emCA Certificate Manager
The Streamlined and Secure PKI Solution
Current Version: emCA V4.3.1
Release Date: 30/05/2025
Introduction
emCA is an integrated certificate management solution with a web interface that automates requesting, approving, issuing, and renewing certificates. By reducing manual tasks, it helps organizations enforce consistent certificate policies and decreases the administrative effort required for lifecycle management.
Summary
Public Key Infrastructure (PKI) is a framework for secure digital communication and data exchange. An essential component of this ecosystem is the issuance of digital certificates, which validate the identity of entities involved in online transactions. emCA (eMudhra Certificate Authority) is an enterprise-grade PKI solution that manages certificate issuance, distribution, renewal, and revocation from a single central system.
emCA issues certificates containing public keys and identity information. Relying parties use these certificates to verify identities in online transactions. It uses cryptographic algorithms to protect data integrity and confidentiality.
emCA records certificate operations and maintains compliance with industry standards and regulations. It supports audit requirements and external reviews. It can be deployed in finance, healthcare, and government sectors.
emCA includes a web interface and automation features for certificate workflows. It provides tools for monitoring certificate status and performing lifecycle operations.
Technical Highlights
Designed for Scalability
emCA connects to existing IT environments via standard protocols and supports both on-premises and cloud deployments.
Management Tools
emCA management tools enable administrators to monitor certificate status and carry out lifecycle operations, such as issuance, renewal, revocation and expiration. Audit logs and reporting functions record each action for compliance and review.
CA Supporting Modules
emCA includes modules for Online Certificate Status Protocol (OCSP), timestamping, and Registration Authority (RA) operations. Each module integrates with the core certificate-issuance engine under a unified platform.
PKI Framework Integration
emCA integrates with public key infrastructures via standard protocols and includes:
EAL 4+ Common Criteria Certification
emCA has been evaluated at Evaluation Assurance Level 4+ under the Common Criteria standard (ISO/IEC 15408), confirming conformity to defined assurance requirements.
Post-Quantum Cryptography Support
emCA can issue certificates using NIST-approved post-quantum algorithms (for example, Dilithium, Falcon, SPHINCS+), enabling deployment of quantum-resistant key pairs.
RA Integration, Migration & Compliance
emCA simplifies RA integration and the migration of existing certificate infrastructures, and maintains compliance with WebTrust standards.
RA Integration
Integrates with Registration Authority systems via REST APIs and LDAP to automate certificate request submission and approval.
Migration Tools
Supports migration of existing certificate inventories, CA hierarchies, and policy configurations using import utilities and guided wizards with minimal service interruption.
Compliance
Aligns with WebTrust and CA/B Forum compliance for Certification Authorities by generating audit logs and operational controls for external audits and regulatory reviews.
IoT and Remote Signing Support
IoT Certificate Issuance
Issues certificates for Internet of Things devices via standard enrolment protocols (for example, SCEP and EST), enabling secure device authentication and communications.
ETSI-Compliant Remote Signing
Supports ETSI-compliant remote signing for both short-lived and long-lived key pairs, in line with digital-signature workflows and mobile-authentication requirements.
Key Features
Hierarchy and Policy Management
Manages root, subordinate, and issuing CAs in one system, each with independent policy sets.
Defines certificate/CRL formats, validity rules, revocation methods (OCSP, CRL, delta-CRL), distribution points, and key usages per profile.
Certificate Types
Device certificates for machines and IoT devices.
SSL/TLS certificates for web-server encryption.
Code-signing certificates for software integrity.
S/MIME email certificates for message encryption and signing.
Client certificates for application and service authentication.
Document-signing certificates for electronic documents.
Extended-Validation (EV) certificates under CA/B Forum requirements.
EMV certificates for payment-card security.
CVC certificates for card verification codes.
Certificate Transparency
Publishes certificate entries to trusted logs per RFC 6962.
Embeds Signed Certificate Timestamps (SCTs) in issued certificates.
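As a check that an issued certificate really carries the SCTs described above, the following added example (not code from emCA or eMudhra) parses an RFC 6962 SignedCertificateTimestampList, the TLS-encoded payload inside the X.509 extension with OID 1.3.6.1.4.1.11129.2.4.2, into its individual SCTs with strict length checks. The builder functions and the sample list are constructed for this example and are not real log entries.

```python
import struct
from datetime import datetime, timezone

def _vector(buf, off, width):  # TLS length-prefixed opaque vector -> (bytes, next offset)
    n = int.from_bytes(buf[off:off + width], "big")
    off += width
    if off + n > len(buf):  # also fires when the length prefix itself is truncated
        raise ValueError("vector runs past end of data")
    return buf[off:off + n], off + n

def parse_sct(data):
    """Decode one SerializedSCT (RFC 6962 section 3.2) into a dict."""
    if len(data) < 43 or data[0] != 0:  # only v1 (version byte 0) is defined
        raise ValueError("SCT too short or unsupported version")
    log_id = data[1:33]                          # SHA-256 of the log's public key
    (ts_ms,) = struct.unpack(">Q", data[33:41])  # milliseconds since the Unix epoch
    extensions, off = _vector(data, 41, 2)
    hash_alg, sig_alg = data[off:off + 2]        # RFC 5246 codes: 4=sha256, 3=ecdsa
    signature, off = _vector(data, off + 2, 2)   # (unpacking above fails if truncated)
    if off != len(data):
        raise ValueError("trailing bytes after SCT")
    return {"log_id": log_id.hex(), "timestamp_ms": ts_ms, "hash_alg": hash_alg,
            "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
            "sig_alg": sig_alg, "extensions": extensions, "signature": signature}

def parse_sct_list(payload):
    """Split a SignedCertificateTimestampList into SCTs, rejecting malformed lengths."""
    outer, off = _vector(payload, 0, 2)
    if off != len(payload):
        raise ValueError("trailing bytes after SCT list")
    scts, off = [], 0
    while off < len(outer):
        raw, off = _vector(outer, off, 2)
        scts.append(parse_sct(raw))
    return scts

def build_sct(log_id, ts_ms, signature):
    """Encode a v1 SCT with no extensions (SHA-256/ECDSA) for constructed test data."""
    body = b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00"
    return body + b"\x04\x03" + len(signature).to_bytes(2, "big") + signature

def build_sct_list(scts):
    inner = b"".join(len(s).to_bytes(2, "big") + s for s in scts)
    return len(inner).to_bytes(2, "big") + inner

# Constructed sample: two SCTs with made-up log IDs and signature bytes, not real logs.
SAMPLE_LIST = build_sct_list([
    build_sct(b"\x11" * 32, 1748563200000, bytes.fromhex("3006020101020102")),
    build_sct(b"\x22" * 32, 1748563260000, bytes.fromhex("3006020103020104"))])
```

The payload is the content of the inner DER OCTET STRING of the extension value; unwrapping that DER layer is left to your X.509 library, and verifying each signature against the log's public key is a separate step.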
Algorithm Support
Traditional: DSA, RSA, ECC (secp-192/256/384/521; brainpool curves; prime224v1; Ed25519), SHA-2 family.
Post-Quantum: NIST-approved schemes (CRYSTALS-Dilithium2/3/5; Falcon-512/1024; SPHINCS+).
Protocol Support
SCEP, CMP, ACME, EST for automated enrolment and renewal.
SOAP and REST APIs for certificate requests, renewals, revocations, and status checks.
Integration and Interfaces
LDAP: Active Directory and OpenLDAP integration; automated distribution of certificates and CRLs; LDIF export; LDAP v3 compliance (RFC 4519, RFC 4524).
SAML: Single Sign-On support via existing SAML-based IAM systems.
OID Management: Predefined and custom OIDs for subject attributes (e.g., Country, Organization, Common Name, Serial Number).
Stand-Alone Utilities
Root CA Offline: Desktop utility compatible with TEMPEST-rated machines.
API Gateway: Secure, signed, and encrypted SOAP/REST interfaces for third-party integration (for example, sign servers and eMudhra portals).
Localization
Supports multi-language certificate values and mixed-language subject fields.
Authentication Controls
Enforces digital-signature certificates on FIPS-certified tokens for administrator access.
Integrates with external MFA systems (for example, Active Directory, IDAM).
How emCA Works
emCA is implemented in Java and runs on any JVM-compatible environment. It is hardware-agnostic and has no dependencies on a specific server or appliance.
Core Components
Application Engine
Deployed as a standalone WAR/EAR in any Java EE container.
Persistence Layer
Stores certificates, policies, and audit records in a relational database (for example, PostgreSQL or MySQL).
Cryptographic Module
Integrates with any FIPS-compliant HSM via PKCS#11 or uses a software keystore for key storage.
APIs
REST endpoints for automated certificate requests, renewals, revocations, and status checks.
Integrations
Directory Services
Connects to LDAP systems (for example, Active Directory, OpenLDAP) for user and RA data.
External CAs
Supports chaining to external root CAs and cross-certification workflows.
Logging & Audit
Writes compliance logs to both database and filesystem for external review.
Deployment Modes
Standalone
Single-node installation for small-scale or test environments.
Clustered
Multi-node, load-balanced setup with failover for high availability.
Licensing
emCA is available under different license models tailored to deployment and usage requirements:
Perpetual License
One-time purchase for on-premises installation. Includes an initial 12-month maintenance and support term; annual renewals are available thereafter.
Instance-Based License
Priced by the total number of emCA application instances deployed, regardless of issuance volume.
Subscription License
Term-based (annual or multi-year) license covering software use, updates, and support. Scales by number of CAs or certificate-issuance volume.
Capacity-Based License
Tiered by certificate-issuance throughput (for example, certificates per year). Allows alignment of licensing costs with operational demands.
Managed-Service License
Hosted deployment under a service-level agreement. Covers software, infrastructure, and managed support.
Licenses are issued with defined expiration dates and must be renewed before expiry to maintain uninterrupted operation and access to updates. License entitlements, such as feature bundles and support levels, vary by model and tier.
Use Cases
emCA supports a wide range of use cases for diverse applications and industries. Here are a few typical emCA use cases.
National PKI
CA Hierarchy Deployment
Configure root, subordinate, and issuing CAs with emCA’s CA setup tools
Define and publish Certificate Policy and Practice Statement (CP/CPS)
RA Management
Verify entity identities via the RA module
Automate certificate request approvals
Key Management & Distribution
Generate, store, and distribute cryptographic keys
Issue certificates over secure channels or hardware tokens
Regulatory Compliance
Enforce legal and regulatory frameworks via policy controls
Support audit and incident-response planning
EMV Payment-Card PKI
Certificate Lifecycle
Issue, renew, and revoke EMV certificates for cards and terminals
Maintain audit logs and reporting for PCI DSS compliance
Transaction Security
Enable card and terminal authentication
Support offline transactions with signed data
ePassport PKI
Basic Access Control (BAC)
Manage Country Signing Certificate Authority (CSCA) and Document Signers
Issue certificates for chip data signing
Extended Access Control (EAC)
Configure Card Verifiable Certificate Authority (CVCA) and DVCAs
Issue terminal and verifier certificates
Smart-Device PKI (Energy Sector)
Enrolment & Issuance
Enroll smart meters and IoT devices via REST/SCEP requests
Bind device identifiers to public keys in issued certificates
Trust & Data Security
Establish trust between devices and central systems
Sign and encrypt meter data for transmission
Industrial IoT Security
Large-Scale Certificate Management
Automate issuance, renewal, suspension, and revocation at scale
Support REST, SOAP, SCEP, and SAML for device workflows
Security Controls
Apply PKI-based encryption and digital signatures
Align device-identity policies with organizational standards
EAL 4+ Certification
EAL 4+ Functionalities in emCA
Access Control
Enforces role-based policies for administrative and operator functions.
Auditability
Records security-relevant events for review and compliance.
Data Protection
Applies approved cryptographic measures to data at rest and in transit.
System Integrity
Validates tamper resistance of code and configurations.
Secure Communications
Uses encrypted channels for all management interfaces.
Authentication
Requires multi-factor methods for administrator access.
Security Function Reliability
Verifies feature execution under defined test conditions.
Lifecycle Management
Follows defined processes for updates, patches, and re-evaluation.
References
Scheme: Singapore Common Criteria Scheme (SCCS), EAL4+ with ALC_FLR.2; Cyber Security Agency of Singapore.
Validity: 11 Feb 2022 – 11 Feb 2027; Cyber Security Agency of Singapore.