IT Act 2000 AMENDED 2008
Section 35
Certifying Authority to Issue Electronic Signature Certificate
THE STATUTE
Original Text
(1) Any person may make an application to the Certifying Authority for issue of a Electronic Signature Certificate in such form as may be prescribed by the Central Government.
(2) Every such application shall be accompanied by such fee not exceeding twenty-five thousand rupees as may be prescribed by the Central Government, to be paid to the Certifying Authority.
(3) Every such application shall be accompanied by a certification practice statement or where there is no such statement, a statement containing such particulars, as may be specified by regulations.
(4) On receipt of an application under sub-section (1), the Certifying Authority may, after consideration of the certification practice statement or the other statement under sub-section (3) and after making such enquiries as it may deem fit, grant the Electronic Signature Certificate or for reasons to be recorded in writing, reject the application:
Provided that no Electronic Signature Certificate shall be granted unless the Certifying Authority is satisfied that —
(a) the applicant holds the private key corresponding to the public key to be listed in the Electronic Signature Certificate;
(b) the applicant holds a private key, which is capable of creating a digital signature;
(c) the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the applicant.
Simplified
Section 35 sets out the procedure for obtaining an Electronic Signature Certificate, the credential that enables legally valid digital signing in India.
The three proviso conditions in Section 35(4) are technically precise and legally important. First, the applicant must actually hold the private key corresponding to the public key to be listed. This prevents someone from obtaining a certificate for another person's key pair, which would enable impersonation. Second, the private key must be capable of creating a valid digital signature. Third, the listed public key must verifiably authenticate those signatures.
In practice, CAs conduct identity verification through in-person appearance or Video-based Customer Identification Process (V-CIP), document verification (PAN, Aadhaar), and Proof of Address. For organisational certificates, additional business registration documents are required.
The ₹25,000 fee cap in Section 35(2) is a maximum; actual fees charged by CAs are typically ₹1,000–₹5,000 for a two-year certificate.
The requirement in Section 35(3) that a Certification Practice Statement (CPS) accompany the application ensures that the CA's published practices are the framework within which the certificate is issued: subscriber and relying party expectations are set by the CPS.
Legal Evolution
The DSC issuance process was originally entirely paper-based. CAs progressively introduced Video KYC (V-CIP) for remote certificate issuance. The shift to eSign (Section 3A) has reduced demand for traditional Class 2 DSCs significantly, but Class 3 DSCs remain essential for high-value regulatory filings. In 2021, the CCA effectively merged Class 2 into Class 3 by raising baseline verification requirements.
Key Amendments
2008 Amendment: 'Digital Signature Certificate' updated to 'Electronic Signature Certificate'.
Video KYC (V-CIP) permitted for DSC issuance without physical presence.
Class 2 DSC category merged into Class 3 by CCA notification in 2021.