CA) that issues Digital Signature Certificates to subscribers after identity verification.
  • eSign Service Provider (ESP): a licensed CA (or an entity operating under a CA) that offers the online eSign service, generating a signature on the fly using a key pair created and destroyed within a single transaction after Aadhaar or PAN/organisational e-authentication.
  • Application Service Provider (ASP): an organisation that integrates the eSign API into its own application to obtain signatures from its users (e.g. a bank, insurer, or fintech).
  • Registration Authority (RA): a delegate of a CA that performs identity verification and enrolment of subscribers.
  • Subscriber / signer: the individual or organisation whose identity is bound to the certificate and whose private key creates the signature.
  • Relying party: any party that verifies and depends upon a digital signature or eSign.

Digital Signature Certificate vs eSign

A traditional Digital Signature Certificate (DSC) binds a long-lived key pair to a subscriber; the private key is held by the subscriber on secure hardware (a FIPS 140-2 Level 2/3 crypto token or HSM) and is used repeatedly. The eSign online service, by contrast, creates a short-lived (ephemeral) key pair inside the ESP's HSM at the moment of signing, authenticates the signer through Aadhaar eKYC (OTP, biometric, or offline XML) or through PAN/organisational KYC, applies the signature to the document hash, and then destroys the private key. eSign therefore removes the need for the signer to possess a crypto token, at the cost of a stronger real-time authentication and audit requirement on the ESP.

Who must comply

The obligation to be audited under the CCA scheme applies to every layer of the trust chain, but the depth of the audit varies by role. The table below summarises the applicability.

Entity typeNature of obligationAudit trigger and frequency
Certifying Authority (CA)Full licence conditions under IT Act s.21-34, CA Rules, India PKI CP/CPSPre-licence audit; annual compliance audit by CCA-empanelled auditor; ad-hoc audit on incident or complaint
eSign Service Provider (ESP)e-authentication guidelines, eSign API spec, ESP CPSOnboarding audit before go-live; annual audit; audit on major change to system
Application Service Provider (ASP)Contractual and API-integration obligations; consent, logging, DPDPDue diligence by ESP; ESP-driven periodic review; DPDP Act compliance
Registration Authority (RA)Identity verification and enrolment controls delegated by CACovered within the CA's audit scope and the CA's oversight of RAs
Time Stamping Authority (TSA)CCA TSA guidelines, RFC 3161, secure time sourceAudit as part of, or aligned to, CA audit criteria
Government / enterprise relying partiesSignature verification, revocation checking, archivalInternal assurance; sectoral regulator audits (RBI, IRDAI, SEBI) where applicable
Trust Service / e-Sign integrators and product vendorsConformance to interoperability and eSign API specificationsInteroperability testing with CCA; ESP acceptance testing

Structure of the CCA / eSign audit scheme

The audit scheme is organised into control domains that mirror the lifecycle of a certification service: legal and licensing, governance and policy, physical and environmental, cryptographic and key management, certificate lifecycle, the eSign online service, identity and e-authentication, logging and audit trails, interoperability, business continuity, and privacy/data protection. The table below maps the domains to their principal source instruments and representative control identifiers used in the CCA audit criteria and India PKI CP.

