DSC Validity in India: Updated CCA Guidelines for 2026

Digital Signature Certificates remain the backbone of legally binding electronic transactions in India. Governed by the Information Technology Act, 2000 and regulated by the Controller of Certifying Authorities, DSCs authenticate signers, ensure document integrity, and provide non-repudiation across sectors from banking to government procurement. Yet many organisations struggle with a fundamental question: how long does a DSC remain valid, and what happens when it expires?

With the CCA releasing updated Identity Verification Guidelines (Version 2.5, February 2026) and the ongoing phase-out of Class 1 and Class 2 certificates, the DSC validity landscape has shifted significantly. Simultaneously, global developments such as the CA/Browser Forum Ballot SC-081v3 — which mandates shorter TLS certificate lifetimes progressing toward 47 days by 2029 — signal a broader industry movement toward tighter certificate validity windows. Understanding the current rules is essential for compliance teams, IT administrators, and business leaders managing digital trust infrastructure.

Understanding DSC Validity Periods Under Indian Law

Under Section 35 of the IT Act, 2000, a Digital Signature Certificate issued by a licensed Certifying Authority carries legal validity equivalent to a handwritten signature. The CCA currently permits DSCs with validity periods of one, two, or three years from the date of issuance. Organisations choose the appropriate duration based on transaction frequency, compliance requirements, and administrative convenience.

A critical nuance often misunderstood: the validity of a digital signature is assessed at the time it was affixed, not at the time of verification. If a DSC was valid when the document was signed, the signature remains legally binding even after the certificate expires. This principle protects the long-term enforceability of digitally signed contracts, regulatory filings, and government submissions.

Class 3 DSC: The Only Active Certificate Class in 2026

The CCA has completed the consolidation of certificate classes. Class 1 and Class 2 DSCs have been fully phased out, leaving Class 3 as the sole active certificate class issued in India. Class 3 DSCs provide the highest level of identity assurance, requiring rigorous identity verification before issuance.

This consolidation aligns with global best practices where higher-assurance certificates are preferred for enterprise and regulatory use cases. Organisations that previously relied on Class 1 or Class 2 certificates for lower-assurance transactions must now plan their certificate procurement around Class 3 requirements.

Updated Identity Verification Requirements

The CCA's Identity Verification Guidelines Version 2.5 (February 2026) introduced refinements to the verification process for DSC issuance. Video-based verification has largely replaced in-person verification for individual applicants, reducing issuance turnaround times while maintaining identity assurance. Utility bills used as address proof must now be no older than three months.

For enterprises issuing DSCs at scale — particularly banks, NBFCs, insurance companies, and government departments — these updated guidelines impact bulk issuance workflows. Organisations with operations spanning multiple Indian states need standardised processes that accommodate the CCA's verification requirements without creating bottlenecks.

The Global Context: Shorter Certificate Lifetimes Are Coming

While India's DSC validity periods remain at one to three years, the global PKI ecosystem is moving toward dramatically shorter certificate lifetimes. The CA/Browser Forum's Ballot SC-081v3, approved in April 2025, established a phased reduction for public TLS certificates: 200-day maximum validity from March 2026, 100 days from March 2027, and 47 days by March 2029.

Although these TLS rules do not directly govern Indian DSCs (which operate under CCA regulations rather than the CA/Browser Forum), the trend has significant implications. Enterprises managing both TLS/SSL certificates and DSCs face a convergence challenge — their certificate management infrastructure must handle dramatically different renewal cadences across certificate types. Manual tracking methods that barely work for annual DSC renewals will collapse entirely under 47-day TLS rotation schedules.

Enterprise Challenges in DSC Validity Management

Large Indian enterprises often manage thousands of DSCs across employees, authorised signatories, and server certificates. The challenges compound quickly:

• Expiry tracking across departments: Without centralised visibility, DSC expirations trigger compliance gaps, failed filings, and halted procurement workflows.
• Regulatory filing deadlines: MCA, GST, Income Tax, and SEBI filings require valid DSCs. An expired certificate at a critical deadline can result in penalties and delays.
• Employee turnover: When authorised signatories leave the organisation, their DSCs must be revoked and replacements issued promptly.
• Multi-CA environments: Organisations sourcing certificates from multiple Certifying Authorities face fragmented renewal processes and inconsistent validity periods.
• Audit readiness: Regulators including RBI, SEBI, and IRDAI expect documented certificate lifecycle management as part of IT governance frameworks.

Best Practices for Managing DSC Validity

Organisations can mitigate DSC validity risks through a structured approach to certificate lifecycle management:

Centralised Certificate Inventory

Maintain a single source of truth for all DSCs across the enterprise. This inventory should track certificate holder, issuing CA, validity dates, associated use cases, and renewal ownership. A centralised inventory eliminates shadow certificates and ensures no expiration goes unnoticed.

Automated Renewal Alerts

Configure alerts at 90-day, 60-day, and 30-day intervals before expiry. Automated notifications directed to both certificate holders and their managers prevent last-minute renewal scrambles that risk compliance gaps.

Integration with Enterprise Workflows

Link DSC lifecycle events to HR systems (for onboarding and offboarding), procurement platforms (for authorised signatory management), and compliance calendars (for regulatory filing deadlines). This integration ensures certificate management operates as part of business processes rather than as an isolated IT function.

Align with Global Certificate Strategy

For multinational organisations operating in India alongside global markets, align DSC management with the broader certificate lifecycle strategy. As TLS certificate lifetimes shrink toward 47 days globally, the infrastructure and processes built for automated certificate management will naturally extend to DSC governance.

How eMudhra Supports DSC Lifecycle Management

As India's largest CCA-licensed Certifying Authority and a globally recognised digital trust provider, eMudhra operates across the full DSC lifecycle. emCA, the enterprise CA platform, enables organisations to issue, manage, and renew DSCs at scale with full regulatory compliance. CertiNext, the certificate lifecycle management platform, provides centralised visibility, automated renewal workflows, and policy-driven governance across all certificate types — including DSCs, TLS/SSL, and code signing certificates.

For organisations navigating the convergence of India-specific DSC requirements and global certificate validity changes, this unified approach eliminates the complexity of managing separate systems for different certificate categories.

Simplify DSC Management Across Your Enterprise

Managing hundreds or thousands of DSCs across teams, locations, and regulatory deadlines requires automation. eMudhra offers enterprise-grade certificate lifecycle management through CertiNext and a CCA-licensed CA platform through emCA, helping organisations stay compliant and avoid costly certificate lapses. 
Contact eMudhra today