Licensing of CAs

What measures does the CCA take when licensing a CA?

Detailed information (financial, technical and procedural) is obtained from the CA as part of the application for a licence. This information is examined and audited for compliance with the IT Act, Rules, Regulations and guidelines. On successful audit, the licence is granted. The CCA also certifies the public key of the licensed CA.

Where can I find the steps for becoming a CA?

An overview of the licensing process can be seen in the “CA Licensing Guidelines” published on

How often is auditing done (auditing cycle period)? Is it a continuous process?

Yes. External audits are held annually and internal audits are held every six months, according to the Rules under the IT Act 2000. The CA shall get its operations audited annually by an auditor, and such audit shall include security policy and planning, physical security, technology evaluation, the CA's services administration, compliance with the CPS, contracts/agreements, regulations prescribed by the CCA, and the policy requirements of the CA Rules. The CA shall conduct a half-yearly internal audit of the security policy, physical security and planning of its operation, and a yearly audit by one of the auditors empanelled by the CCA.

What is CPS?

CPS (Certification Practice Statement): A statement of the practices that a Certifying Authority employs in issuing and managing certificates. A CPS is a declaration by the CA of the details of its trustworthy system and the practices it employs in its operations in support of the issuance of a certificate, as per the provisions of the IT Act and as mentioned in the India PKI CP. A general CPS framework is given in the CA Licensing Guidelines.

Does the CCA enforce a Disaster Recovery Centre for CAs?

Yes, it is a mandatory requirement under the IT Act, so that CAs can make the CRLs available.