DomainScopePrimary source instrument
D1 Legal & LicensingLicence validity, cross-certification, RCAI chaining, statutory noticesIT Act 2000 s.21-26; CA Rules 2000
D2 Governance, Policy & CPSCertificate Policy, Certification Practice Statement, roles, change controlIndia PKI CP; RFC 3647 CPS framework
D3 Physical & Environmental SecuritySecure facility, tiered zones, access control, power, fireCA Rules Schedule; India PKI CP s.5
D4 Cryptographic & Key ManagementHSM/FIPS levels, key generation, ceremony, escrow prohibition, algorithmsIndia PKI CP s.6; Interoperability Guidelines
D5 Certificate LifecycleEnrolment, issuance, renewal, revocation, CRL/OCSP, repositoryIndia PKI CP s.3-4; CA Rules
D6 eSign Online ServiceEphemeral key, on-the-fly signing, ESP CPS, transaction integritye-authentication guidelines; eSign API v2.x/3.x
D7 Identity & e-AuthenticationAadhaar eKYC (OTP/bio/offline), PAN/org KYC, IAL/AAL mappingUIDAI eKYC; eSign e-auth classes
D8 Logging, Audit Trail & MonitoringImmutable logs, retention, time sync, SOC monitoringIndia PKI CP s.5.4-5.5
D9 Interoperability & ConformanceCertificate profile, IGDG guidelines, CRL/OCSP profilesCCA Interoperability Guidelines
D10 Business Continuity & IncidentBCP/DR, compromise recovery, key ceremony recovery, incident responseIndia PKI CP s.5.7
D11 Privacy & Data ProtectionPersonal data handling, DPDP Act 2023, Aadhaar data protectionDPDP Act 2023; UIDAI regulations
D12 Time StampingTrusted timestamp, RFC 3161, secure time sourceCCA TSA guidelines

Master assessment checklist

This is the operative heart of the audit. Below, each control domain is expanded with a table of what the auditor must verify and the typical evidence that satisfies each requirement. Implementers should treat the right-hand column as their deliverable list. No control area is omitted.

D1 — Legal, Licensing and Trust-Chain Controls

What to verifyTypical evidence
CA holds a valid, unexpired licence granted by the CCA under IT Act s.21Licence certificate, licence number, validity dates, CCA grant letter
CA certificate is chained to and signed by RCAI; correct path validationCertificate chain export, RCAI signature verification, path build test
Cross-certification and sub-CA relationships are authorised and documentedCross-cert agreements, CCA approvals, sub-CA certificate policies
Statutory notices, disclosures and subscriber agreements meet CA RulesSubscriber agreement templates, relying-party agreement, disclosure record
Suspension/revocation of licence conditions and surrender procedures definedWind-down plan, key destruction plan, subscriber notification procedure

D2 — Governance, Certificate Policy and CPS

What to verifyTypical evidence
Published Certification Practice Statement conforms to RFC 3647 structure and India PKI CPCurrent CPS document, version history, CCA acknowledgement
CP/CPS covers all certificate classes issued (individual, organisational, document signer, device, SSL where applicable)Certificate class matrix mapped to CP OIDs
Policy Management Authority / governance body defined with meeting cadencePMA charter, minutes, approval records
Segregation of trusted roles (CA admin, RA officer, auditor, operator, security officer)Role definition document, dual-control matrix, no-toxic-combination evidence
Change management, version control and CCA notification for material changesChange log, CAB minutes, CCA change notifications
Documented compliance obligations for the DPDP Act 2023 and IT Act referencedCompliance register, legal sign-off

D3 — Physical and Environmental Security

What to verifyTypical evidence
Tiered secure zones (public, operations, high-security/HSM room) with escalating controlsSite plan, zone map, security architecture document
Multi-factor and dual-person access control to the high-security zoneAccess control logs, biometric enrolment, two-person integrity records
24x7 CCTV coverage with retention meeting policy, and intrusion detectionCCTV footage retention config, IDS logs, alarm test records
Environmental controls: redundant power/UPS, HVAC, fire suppression, water sensorsMaintenance logs, UPS test, fire drill records, sensor calibration
Media handling, secure storage of backup keys, and offsite vaultingMedia inventory, safe/vault logs, offsite transport records
Visitor management and escort policy for the secure facilityVisitor register, escort logs, badge issuance records

