Key Components

emCA suite has following Solution components

Certificate Manager - emCA

The Certificate Manager is the core component responsible for managing the entire lifecycle of digital certificates within an organization. It performs the sensitive functions: certificate generation, renewal, revocation, and overall maintenance.

Key Features:

  • Role-based access to the application

  • Multi-factor authentication for user login using token-based certificates

  • M-of-N user control for separation of duties

  • Automated certificate issuance over the SCEP, CMP and EST protocols

  • User and group management (view, create, deactivate, renew and delete)

  • Encryption of sensitive data in the database with an AES key stored in the HSM

  • Support for Certificate Transparency

  • Signing of CSRs generated by external entities

  • Mapping of groups to a CA/issuing CA for group-wise management of CAs

  • Support for cross-certification

  • Multi-HSM support for PKCS#11-compliant HSMs

  • OCSP certificate generation and management

  • Support for Mobile PKI

User Enrollment - emRA

The user enrollment platform empowers organizations to oversee both certificate issuance and user KYC (Know Your Customer) information management. This includes handling demographic data, photos, identity and address proofs, along with organizational documentation. The platform offers configurability, allowing inclusion of supplementary information or documents for processing digital certificates. Comprising four decentralized portals, this solution can be flexibly deployed across diverse environments to align with the organization's specific needs.

emRA offers an admin portal that gives authorized personnel a consolidated view of data across all Registration Authorities (RAs) from a single administrative dashboard. This view is tightly access-controlled, ensuring compliance with privacy and data protection policies.

emRA supports RA-wise logical data segregation. Each RA will have isolated access only to its own dataset, ensuring data confidentiality and adherence to regulatory requirements. No RA will have visibility into another RA's data.

emRA enforces strong authentication mechanisms including complex password policies and two-factor authentication (2FA) for all RA users. These security controls comply with industry standards and best practices to prevent unauthorized access and strengthen user identity verification.

Key Features

  • Manage Registration Authority Officers with different levels and approval powers.

  • Configure different certificate types and validity periods, as well as currencies.

  • Create/configure vetting profiles based on different criteria.

  • Requests can have different verification checklists based on the criteria in the vetting profile.

  • emRA captures and maintains all mandatory subscriber attributes as specified in the guidelines.

  • Manage external RAs with multi-level organization, as well as multi-user configurations.

  • Subscriber self-service for certificate management.

  • Integration with the certificate download module for email and mobile validation.

  • Integration with a video verification system for in-person verification.

  • Supports document-upload-based verification and a video recording system.

  • emRA incorporates role-based reporting, ensuring secure access to critical operational and compliance data.

  • emRA supports paperless enrollment of DSC subscribers/users using eSign.

  • Provides a digitally enabled workflow for issuing DSCs. This includes digital signing, verification, and secure storage of subscriber request data in digital format for various use cases.

  • The system automatically sends email and SMS notifications to end users for key events, including:

    • Registration

    • Certificate generation and acceptance

    • Application rejection

    • Revocation and expiry of X.509 certificates

Online Certificate Status Protocol (OCSP)

Online Certificate Status Protocol (OCSP) is an Internet protocol that enables clients to verify the revocation status of X.509 digital certificates in real time. It is a more efficient alternative to Certificate Revocation Lists (CRLs) because it returns the current status of a single certificate on demand, without requiring clients to download and parse the full list.

Key Features:

  • OCSP Certificate Generation and Management: Enables the issuance, renewal, and management of OCSP responder certificates in line with operational and compliance requirements.

  • Standards-Compliant Response Generation: Generates OCSP responses conforming to RFC 6960 and the lightweight profile in RFC 5019, while adhering to CA/Browser Forum requirements.

  • Real-Time Certificate Status Verification: Provides accurate, real-time revocation status by interfacing with the emCA backend.

  • HSM-Based Key Management: Supports secure storage and use of the OCSP responder signing key pair inside a Hardware Security Module (HSM).

  • Whitelist Enforcement Mechanism: Offers an optional whitelist check so that definitive OCSP responses are produced only for authorized certificate serial numbers.

  • Support for GET and POST Methods: The responder accepts both HTTP GET and POST requests for Digital Signature Certificates (DSC) and SSL certificates.

  • Response Time Requirement: Operates with a guaranteed OCSP response time of ten seconds or less under normal operating conditions.

  • Trusted OCSP Responder Certification: OCSP responses are signed either by the issuing CA itself or by a delegated responder whose certificate was issued directly by the CA that issued the certificate in question and carries the id-kp-OCSPSigning extended key usage, as RFC 6960 requires. Clients reject responses signed by any other key, so a responder certificate from a different CA in the hierarchy is not sufficient.

  • Compliance with Interoperability Guidelines: The OCSP responder and subscriber certificates comply with the latest Interoperability Guidelines for Digital Signature Certificates under the Information Technology Act.

  • Real-Time Record Availability and Archival: OCSP records are retained and viewable in real time for a minimum of one month, after which they are securely archived for future reference.

Overcoming the Limitations of CRLs

CRLs, the traditional method for certificate revocation, have inherent limitations that make them less suitable for modern digital environments. One major drawback is the need for clients to download the entire CRL file, which can be large and time-consuming, especially over low-bandwidth connections. Additionally, CRLs are inherently susceptible to delays in propagation, meaning that revoked certificates may still be accepted for a period of time until the CRL is updated.

Online Certificate Status Protocol (OCSP) Components

An OCSP deployment consists of two major components:

OCSP Client

The OCSP client is the software that initiates the revocation check by sending an OCSP request to an OCSP responder. The OCSP client typically resides on the machine that wants to verify the validity of a certificate. It receives the OCSP response from the OCSP responder and interprets the response to determine whether the certificate is valid or revoked.

OCSP Responder

The OCSP responder is the server that receives OCSP requests and provides revocation information. It is typically hosted by the Certificate Authority (CA) that issued the certificate. The OCSP responder verifies the request, checks the revocation status of the certificate, and sends a signed response back to the OCSP client.

How OCSP Works in emCA?

  1. The authenticating client or OCSP client (e.g. a browser) sends an OCSP request to the OCSP wrapper, the web front end of the service.

  2. The OCSP wrapper forwards the request to the OCSP core, which is the responder proper.

  3. The responder verifies the request and returns a digitally signed response containing the certificate status (good, revoked or unknown) to the client.

A 'good' status indicates that the certificate is known to the responder and is not revoked. A 'revoked' status indicates that the certificate has been revoked, either permanently or placed on hold (suspended). An 'unknown' status means the responder has no record of the certificate, typically because it was not issued by a CA the responder serves; a client should not treat 'unknown' as approval.
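The exchange above, reduced to what the client side has to get right, as an added example in Go (this is illustrative code written for this page, not emCA's own implementation, and it uses only the Go standard library). It builds the DER OCSPRequest for a user certificate, encodes it in the RFC 6960 GET form that the 'GET and POST' feature refers to, and applies the delegated-responder rule from RFC 6960: a responder certificate is trusted only if the CA that issued the certificate being checked issued it directly and gave it the id-kp-OCSPSigning extended key usage. The CA, user certificate, responder and the self-minted rogue responder are all constructed in-memory test data, and http://ocsp.example.test is a placeholder URL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// ASN.1 shapes from RFC 6960 section 4.1.1, reduced to a basic unsigned request.
type certID struct {
	HashAlgorithm  pkix.AlgorithmIdentifier
	IssuerNameHash []byte
	IssuerKeyHash  []byte
	SerialNumber   *big.Int
}
type singleRequest struct{ ReqCert certID }
type tbsRequest struct {
	Version     int `asn1:"explicit,tag:0,default:0,optional"`
	RequestList []singleRequest
}
type ocspRequest struct{ TBSRequest tbsRequest }

var oidSHA1 = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildOCSPRequest DER-encodes an OCSPRequest for leaf. CertID carries SHA-1 of the issuer's DER
// subject name and of its raw subjectPublicKey bits (RFC 5019), whatever hash the certificate uses.
func buildOCSPRequest(issuer, leaf *x509.Certificate) []byte {
	var spki struct{ Algorithm pkix.AlgorithmIdentifier; PublicKey asn1.BitString }
	must(asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &spki))
	nameHash, keyHash := sha1.Sum(issuer.RawSubject), sha1.Sum(spki.PublicKey.RightAlign())
	id := certID{pkix.AlgorithmIdentifier{Algorithm: oidSHA1, Parameters: asn1.RawValue{Tag: asn1.TagNull}},
		nameHash[:], keyHash[:], leaf.SerialNumber}
	return must(asn1.Marshal(ocspRequest{tbsRequest{RequestList: []singleRequest{{id}}}}))
}

// ocspGetURL builds the RFC 6960 Appendix A.1 GET form: base64 of the DER as one URL-escaped path
// segment. GET responses are cacheable by plain HTTP caches (RFC 5019); POST is used above 255 bytes.
func ocspGetURL(base string, der []byte) string {
	return base + "/" + url.PathEscape(base64.StdEncoding.EncodeToString(der))
}

// responderAuthorized applies RFC 6960 section 4.2.2.2: a delegated responder is trusted only if its
// certificate was issued directly by the CA that issued the checked certificate and has id-kp-OCSPSigning.
func responderAuthorized(issuer, responder *x509.Certificate) bool {
	hasEKU := false
	for _, eku := range responder.ExtKeyUsage {
		hasEKU = hasEKU || eku == x509.ExtKeyUsageOCSPSigning
	}
	return hasEKU && responder.CheckSignatureFrom(issuer) == nil
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// newTemplate is a minimal certificate template; names and serials are constructed test data.
func newTemplate(cn string, serial int64, ca bool, eku ...x509.ExtKeyUsage) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if ca {
		ku |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, ExtKeyUsage: eku, IsCA: ca, BasicConstraintsValid: ca}
}

// issue signs tmpl under parent with signer (parent == tmpl for a self-signed certificate).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// demo: constructed issuing CA, user certificate, legitimate delegated responder and a self-minted
// responder that merely claims id-kp-OCSPSigning, followed by the checks a client performs.
func demo() (reqDER []byte, getURL string, legitOK, rogueOK bool) {
	caKey, respKey := newKey(), newKey()
	caT := newTemplate("emCA Demo Issuing CA", 1, true)
	ca := issue(caT, caT, &caKey.PublicKey, caKey)
	leaf := issue(newTemplate("user@example.test", 4242, false, x509.ExtKeyUsageClientAuth), ca, &newKey().PublicKey, caKey)
	legit := issue(newTemplate("Demo OCSP Responder", 7, false, x509.ExtKeyUsageOCSPSigning), ca, &respKey.PublicKey, caKey)
	rogueT := newTemplate("Self-minted Responder", 8, false, x509.ExtKeyUsageOCSPSigning)
	rogue := issue(rogueT, rogueT, &respKey.PublicKey, respKey) // attacker-made, not issued by ca
	reqDER = buildOCSPRequest(ca, leaf)
	return reqDER, ocspGetURL("http://ocsp.example.test", reqDER), responderAuthorized(ca, legit), responderAuthorized(ca, rogue)
}

func main() {
	der, u, legit, rogue := demo()
	fmt.Println(len(der), "byte request; GET", u, "\nlegitimate responder:", legit, "rogue responder:", rogue)
}
```

A real client would POST the DER with Content-Type application/ocsp-request, or GET the URL shown, then parse the BasicOCSPResponse, verify its signature with the responder's key, and run the responderAuthorized check against the issuer of the certificate it asked about before acting on the status; the rogue case shows why the EKU alone is not enough.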

Integration of OCSP with HSM

The Online Certificate Status Protocol (OCSP) system is integrated with Hardware Security Modules (HSMs) and supports most major HSM models. OCSP responder keys can be securely protected in a single or distributed HSM structure and can be configured in the emCA OCSP component to retrieve the responder keys from the HSM. It is recommended that OCSP responder keys be delegated keys under each Certificate Authority (CA) and may reside in a separate HSM device from the CA HSM. However, the system also supports non-delegated scenarios where OCSP responses may need to be signed by the CA key itself.

Time Stamping Module

The Timestamping Module ensures the integrity and long-term validity of digital signatures by providing trusted timestamps. It is essential for documents and transactions that require proof of existence at a specific point in time.

  • Timestamping can be used to prove the time of a transaction, the time a document was signed, and when it was archived independently and irrefutably.

  • emCA's TSA component operates in full accordance with the guidelines prescribed by the Controller of Certifying Authorities (CCA) and the Certifying Authority System Compliance (CSC) framework for Time Stamping Services

  • emCA's TSA component generates comprehensive audit logs for all time stamping events, particularly those related to security activities, ensuring full traceability and accountability for compliance and forensic analysis.

  • All Time Stamp Tokens (TSTs) issued by emCA’s TSA are fully compliant with RFC 3161, ensuring globally recognized format and standards for long-term digital signature validation.

  • The TSA component strictly adheres to policy by issuing Time Stamping Certificates solely for its internal time stamping operations, and not for any third-party or external TSA.

  • The time values used in each timestamp token are sourced from and traceable to authorized Standard Time Sources in India, including GPS (Global Positioning System) and NPL (National Physical Laboratory), ensuring authenticity and legal defensibility.

How does it work?

Generating a Timestamp

A time stamp token binds a hash of the data to a time value under the TSA's signature, so that neither the data nor the time can be changed afterwards without invalidating that signature. The exchange follows RFC 3161:

Steps for Timestamp Generation:

  1. Data Input: The requester holds the data to be timestamped, which can be a PDF, XML, or any other digital format.

  2. Hash Calculation: The requester computes a hash of the data, the message imprint. Only this hash, together with the identifier of the hash algorithm, is sent to the TSA in the TimeStampReq; the TSA never sees the document itself. It is computationally infeasible to find two different inputs with the same hash.

  3. Request: The TimeStampReq carries the message imprint and may also carry a requested policy, a nonce (a random value the requester later checks in the response, to detect replay) and a flag asking the TSA to include its certificate.

  4. Token Construction: The TSA checks that the hash length matches the declared algorithm, reads the current time from its trusted time source, and builds a TSTInfo structure containing the message imprint, a unique serial number, the generation time (genTime), the policy under which the token is issued, and the nonce if one was supplied.

  5. Digital Signature: The TSA signs the TSTInfo with its private key, producing a CMS SignedData structure, the TimeStampToken. The signing certificate must carry the id-kp-timeStamping extended key usage as its only key purpose and is referenced from the signed attributes (ESSCertID, or ESSCertIDv2 per RFC 5816), so the token cannot be re-attributed to another certificate.

  6. Timestamp Response: The TSA returns a TimeStampResp containing a status and, on success, the token. The requester stores the token alongside the original data.

Because the signature covers the TSTInfo, which itself contains the hash of the data, the timestamp is securely linked to the original data and cannot be tampered with without invalidating the signature.

Verifying Timestamp Authenticity

Verifying a timestamp establishes that the data has not been altered since the token was issued and that the token was produced by a trusted Time Stamping Authority (TSA). The verifier needs the data, the token and the TSA's certificate chain.

Steps for Timestamp Verification:

  1. Calculate the Hash of the Data: Recompute the hash of the original data using the hash algorithm named in the token's messageImprint.

  2. Compare with the Message Imprint: Compare the recomputed hash with the hashedMessage value inside the TSTInfo. A mismatch means the data is not what was stamped.

  3. Validate the TSA's Digital Signature: Verify the CMS signature over the TSTInfo with the public key from the TSA's certificate. This proves that the TSTInfo, including genTime and the message imprint, is exactly what the TSA signed.

  4. Validate the TSA Certificate: Check that the signing certificate matches the ESSCertID/ESSCertIDv2 in the signed attributes, carries the id-kp-timeStamping extended key usage, chains to a trusted root, and was valid and not revoked at genTime. RFC 3161 requires the TSA key to be reserved for time stamping, so a token signed by an ordinary signing certificate must be rejected.

  5. Check the Token's Fields: If the request carried a nonce, confirm the token returns the same nonce; confirm the policy is acceptable and that genTime, within its stated accuracy, is plausible for the transaction being evaluated.

  6. Conclusion: If every check passes, neither the data nor the time value has changed since the TSA issued the token, and the token was issued by that TSA. If the hash comparison fails, the data was altered; if the signature or certificate checks fail, the token was altered or was not issued by a trusted TSA.
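The generation and verification steps above, carried through in Go as an added example (illustrative code for this page, not emCA's TSA implementation). It models the RFC 3161 TSTInfo with the standard library's encoding/asn1 and signs the DER-encoded structure directly with ECDSA; a conforming TSA wraps the same TSTInfo in a CMS SignedData with the signing-certificate attribute, which is left out here to stay within the standard library. The policy OID, the fixed clock reading and the sample document are constructed test data.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TSTInfo subset from RFC 3161 section 2.4.2 (accuracy, nonce and tsa name omitted).
type messageImprint struct {
	HashAlgorithm pkix.AlgorithmIdentifier
	HashedMessage []byte
}
type tstInfo struct {
	Version        int
	Policy         asn1.ObjectIdentifier
	MessageImprint messageImprint
	SerialNumber   *big.Int
	GenTime        time.Time `asn1:"generalized"`
}

// token stands in for the CMS SignedData TimeStampToken: DER TSTInfo plus an ECDSA signature over its SHA-256.
type token struct{ TSTInfoDER, Signature []byte }

var oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
var demoPolicy = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // constructed policy OID

// tsa holds the responder key, a serial counter and the clock, i.e. the trusted time source.
type tsa struct {
	key  *ecdsa.PrivateKey
	last int64
	now  func() time.Time
}

// imprintOf is computed by the requester; only this hash is sent to the TSA, never the document.
func imprintOf(data []byte) messageImprint {
	h := sha256.Sum256(data)
	return messageImprint{pkix.AlgorithmIdentifier{Algorithm: oidSHA256}, h[:]}
}

// issue rejects a malformed imprint, binds it to the current time and a unique serial in a TSTInfo, and signs that.
func (t *tsa) issue(mi messageImprint) (token, error) {
	if !mi.HashAlgorithm.Algorithm.Equal(oidSHA256) || len(mi.HashedMessage) != sha256.Size {
		return token{}, errors.New("badDataFormat: imprint length does not match declared algorithm")
	}
	t.last++
	der, err := asn1.Marshal(tstInfo{1, demoPolicy, mi, big.NewInt(t.last), t.now().UTC().Truncate(time.Second)})
	if err != nil {
		return token{}, err
	}
	d := sha256.Sum256(der)
	sig, err := ecdsa.SignASN1(rand.Reader, t.key, d[:])
	return token{der, sig}, err
}

// verify checks the TSA signature first, then that the data still hashes to the signed imprint; returns genTime.
func verify(tok token, data []byte, tsaPub *ecdsa.PublicKey) (time.Time, error) {
	d := sha256.Sum256(tok.TSTInfoDER)
	if !ecdsa.VerifyASN1(tsaPub, d[:], tok.Signature) {
		return time.Time{}, errors.New("TSA signature invalid: token forged or altered")
	}
	var info tstInfo
	if rest, err := asn1.Unmarshal(tok.TSTInfoDER, &info); err != nil || len(rest) != 0 {
		return time.Time{}, errors.New("TSTInfo malformed or has trailing data")
	}
	if !info.MessageImprint.HashAlgorithm.Algorithm.Equal(oidSHA256) || !bytes.Equal(info.MessageImprint.HashedMessage, imprintOf(data).HashedMessage) {
		return time.Time{}, errors.New("message imprint mismatch: data changed since it was stamped")
	}
	return info.GenTime, nil
}

// demo stamps a constructed document at a fixed clock reading, verifies it, then verifies a one-byte-altered copy.
func demo() (stampedAt time.Time, tamperErr, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	authority := &tsa{key: key, now: func() time.Time { return time.Date(2024, 5, 17, 9, 30, 0, 0, time.UTC) }}
	doc := []byte("constructed sample contract, signed 2024-05-17")
	tok, err := authority.issue(imprintOf(doc))
	if err != nil {
		return
	}
	stampedAt, err = verify(tok, doc, &key.PublicKey)
	_, tamperErr = verify(tok, append(doc, '!'), &key.PublicKey) // same token, altered document
	return
}

func main() { fmt.Println(demo()) }
```

verify deliberately checks the signature before it parses or trusts anything inside the token, and the altered-document case returns the imprint-mismatch error: that is what a relying party sees when a stamped document changes by even one byte. In a full RFC 3161 verifier the same function would additionally check the nonce, the policy and the TSA certificate's id-kp-timeStamping key usage, as described in the steps above.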

Key Management Module

The Key Management Module is responsible for the secure generation, storage, and management of cryptographic keys. It ensures the confidentiality and security of keys throughout their lifecycle.

Key Features:

  • Secure key generation and storage.

  • Key rotation and retirement policies.

  • Integration with Hardware Security Modules (HSMs).

Hardware Security Module Integration

Integration with Hardware Security Modules (HSMs) enhances the security of cryptographic operations by utilizing dedicated hardware for key management. It provides additional protection against physical and logical attacks.

Key Features:

  • Secure storage of private keys in hardware.

  • Hardware-based cryptographic operations.

  • Enhanced resistance to tampering and attacks.

Functional Components

Profile Management:

Administrative users can create, modify, and delete certificate profiles and key profiles to meet organizational requirements.

CA Certificate Management

The management of CA certificates within the emCA system is handled by users with the Officer role. Using the key profiles and certificate profiles defined by administrators, officers create CA certificates as needed. Officers can also revoke CA certificates, which keeps the management process both dynamic and secure.

User Certificate Management

The emCA system allows officers to manage user certificates through the User Certificate Management feature. By leveraging the key profile and certificate profile, officers can easily create and issue user certificates. Furthermore, officers have the ability to revoke user certificates, which facilitates a holistic and user-focused approach to certificate management.

Key Recovery

emCA supports key recovery (escrow of the subscriber's private key) only for certificates issued under a profile in which key recovery was enabled when the certificate profile was created. Certificates issued under profiles without this option cannot be recovered. The option should be enabled only for encryption certificates: escrowing a signing key undermines the non-repudiation that the signature is meant to provide.

Backup & Restore

The Backup and Restore feature in the emCA system is available only to users holding the role authorized for it. It enables systematic backups and the restoration of important data and configuration, ensuring the system's stability and continuity.

Reports

All users in the emCA system have the ability to access and view reports. This inclusive feature promotes transparency and accountability by enabling all users, regardless of their roles, to stay informed about various aspects of the certificate infrastructure.

OCSP Management

Seamless integration of OCSP Management in the emCA system allows administrators to effectively manage and configure the OCSP service, facilitating real-time validation of certificate status within the Public Key Infrastructure.

CERT/CRL Management

The emCA system efficiently manages the administration of certificates and Certificate Revocation Lists (CRLs). This includes creating and distributing CRLs, ensuring timely communication of certificate revocation events, and contributing to the overall security of the certificate infrastructure.

License Management

The solution requires a license issued by eMudhra. This module provides the functions for generating and managing that license so that the system operates without interruption.

User Management

As a sensitive application, robust role-based access controls have been implemented. This module serves as the hub for creating and managing users, ensuring strict control over user access and permissions.


RFC 3161 and RFC 5816 are the standards for secure cryptographic timestamping; RFC 5816 updates RFC 3161 to allow the ESSCertIDv2 signing-certificate attribute, so the TSA certificate can be referenced with a SHA-2 hash instead of SHA-1.
Figures on the original page (not reproduced here): emRA Portals; How OCSP works; How Timestamping happens; How timestamps are verified.