Section 20

Section 20 establishes the CCA as the national repository for all Digital Signature Certificates issued in India — effectively a national public directory of digital certificates. The repository serves a critical function in the PKI trust model: any person who receives a digitally signed document can check the CCA's repository to verify whether the certificate used is genuine, whether it was actually issued by a licensed CA, and whether it is still valid (not revoked or expired). Section 20(3) is particularly important — the repository must be publicly accessible. This transparency is fundamental to PKI: the security of the system depends on anyone being able to verify any certificate independently. The hardware and software security requirements in Section 20(2) protect the repository itself from tampering — a compromised repository could be used to introduce fake certificates into the system, undermining the trust of the entire PKI. The CCA repository (accessible at cca.gov.in) publishes the Root CA certificate, all licensed CA certificates, Certificate Revocation Lists (CRLs), and disclosure records of each CA.