D4 — Cryptographic and Key Management Controls

What to verifyTypical evidence
CA and RCAI signing keys generated and stored in FIPS 140-2 Level 3 (or higher) HSMsHSM model/FIPS certificate, key generation attestation
Formal, scripted, witnessed key generation ceremony with independent auditor presentKey ceremony script, signed attestation, video record, IV notes
Approved algorithms and key sizes (RSA 2048/3072, ECC P-256/P-384, SHA-256 hashing)Certificate parameters, algorithm policy, deprecation plan for SHA-1
Private key never exported in clear; no key escrow of signing keysHSM export policy, ceremony logs, CPS statement of no-escrow
Key backup under M-of-N control (split knowledge, dual control)Key share custodian records, M-of-N scheme, secret-share ceremony log
Key activation, deactivation, destruction and end-of-life proceduresActivation data policy, destruction certificates, HSM zeroisation logs
Subscriber key protection: DSC keys on FIPS 140-2 L2/L3 tokens; eSign keys ephemeral in HSMToken FIPS certificates, eSign HSM ephemeral-key attestation
Cryptoperiod defined for CA keys and enforced with rollover planningCryptoperiod schedule, key rollover runbook

D5 — Certificate Lifecycle Management

What to verifyTypical evidence
Subscriber enrolment includes verified identity per India PKI CP identity classesEnrolment records, verified ID documents, RA verification logs
Certificate request, validation and issuance workflow with dual controlIssuance workflow, approval logs, four-eyes evidence
Certificate profile conforms to CCA interoperability certificate profile (fields, extensions, OIDs)Sample certificates parsed, profile conformance report
Renewal, re-key and modification procedures with re-verification of identityRenewal records, re-key policy, re-verification evidence
Revocation on compromise/request within defined SLA; CRL issued at required intervalRevocation requests, CRL issuance timestamps, SLA metrics
OCSP responder available, signed, and returns correct statusOCSP endpoint test, responder certificate, status query logs
Public repository (directory / NRDC feed) publishes certificates and CRLsRepository availability logs, publication records
Certificate serial numbers unique and unpredictable; no re-useSerial-number generation logic review, uniqueness test

D6 — eSign Online Electronic Signature Service

What to verifyTypical evidence
ESP CPS approved and eSign service operated per e-authentication guidelinesESP CPS, CCA approval, service description
Ephemeral key pair generated inside HSM per transaction and destroyed after signingHSM logs of key create/destroy events, transaction correlation IDs
Only the document hash is transmitted to the ESP; document content never leaves ASP unnecessarilyAPI request/response captures, data-flow diagram, hash-only proof
eSign API version (v2.1 / v3.x as applicable) implemented correctly incl. XML signatureAPI conformance test results, sample signed responses
Signature applied is a valid PKCS#7/CMS or PAdES structure with correct signer certificateSigned PDF/CMS parsed, PAdES/LTV validation report
Transaction response includes signer KYC binding and audit referenceeSign response XML, KYC hash, transaction ID mapping
ASP onboarding, contract, and per-transaction consent captured and loggedASP agreements, consent artefacts, consent audit trail
Rate limiting, replay protection and message integrity on the eSign APIWAF/API gateway config, nonce/timestamp validation, TLS config

D7 — Identity and e-Authentication (Assurance Levels)

The eSign scheme defines e-authentication classes analogous to identity and authentication assurance levels. Aadhaar-OTP, Aadhaar-biometric, Aadhaar-offline-XML, and PAN/organisational KYC each carry a different assurance weight. Auditors must confirm that the assurance level asserted in the certificate/response matches the actual authentication performed.

What to verifyTypical evidence
Authentication method (OTP / fingerprint / iris / offline XML / PAN-org KYC) recorded per transactionAuthentication logs, UIDAI auth response codes, method flag in eSign response
Aadhaar eKYC performed via licensed KUA/AUA channel with valid licence keyUIDAI KUA/AUA licence, eKYC response, encrypted PID block handling
Biometric class used for higher-assurance signing where mandated; OTP for lower-assuranceClass-to-use-case mapping, sectoral requirement mapping
Consent and purpose captured before eKYC per UIDAI and DPDP requirementsConsent screen artefacts, consent logs, purpose declaration
Aadhaar number not stored in clear; only reference/token (VID/reference key) retainedData-at-rest review, tokenisation evidence, no-Aadhaar-storage attestation
Assurance level asserted in signature matches authentication actually performedCross-check of response class vs auth method logs

