Teststation Order from Chaos

CCA India Root Certificate on Linux

The IT Act provides for the Controller of Certifying Authorities (CCA) to license and regulate the working of Certifying Authorities and also to ensure that none of the provisions of the Act are violated. The Certifying Authorities (CAs) issue Digital Signature Certificates (DSC) for electronic authentication of users. -- Ministry of Electronics & Information Technology, India

Thanks to the IT Act and the government’s Digital India campaign, we’re seeing more and more digitally signed documents floating around. However, validating these signatures requires a Root Certificate which serves as the anchor from which the chain of trust for any signed electronic record is derived. Without a trusted Root available, a signed document cannot be validated.

The Root Certificate of the Controller of Certifying Authorities of India is available on cca.gov.in. While downloading and installing the certificates is a straightforward affair on Windows (Right Click -> Install), it takes a bit of a dance to do so in Linux, as described below:

  • Download the ‘CCA India 2014’ certificate from this site
  • Decode the base64 encoded data with:
      openssl base64 -d -A < cca_india_2014.cer > cca_india_2014.der
  • Convert it from DER to PEM format with:
      openssl x509 -in cca_india_2014.der -inform der -outform pem -out cca_india_2014.pem
  • Print and verify the certificate fingerprint [1] with:
      openssl x509 -in cca_india_2014.pem -noout -fingerprint
  • Import it to NSSDB with:
      certutil -d /etc/pki/nssdb -A -i cca_india_2014.pem -t "C,C,C" -n "CCA India 2014"
  • Import it to your Firefox profile with:
      certutil -d $HOME/.mozilla/firefox/<profile_id> -A -i cca_india_2014.pem -t "C,C,C" -n "CCA India 2014"
  • One can use pdfsig [2] to validate signed PDF files:
      pdfsig <path/to/PDF/file>

The ‘CCA India 2015 SPL’ certificate can be imported in a similar manner.
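
The steps above print the fingerprint but leave the comparison to the reader. As an added example (not part of the original post), the script below makes the import conditional on that comparison. The function names are hypothetical, and the expected fingerprint is assumed to come from a channel other than the download itself, such as the service in footnote 1.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to import a downloaded
# root unless its fingerprint matches one obtained out of band.
# Function names are hypothetical; the openssl x509 and certutil calls are the page's own.

# Reduce a fingerprint to bare upper-case hex. Accepts plain hex, AA:BB:..., or
# a whole "SHA1 Fingerprint=AA:BB:..." line as printed by openssl.
norm_fp() { printf '%s' "${1##*=}" | tr -d ': \r\n' | tr 'a-f' 'A-F'; }

# A certificate fingerprint is the digest of its DER bytes, so it can be
# recomputed with coreutils, independently of the tool that will import it.
der_fp() {  # der_fp <file.der> <sha1|sha256>
    "${2}sum" "$1" | cut -d' ' -f1 | tr 'a-f' 'A-F'
}

# Decode the base64 .cer to DER; keep the DER only if the fingerprint matches.
verify_cer() {  # verify_cer <in.cer> <out.der> <expected-fp> [sha1|sha256]
    case "${4:-sha256}" in
        sha1|sha256) ;;
        *) echo "unsupported digest: $4" >&2; return 2 ;;
    esac
    tr -d '\r\n' < "$1" | base64 -d > "$2" 2>/dev/null || { rm -f "$2"; return 2; }
    if [ -z "$(norm_fp "$3")" ] ||
       [ "$(der_fp "$2" "${4:-sha256}")" != "$(norm_fp "$3")" ]; then
        echo "fingerprint mismatch for $1: got $(der_fp "$2" "${4:-sha256}")" >&2
        rm -f "$2"   # leave nothing behind that a later step could import
        return 1
    fi
}

# Convert and import only after verification succeeds.
install_root() {  # install_root <in.cer> <expected-fp> <nickname> <nssdb-dir> [sha1|sha256]
    verify_cer "$1" "${1%.cer}.der" "$2" "${5:-sha256}" || return
    openssl x509 -in "${1%.cer}.der" -inform der -outform pem -out "${1%.cer}.pem" &&
    certutil -d "$4" -A -i "${1%.cer}.pem" -t "C,C,C" -n "$3"
}

# Usage (the fingerprint is a placeholder; use the value received out of band):
# install_root cca_india_2014.cer "<fingerprint>" "CCA India 2014" /etc/pki/nssdb sha1
```

The `-t "C,C,C"` flags set all three NSS trust fields (TLS, S/MIME, code signing) for the root, which is why the import is gated on the fingerprint check.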


Footnotes:

  1. The correct fingerprint for verification can be obtained by sending an empty email to [email protected]; it’s an automated service that responds with fingerprints and CRL.

  2. pdfsig does not support password-protected documents yet.