SSL Certificates

Do all CAs issue SSL certificates?

For the issuance of SSL certificates, a CA is mandated to have a separate offline CA system dedicated to that purpose. Only CAs that have such a setup will be allowed to issue SSL certificates. The list of CAs issuing SSL certificates can be seen at http://cca.gov.in/CAServicesOverview.html.

What are the auditing requirements for CAs issuing SSL certificates?

A CA should have independent offline CA systems for the issuance of SSL certificates. Apart from the auditing requirements under the Information Technology Act, additional auditing requirements are specified in line with the CA/Browser Forum auditing requirements. These are audited by the auditors empanelled by CCA.

What are the key escrow arrangements for a subscriber's encryption keys?

The encryption key should be kept by the subscriber. The subscriber should also make arrangements for securely keeping a backup copy of the encryption key.

Can the encryption certificate and keys be retained by the organisation when the subscriber leaves the organisation?

The encryption certificate should be revoked. However, the organisation should retain the encryption keys and associated certificate in order to decrypt the information that was encrypted while the encryption certificate was valid.