D8 — Logging, Audit Trail and Monitoring

What to verifyTypical evidence
All security-significant events logged: key ops, issuance, revocation, access, eSign transactionsLog schema, sample logs, event catalogue
Logs are tamper-evident/immutable (WORM, hashing, or signed log chains)Log integrity mechanism, hash-chain verification, WORM config
Log retention meets India PKI CP / CA Rules retention period (typically 7 years / life of cert +)Retention policy, archival index, retrieval test
Accurate, synchronised time via NTP to a trusted source across all systemsNTP config, time-drift monitoring, TSA time source
Security monitoring / SOC with alerting on anomalous access and failed authSIEM use-cases, alert records, SOC runbook
Regular independent review of audit logs by security officerLog-review sign-offs, review cadence records

D9 — Interoperability and Conformance

What to verifyTypical evidence
Certificate, CRL and OCSP profiles conform to CCA Interoperability GuidelinesProfile conformance test report, parsed samples
Signed documents validate in reference verifiers and third-party CA-agnostic toolsCross-validation report, verification screenshots/logs
Interoperability testing with CCA completed for new/updated systemsCCA interop test certificate/sign-off
Long-term validation (LTV) and archival timestamp support for PAdES/CAdESLTV validation output, DSS/VRI presence check
Support for required signature policies and document formats (PDF, XML/DSC, CMS)Format support matrix, signed sample set

D10 — Business Continuity, DR and Incident Response

What to verifyTypical evidence
Documented and tested BCP/DR with defined RTO/RPO for CA and eSign servicesBCP/DR plan, DR test report, RTO/RPO metrics
CA key compromise recovery plan including revocation, re-key, subscriber notificationCompromise runbook, tabletop exercise records
Redundant HSMs and geographically separated DR site with key material replication controlsDR architecture, HSM replication policy, failover test
Incident response plan aligned to IT Act reporting and CERT-In directions (six-hour reporting)IRP document, CERT-In reporting template, past incident records
Backup and restore of CA database, certificates and logs tested periodicallyBackup schedule, restore test evidence

D11 — Privacy and Data Protection

What to verifyTypical evidence
Personal data processing meets DPDP Act 2023: notice, consent, purpose limitationPrivacy notice, consent records, DPDP compliance register
Aadhaar data handled per UIDAI regulations; PID blocks encrypted end-to-endEncryption evidence, UIDAI compliance attestation
Data retention and deletion schedule for personal and KYC dataRetention/deletion policy, deletion logs
Data breach notification process to Data Protection Board and affected personsBreach notification procedure, contact register
Third-party/ASP data-sharing governed by contract and data-processing termsDPAs, sub-processor register

D12 — Time Stamping

What to verifyTypical evidence
Timestamp tokens conform to RFC 3161 and CCA TSA guidelinesSample TST parsed, TSA policy OID check
TSA time synchronised to a trusted/traceable time source with drift monitoringTime source documentation, drift logs, calibration record
TSA signing key protected in HSM with cryptoperiod and rolloverHSM attestation, TSA key policy
Timestamps embedded in signatures support long-term validationLTV/archival timestamp presence in sample signatures

Scoping the audit

Scoping determines which domains, systems, and locations fall inside the audit boundary. A precise scope statement prevents both over-auditing (wasted effort) and under-auditing (findings gaps that invalidate the assurance). Scope is driven by the entity's role and the services in production.

  • Role determination: is the entity a CA, an ESP, an ASP, an RA, or a TSA? Each role activates a different subset of domains D1-D12.
  • Service inventory: which certificate classes and which eSign authentication classes (Aadhaar OTP/bio/offline, PAN/org) are live? Only in-scope services are tested.
  • System boundary: CA management systems, HSMs, RA workstations, eSign gateway, eKYC connectors, repository/OCSP, SIEM, and backup/DR sites.
  • Location boundary: primary data centre, DR site, offsite key vault, and RA offices performing identity verification.
  • Interfaces: eSign API to ASPs, UIDAI/PAN KYC connectors, and the RCAI chaining interface to the CCA.
  • Data classification: personal data, Aadhaar/KYC data, private keys, and audit logs — each attracts specific controls.
  • Exclusions: any decommissioned service or non-production environment must be explicitly excluded and justified in the scope statement.

