A digital signature is only as trustworthy as the body that vouches for the key behind it. Chapter VI of the Information Technology Act, 2000 (Sections 17 to 34) builds that chain of trust: it creates the office of the Controller of Certifying Authorities (CCA), licenses the private Certifying Authorities (CAs) that issue signature certificates to the public, and arms the regulator with powers of audit, investigation, suspension and seizure. This chapter is the administrative backbone that makes the digital and electronic signature regime legally credible. Read it alongside the secure records and signatures framework and the foundational definitions in Section 2. For the wider scheme, return to the IT Act hub.

The PKI architecture: why Chapter VI exists

The Act adopts a Public Key Infrastructure (PKI) model. A subscriber holds a private key for signing and a corresponding public key for verification; a Certifying Authority binds that public key to the subscriber's identity by issuing an Electronic Signature Certificate under Section 35. But a certificate issued by an unregulated, untrustworthy CA would be worthless. Chapter VI therefore inserts a state-licensed regulator between the public and the CAs, so that the legal presumption attaching to a secure digital signature rests on a verifiable institutional foundation.

Sections 17 to 34 form a self-contained licensing and supervision code. Sections 17 to 20 deal with the Controller; Sections 21 to 26 with the licensing of CAs; Sections 27 to 29 with delegation, investigation and access; and Sections 30 to 34 with the operational and disclosure duties of a licensed CA. The downstream consequences - issue, suspension and revocation of certificates - sit in Chapter VII (Sections 35 to 39), which presupposes the existence of the licensed CAs created here.

Section 17 - Appointment of the Controller and officers

Section 17 empowers the Central Government, by notification in the Official Gazette, to appoint a Controller of Certifying Authorities and such number of Deputy Controllers, Assistant Controllers, other officers and employees as it thinks fit. The Deputy and Assistant Controllers perform the functions assigned to them by the Controller under the general superintendence and control of the Controller. The qualifications, experience and terms and conditions of service of all these officers, and the place where the head office and branch offices are located, are as prescribed by the Central Government. The Controller also has a seal of office. Pursuant to this provision the Government of India established the office of the CCA in November 2000.

Section 18 - Functions of the Controller

Section 18 is the heart of the regulator's mandate. It lists the functions the Controller may perform, including: (a) exercising supervision over the activities of Certifying Authorities; (b) certifying public keys of the Certifying Authorities; (c) laying down the standards to be maintained by CAs; (d) specifying the qualifications and experience that CA employees should possess; (e) specifying the conditions subject to which CAs shall conduct their business; (f) specifying the contents of written, printed or visual material and advertisements that may be distributed in respect of an Electronic Signature Certificate and the public key; (g) specifying the form and content of such certificates and keys; (h) specifying the form and manner in which accounts shall be maintained by CAs; (i) specifying the terms and conditions for appointment of auditors and their remuneration; (j) facilitating the establishment of any electronic system by a CA either solely or jointly; (k) specifying the manner in which CAs shall conduct their dealings with subscribers; (l) resolving any conflict of interests between CAs and subscribers; (m) laying down the duties of CAs; and (n) maintaining a database containing the disclosure record of every Certifying Authority, with all its contents accessible to the public in the prescribed manner.

The breadth of clause (n) is significant. After the 2008 Amendment removed Section 20, the public-facing repository function increasingly leans on this disclosure database together with the repository duty now embedded in Section 30, reinforcing that transparency - not merely enforcement - is a core regulatory objective.

Section 19 - Recognition of foreign Certifying Authorities

Cross-border digital commerce requires that a certificate issued abroad be capable of recognition in India. Section 19 permits the Controller, with the previous approval of the Central Government and by notification in the Official Gazette, to recognise any foreign Certifying Authority for the purposes of the Act, subject to such conditions and restrictions as may be prescribed by regulations. Once so recognised, an Electronic Signature Certificate issued by that foreign CA is valid in India to the same extent as one issued by a CA licensed under the Act. The Controller may, for reasons to be recorded in writing, revoke such recognition by notification where he is satisfied that the CA has contravened any condition of recognition. This provision is the gateway for technology-neutral, internationally interoperable trust services contemplated by the wider Act.

Section 20 - the omitted repository provision

Section 20, titled "Controller to act as repository", originally provided that the Controller shall be the repository of all Digital Signature Certificates issued under the Act, shall maintain a computerised database of all public keys, and shall publish information on CAs while observing prescribed security procedures. This Section was omitted by the Information Technology (Amendment) Act, 2008 with effect from 27 October 2009.

The omission was part of the larger 2008 shift from "digital signature" to the technology-neutral concept of "electronic signature". Rather than centralising every certificate in the regulator's own repository, the amended scheme distributes the repository obligation to each licensed CA under Section 30, while the Controller retains the supervisory and disclosure-database functions under Section 18. Aspirants frequently encounter the trap question "which Chapter VI section was omitted?" - the answer is Section 20.

Sections 21-23 - Licence to issue certificates, application and renewal

Section 21 provides that any person may make an application to the Controller for a licence to issue Electronic Signature Certificates. The licence is granted only if the applicant fulfils the requirements with respect to qualification, expertise, manpower, financial resources and infrastructure facilities prescribed by the Central Government. A licence so granted is valid for the prescribed period, is not transferable or heritable, and is subject to the terms and conditions specified by regulations.

Section 22 sets out the contents of the application: it must be accompanied by a certification practice statement, a statement including the procedures with respect to identification of the applicant, the prescribed fee not exceeding twenty-five thousand rupees, and such other documents as may be prescribed.

Section 23 governs renewal. An application for renewal must be in the prescribed form, accompanied by the prescribed fee not exceeding five thousand rupees, and made not less than forty-five days before the date of expiry of the period of validity of the licence. The fee ceilings are a recurring objective-question favourite: twenty-five thousand rupees for the application, five thousand rupees for renewal.

Section 24 - Procedure for grant or rejection of licence

Section 24 provides that the Controller may, on receipt of an application under sub-section (1) of Section 21, after considering the documents accompanying the application and such other factors as he deems fit, either grant the licence or reject the application. Crucially, the proviso embeds a natural-justice safeguard: no application shall be rejected unless the applicant has been given a reasonable opportunity of presenting his case. This is the licensing-stage analogue of audi alteram partem, and any rejection in breach of it is vulnerable to challenge under Article 14 and the general administrative-law doctrine of fairness. The same audi alteram partem thread runs through Sections 25 and 26 below, making procedural fairness the connective tissue of the entire licensing code.

Section 25 - Suspension of licence

Section 25 lists the grounds on which the Controller, after such inquiry as he thinks fit, may revoke a licence: where the CA has (a) made an incorrect or false statement in material particulars in or in relation to the application for issue or renewal of the licence; (b) failed to comply with the terms and conditions subject to which the licence was granted; (c) failed to maintain the standards specified under Section 30; or (d) contravened any provision of the Act, rule, regulation or order made thereunder.

The proviso to sub-section (1) protects the CA: no licence shall be revoked unless the CA has been given a reasonable opportunity of showing cause against the proposed revocation. Sub-section (2) allows the Controller, where he has reasonable cause to believe that there is a ground for revocation, to suspend the licence pending completion of any enquiry - but here too the proviso bars suspension for a period exceeding ten days unless the CA has been given a reasonable opportunity of showing cause. The ten-day cap and the show-cause requirement are the two most heavily tested points in this Section.

Section 26 - Notice of suspension or revocation

Section 26 ensures the market learns of a compromised CA. Where the licence of a Certifying Authority is suspended or revoked, the Controller shall publish notice of such suspension or revocation, as the case may be, in the database maintained by him. Where one or more repositories are specified, the Controller shall publish the notice in all such repositories. The notice must, so far as is reasonably practicable, be available through a web site which is accessible round the clock, and the Controller may additionally publicise the contents of the notice in such other manner as he considers fit for public information. The provision operationalises transparency: a subscriber relying on a certificate can verify, in real time, that the issuing CA's licence remains in good standing.
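The three-tier chain sketched in the PKI architecture section (the Controller certifies a CA's public key under Section 18(b); the CA binds a subscriber's key under Section 35) and the reliance check that Section 26 makes possible can be modelled directly. The Go program below is an added example, not part of these notes or of anything published by the CCA; the names, serial numbers and the in-memory suspension list are constructed assumptions standing in for the Controller's published notices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Tier is one level of the chain: a key pair plus the certificate that binds its public key to a name.
type Tier struct {
	Key  ed25519.PrivateKey
	Cert *x509.Certificate
}

// newTier generates a key and has issuer certify it; nil issuer means self-signed (the Controller's root). Demo data only.
func newTier(serial int64, cn string, isCA bool, issuer *Tier) *Tier {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	parent, signer := tmpl, priv // self-signed unless an issuer vouches for this key
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &Tier{Key: priv, Cert: cert}
}

// RelyingPartyAccepts trusts a leaf only if it chains to the Controller's root through a CA not named in a Section 26 notice.
func RelyingPartyAccepts(controller *Tier, cas []*Tier, suspended map[int64]bool, leaf *Tier) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(controller.Cert)
	for _, ca := range cas {
		if !suspended[ca.Cert.SerialNumber.Int64()] {
			inters.AddCert(ca.Cert)
		}
	}
	_, err := leaf.Cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}

// Demo: does a relying party accept a licensed CA's subscriber cert, the same cert after suspension, and an unlicensed CA's cert?
func Demo() (licensedOK, suspendedOK, unlicensedOK bool) {
	controller := newTier(1, "Controller of Certifying Authorities (demo)", true, nil)
	ca := newTier(2, "Licensed CA (demo)", true, controller) // s.18(b): Controller certifies the CA's public key
	sub := newTier(3, "Subscriber (demo)", false, ca)        // s.35: the CA binds the subscriber's public key
	rogue := newTier(4, "Unlicensed CA (demo)", true, nil)   // self-certified, never licensed by the Controller
	rogueSub := newTier(5, "Subscriber via unlicensed CA (demo)", false, rogue)
	licensedOK = RelyingPartyAccepts(controller, []*Tier{ca}, nil, sub)
	suspendedOK = RelyingPartyAccepts(controller, []*Tier{ca}, map[int64]bool{2: true}, sub)
	unlicensedOK = RelyingPartyAccepts(controller, []*Tier{ca, rogue}, nil, rogueSub)
	return
}
```

Only the first check succeeds: once the issuing CA is dropped from the relying party's set of CAs in good standing, or was never certified by the Controller at all, the subscriber's certificate no longer chains to the root and carries no trust.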

Sections 27-29 - Delegation, investigation and access to data

Section 27 permits the Controller, in writing, to authorise a Deputy Controller, Assistant Controller or any officer to exercise any of the powers of the Controller under Chapter VI. This delegation power is what makes a single regulatory office workable across a national market.

Section 28 confers investigative muscle. The Controller or any officer authorised by him shall take up investigation of any contravention of the provisions of the Act, rules or regulations. For this purpose the Controller or authorised officer is vested with the same powers as are conferred on income-tax authorities under Chapter XIII of the Income-tax Act, 1961, and shall exercise such powers subject to the limitations laid down under that Act. Borrowing the income-tax enforcement toolkit gives the regulator real teeth - powers of survey, inspection and summons - without re-legislating them.

Section 29 grants access to computers and data. Without prejudice to Section 69, the Controller or a person authorised by him, if he has reasonable cause to suspect that any contravention of the Act, rules or regulations has been committed, may access any computer system, apparatus, data or any other material connected with such system, for the purpose of searching or causing a search to be made for obtaining any information or data. Sub-section (2) obliges the person in charge of the computer system to provide reasonable technical and other assistance. The deliberate cross-reference to Section 69 - the interception and decryption power - keeps the two regimes distinct: Section 29 is a regulatory inspection power, not a surveillance power.

Section 30 - Procedures the CA must follow

Section 30 sets the operational standards every licensed CA must observe. It requires every Certifying Authority to: (a) make use of hardware, software and procedures that are secure from intrusion and misuse; (b) provide a reasonable level of reliability in its services which are reasonably suited to the performance of intended functions; (c) adhere to security procedures to ensure that the secrecy and privacy of the electronic signatures are assured; and, following the 2008 Amendment, (ca) be the repository of all Electronic Signature Certificates issued under the Act; (cb) publish information regarding its practices, Electronic Signature Certificates and the current status of such certificates; and (d) observe such other standards as may be specified by regulations. Clauses (ca) and (cb) are precisely the repository functions migrated out of the omitted Section 20, decentralising the trust database to the CA that issued each certificate. A failure to maintain the standards under Section 30 is, as seen above, an independent ground for suspension or revocation under Section 25.

Sections 31-33 - Compliance, display and surrender of licence

Section 31 imposes a continuing duty: every Certifying Authority shall ensure that every person employed or otherwise engaged by it complies, in the course of such employment or engagement, with the provisions of the Act, rules, regulations and orders made thereunder. The CA cannot disclaim responsibility for the acts of its personnel.

Section 32 requires every Certifying Authority to display its licence at a conspicuous place of the premises in which it carries on its business - a simple consumer-protection signal of legitimacy.

Section 33 deals with surrender. Every Certifying Authority whose licence is suspended or revoked shall immediately surrender the licence to the Controller. A CA that fails, without reasonable cause, to surrender the licence commits an offence punishable with imprisonment which may extend to six months, or with fine up to ten thousand rupees, or with both. This is one of the few Chapter VI provisions carrying a direct penal sanction, underscoring that holding out a defunct licence is treated as a public-trust offence.

Section 34 - Disclosure

Section 34 closes the chapter with the CA's transparency obligations. Every Certifying Authority shall disclose, in the manner specified by regulations: (a) its Electronic Signature Certificate which contains the public key corresponding to the private key used by that CA to digitally sign another certificate; (b) any certification practice statement; (c) notice of the revocation or suspension of its own Certifying Authority certificate, if any; and (d) any other fact that materially and adversely affects either the reliability of an Electronic Signature Certificate which the CA has issued, or its ability to perform its services. Sub-section (2) adds that where any event has occurred or any situation has arisen which may materially and adversely affect the integrity of its system or the conditions subject to which a certificate was granted, the CA shall use reasonable efforts to notify any person likely to be affected by that occurrence, or act in accordance with the procedure specified in its certification practice statement. Disclosure is thus both ex ante (publishing the CPS) and ex post (alerting affected subscribers to a compromise).

Judicial context: how courts treat the certificate chain

Chapter VI has generated little direct litigation - the office of the CCA and the handful of licensed CAs operate largely through administrative rule-making rather than reported judgments. But the legal credibility that this chapter manufactures is repeatedly tested when electronic records reach the courtroom, and the case law illuminates why a regulated certificate chain matters.

In State of Maharashtra v. Praful B. Desai, (2003) 4 SCC 601, the Supreme Court adopted a purposive, technology-friendly reading of procedural law, holding that "presence" under Section 273 CrPC includes virtual presence by video conferencing and that evidence may be both oral and electronic. The judgment set the interpretive tone - courts will not let technological novelty defeat a statutory purpose - that animates the trust framework Chapter VI builds.

In Trimex International FZE Ltd. v. Vedanta Aluminium Ltd., (2010) 3 SCC 1, the Supreme Court held that a binding contract was concluded through an exchange of e-mails even without a formally executed document. While the case turned on contract formation rather than certification, it confirms that electronically authenticated communications carry full legal effect - the practical pay-off of a credible signature-certification regime.

On authentication of electronic records, the controlling line runs through Anvar P.V. v. P.K. Basheer, (2014) 10 SCC 473, which held the certificate under Section 65B of the Evidence Act mandatory for the admissibility of secondary electronic evidence, overruling the contrary view in State (NCT of Delhi) v. Navjot Sandhu, (2005) 11 SCC 600. After the brief detour in Shafhi Mohammad v. State of Himachal Pradesh suggesting the certificate could be dispensed with, a three-judge Bench in Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal, (2020) 7 SCC 1, restored and clarified Anvar, holding the Section 65B(4) certificate a mandatory condition precedent where the original is not produced. Although these decisions arise under the Evidence Act rather than Chapter VI, they reflect the same insistence on a verifiable, certified chain of trust that the Controller and Certifying Authorities exist to supply at source.

Exam takeaways and cross-references

For judiciary and CLAT-PG examinations, anchor the following: the Controller is appointed under Section 17 and his functions are enumerated in Section 18 (note clause (n) - the disclosure database); Section 20 was omitted by the 2008 Amendment (w.e.f. 27-10-2009); licences are governed by Sections 21 to 26, with the application fee ceiling of twenty-five thousand rupees (Section 22), the renewal fee ceiling of five thousand rupees and the forty-five-day pre-expiry renewal window (Section 23), the natural-justice safeguard in Section 24, and the ten-day suspension cap in Section 25(2). Remember that Section 28 borrows the income-tax authorities' powers for investigation, Section 29 grants access to computer systems, and Section 33 carries a penal sanction of six months or ten thousand rupees for failure to surrender a suspended or revoked licence.

To see how these licensed CAs then issue, suspend and revoke certificates, read this chapter together with the digital and electronic signatures notes and the secure electronic records and signatures framework. For the statutory vocabulary that underpins every provision above, consult the definitions chapter, and for the overall architecture of the Act, the IT Act hub.

Frequently asked questions

Who is the Controller of Certifying Authorities and under which section is the office created?

The Controller of Certifying Authorities (CCA) is the central regulator of the public-key infrastructure under the IT Act, 2000. The office is created by Section 17, which empowers the Central Government to appoint the Controller along with Deputy Controllers, Assistant Controllers and other officers. The CCA was established by the Government of India in November 2000.

What are the main functions of the Controller under Section 18?

Section 18 lists functions including supervising the activities of Certifying Authorities, certifying their public keys, laying down standards, specifying employee qualifications and conditions of business, regulating advertisements and the form of certificates, prescribing accounts and auditors, facilitating electronic systems, regulating dealings with subscribers, resolving conflicts of interest, laying down CA duties, and maintaining a public database of every CA's disclosure record.

Which provision of Chapter VI was omitted by the 2008 Amendment, and why?

Section 20, titled 'Controller to act as repository', was omitted by the Information Technology (Amendment) Act, 2008 with effect from 27 October 2009. The centralised repository function was decentralised to each licensed Certifying Authority under Section 30, as part of the shift from 'digital signature' to the technology-neutral 'electronic signature' regime.

What are the fee ceilings and timelines for a Certifying Authority licence?

Under Section 22, the application for a licence must be accompanied by a fee not exceeding twenty-five thousand rupees, along with a certification practice statement and identification procedures. Under Section 23, an application for renewal must be made at least forty-five days before expiry, accompanied by a renewal fee not exceeding five thousand rupees.

Can the Controller suspend a CA's licence without notice, and for how long?

Under Section 25(2), the Controller may suspend a licence pending completion of an enquiry where he has reasonable cause to believe a ground for revocation exists. However, the proviso bars suspension for a period exceeding ten days unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed suspension - so natural justice constrains any longer suspension.

Does Chapter VI affect how electronic evidence is proved in court?

Chapter VI creates the trusted certificate chain, but admissibility of electronic records is governed by Section 65B of the Evidence Act. In Anvar P.V. v. P.K. Basheer (2014) 10 SCC 473 the Supreme Court held the Section 65B certificate mandatory for secondary electronic evidence, overruling Navjot Sandhu (2005) 11 SCC 600; this was restored and clarified in Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal (2020) 7 SCC 1. The same insistence on a verifiable chain of trust underlies both regimes.