Implementation approach (phased)

For an implementer standing up or remediating a CA/ESP capability, the following phased approach sequences the work so that governance and cryptographic foundations precede service go-live and audit.

Phase 1 — Discovery and Gap Assessment

  • Activities: confirm role, map current state to D1-D12, review existing CP/CPS, inventory HSMs and systems, run a control-by-control gap analysis against the CCA audit criteria.
  • Deliverables: scope statement, gap register with severity, remediation roadmap, licence/role confirmation.

Phase 2 — Policy, Governance and CPS

  • Activities: author/update the Certificate Policy and CPS to RFC 3647, define trusted roles and segregation, establish the Policy Management Authority, build the change-management process, and align to DPDP Act.
  • Deliverables: approved CP/CPS, role matrix, PMA charter, policy suite, compliance register.

Phase 3 — Cryptographic and Infrastructure Build

  • Activities: procure and configure FIPS 140-2 L3 HSMs, design tiered secure facility, run the witnessed key generation ceremony, implement CA/eSign software, and configure repository/CRL/OCSP.
  • Deliverables: key ceremony records, HSM attestations, hardened infrastructure, secure facility, certificate profiles.

Phase 4 — eSign and e-Authentication Integration

  • Activities: integrate eSign API and eKYC (KUA/AUA) channels, implement ephemeral-key signing, consent capture, PAdES/CMS output, replay protection, and ASP onboarding workflow.
  • Deliverables: eSign gateway, API conformance results, consent artefacts, ASP agreements, signed sample set.

Phase 5 — Logging, Monitoring and Continuity

  • Activities: deploy tamper-evident logging, SIEM/SOC use-cases, NTP time sync, BCP/DR, incident response aligned to CERT-In, and backup/restore testing.
  • Deliverables: immutable log pipeline, SOC runbook, tested DR, IRP, backup evidence.

Phase 6 — Interoperability, Audit and Go-Live

  • Activities: complete CCA interoperability testing, engage the CCA-empanelled auditor, remediate findings, and secure go-live / licence approval.
  • Deliverables: interop sign-off, audit report, remediation closure evidence, go-live approval.

Maturity and capability scoring model

While the CCA audit is fundamentally a pass/comply assessment against mandatory criteria, a maturity model is useful for tracking readiness and continuous improvement between mandatory audits. The following five-level model helps implementers and auditors gauge control maturity per domain.

LevelNameDescriptionTypical indicator
L0AbsentControl not present or not documentedNo CPS, no HSM, ad-hoc issuance
L1InitialControl exists informally, inconsistent executionDraft CPS, single-person key control, manual logs
L2DefinedControl documented and repeatable across the teamApproved CPS, dual control, standard runbooks
L3ManagedControl measured, evidenced, and reviewed periodicallyKPIs tracked, log reviews, tested DR
L4OptimisedControl automated, continuously monitored, and improvedAutomated CRL/OCSP, SIEM correlation, key rollover automation

For a CCA audit pass, every mandatory control area must reach at least L2 (Defined) with objective evidence; high-risk cryptographic and eSign controls (D4, D6, D7) should reach L3 (Managed) or higher.

Assessment and audit approach

  1. Engagement and scoping: confirm entity role, agree the scope statement, and identify the applicable domains and control identifiers.
  2. Document review: obtain and review CP/CPS, policies, licence, key ceremony records, and prior audit reports.
  3. Control walkthrough: interview trusted-role holders and walk through certificate issuance, revocation, and an eSign transaction end to end.
  4. Technical testing: parse sample certificates/CRLs/OCSP, validate signed documents, inspect HSM configuration, and test eSign API conformance.
  5. Sampling: select a statistically defensible sample of issuance, revocation, and eSign transactions for evidence verification.
  6. Physical inspection: inspect the secure facility, HSM room, access controls, CCTV, and environmental systems.
  7. Log and audit-trail review: verify immutability, retention, time sync, and completeness of security events.
  8. Gap and finding classification: rate each finding as critical, major, or minor against the mandatory criteria.
  9. Remediation and re-test: agree corrective actions, timelines, and re-test closed findings before sign-off.
  10. Reporting and attestation: issue the audit report to the entity and, where required, to the CCA, with the auditor's attestation.

Evidence request list

The following categorised list is what an auditor will request up front and what an implementer should assemble as an evidence pack.

Legal and governance evidence

  • Valid CCA licence, RCAI chaining proof, and cross-certification approvals
  • Current CP and CPS with version history and PMA minutes
  • Trusted-role matrix and segregation-of-duties documentation
  • DPDP Act and IT Act compliance register and legal sign-offs

Cryptographic and infrastructure evidence

  • HSM FIPS 140-2 certificates and key generation ceremony records
  • M-of-N key custodian records and key destruction certificates
  • Algorithm and cryptoperiod policy with rollover plans
  • Secure facility site plan, access logs, CCTV and environmental records

Certificate and eSign operations evidence

  • Sample certificates, CRLs, OCSP responses and profile conformance reports
  • eSign API conformance results and signed sample documents (PAdES/CMS)
  • eKYC/authentication logs, consent artefacts, and ASP agreements
  • Revocation records with SLA metrics and repository publication logs

Monitoring, continuity and privacy evidence

  • Immutable log samples, retention policy, and NTP/time-sync configuration
  • SIEM/SOC use-cases, alert records, and log-review sign-offs
  • BCP/DR plan, DR test report, and incident response records
  • Privacy notices, consent logs, and data deletion/retention evidence

Roles and responsibilities

RoleResponsibilitySegregation note
CA AdministratorManages CA software, issuance policy, and certificate profilesMust not hold RA verification or audit-log review rights
Security Officer / CISOOwns security policy, key ceremony oversight, and log reviewIndependent of day-to-day issuance operations
Registration Authority OfficerVerifies subscriber identity and approves enrolmentCannot self-approve or issue certificates directly
HSM / Key CustodianHolds M-of-N key shares and participates in ceremoniesMultiple custodians; no single person holds threshold
eSign Operations LeadRuns eSign gateway, ASP onboarding, and eKYC connectorsSeparated from certificate revocation authority
Internal AuditorReviews controls and prepares for the empanelled auditIndependent of operational teams being audited
CCA-Empanelled AuditorPerforms the statutory compliance audit and attestationExternal and independent of the entity
Data Protection OfficerOwns DPDP compliance, consent, and breach notificationAdvisory and oversight, not operational key control

KPIs to track

  • Certificate revocation SLA adherence (percentage revoked within the mandated window)
  • CRL issuance timeliness and OCSP responder availability (uptime percentage)
  • eSign transaction success rate and failed-authentication rate by class
  • Mean time to detect and respond to security incidents
  • Percentage of eSign transactions with complete consent and audit trail
  • Key ceremony and HSM health check completion against schedule
  • Number of audit findings by severity and time-to-close remediation
  • DR test success rate against defined RTO/RPO
  • Log integrity verification pass rate and retention compliance
  • Interoperability validation pass rate for issued certificates and signatures

Readiness checklist

  • Valid CCA licence and RCAI chaining verified
  • CP and CPS published, current, and RFC 3647 conformant
  • Trusted roles defined with enforced segregation of duties
  • FIPS 140-2 Level 3 HSMs in production with witnessed key ceremony records
  • M-of-N key custody and documented key destruction procedures in place
  • Certificate profiles conform to CCA interoperability guidelines
  • CRL issued on schedule and OCSP responder live and correct
  • eSign ephemeral-key signing verified with per-transaction key destruction logs
  • eKYC via licensed KUA/AUA with consent capture and no Aadhaar-in-clear storage
  • Assurance level asserted matches authentication method performed
  • Tamper-evident logging with policy-compliant retention and NTP time sync
  • Secure facility zones, access control, CCTV, and environmental controls operational
  • BCP/DR tested against RTO/RPO and key-compromise recovery runbook exercised
  • Incident response aligned to CERT-In six-hour reporting
  • DPDP Act consent, notice, retention, and breach processes implemented
  • Interoperability testing with CCA completed and signed off
  • Evidence pack assembled and prior audit findings closed

Common gaps

  • CPS out of date or not fully aligned to the current India PKI CP and interoperability guidelines.
  • Single-person control over HSM activation or key shares, breaching M-of-N and segregation requirements.
  • eSign key-destruction events not conclusively logged, leaving doubt over ephemeral-key handling.
  • Aadhaar or KYC data stored in clear or retained beyond the permitted period.
  • Assurance level asserted in the signature not matching the actual authentication method used.
  • CRL issuance delays or OCSP responder outages breaching availability expectations.
  • Certificate profile deviations (missing extensions or wrong OIDs) failing interoperability validation.
  • Audit logs not tamper-evident, or retention below the mandated period.
  • Time synchronisation drift undermining timestamp and audit-trail reliability.
  • BCP/DR untested, or key-compromise recovery plan absent or unexercised.
  • Consent artefacts for eKYC and eSign incomplete or not linked to the transaction.
  • Incident response not aligned to CERT-In reporting timelines and DPDP breach notification.

CCA / eSign mapped to other frameworks

CA/ESP operators frequently need to demonstrate compliance across multiple regimes. The table maps CCA / eSign control areas to related frameworks so that evidence can be reused.

CCA / eSign domainISO/IEC 27001WebTrust for CA / ETSINIST 800-63 / SP 800-57
Governance, CP/CPS (D2)A.5 Organisational controlsWebTrust Principle: Business Practices; ETSI EN 319 401800-63A identity governance
Cryptographic & key mgmt (D4)A.8 Cryptography controlsWebTrust Key Lifecycle; ETSI EN 319 411SP 800-57 key management
Certificate lifecycle (D5)A.8 Technological controlsWebTrust CA Environmental/CP; ETSI EN 319 411-1800-63 credential lifecycle
eSign & e-authentication (D6/D7)A.8 Authentication controlsETSI EN 319 421/422 (signing/TSA)800-63 IAL/AAL/FAL assurance
Physical security (D3)A.7 Physical controlsWebTrust Physical SecuritySP 800-53 PE family
Logging & monitoring (D8)A.8 Logging & monitoringWebTrust Monitoring; ETSI audit logsSP 800-92 log management
Continuity & incident (D10)A.5.29 / A.5.30 continuityWebTrust Disaster RecoverySP 800-34 contingency planning
Privacy & data protection (D11)A.5.34 privacy; ISO 27701ETSI privacy requirementsNIST Privacy Framework
How CyberSigma helps
CyberSigma is a CERT-In empanelled auditor with deep PKI, eSign, and eKYC assurance experience. We take CA operators, eSign Service Providers, and ASP integrators from gap assessment to CCA audit readiness and beyond: mapping your current state to all twelve control domains, authoring or refreshing your CP/CPS to the India PKI CP and RFC 3647, running witnessed HSM key ceremonies, validating certificate and signature profiles against the CCA interoperability guidelines, hardening your eSign ephemeral-key and eKYC consent flows for DPDP alignment, and preparing a complete evidence pack for the empanelled audit. Whether you are launching a new certification service or remediating findings before your annual audit, CyberSigma delivers auditor-grade rigour with an implementer's pragmatism. Contact us to scope your CCA / eSign / Digital Signature audit engagement.

Frequently asked questions

Who regulates digital signatures in India?
The Controller of Certifying Authorities (CCA) under MeitY licenses and audits Certifying Authorities and the eSign ecosystem under the IT Act.
Official documents

Need help with CCA / eSign?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.