On March 14, 2024, the Communications Authority of Kenya (CA) and the National Computer and Cybercrimes Coordination Committee (NC4) issued a landmark Public Notice mandating that all systems designated as Critical Information Infrastructure (CII) in Kenya must adopt and only use digital certificates, digital certification, and PKI services from Electronic Certification Service Providers (E-CSPs) licensed and accredited by the CA. As a leading E-CSP in Kenya, eMudhra stands ready to help government agencies, financial institutions, telecom operators, energy utilities, and any organization classified as CII, meet this new regulatory requirement, bolster cybersecurity, and future-proof digital operations.
1. Regulatory Background
1. Role of the Communications Authority of Kenya (CA):
- Established under the Kenya Information and Communications Act (1998), the CA is the principal regulator for Kenya's ICT sector.
- Beyond overseeing telecommunications, broadcasting, postal services, and cyber security, the CA administers the Universal Service Fund (USF) and safeguards public interest in ICT services.
- Under Part VIA of the Act, the CA is mandated to implement a Root Certification Authority (RCA) as part of Kenya's National Public Key Infrastructure (NPKI) framework.
2. Electronic Certification Service Provider (E-CSP) Licensing:
- The CA must also develop and enforce a licensing framework for all E-CSPs operating in Kenya.
- Licensed and accredited E-CSPs are authorized to issue, manage, and maintain digital certificates in accordance with Kenya's NPKI specifications.
3. NC4 Directive on CII (14th March 2024):
- The NC4, formed under the Computer Misuse and Cybercrimes Act (2018), is tasked with coordinating national cyber security efforts.
- At its March 14, 2024 meeting, the NC4 determined that all systems officially designated as CII (as per Gazette Notice No. 1043) must adopt digital certificates, digital certification, and PKI services exclusively from CA-licensed E-CSPs.
- Compliance Deadline: Within six (6) months from March 14, 2024 (i.e., by September 14, 2024), all CII operators must have transitioned to certified digital-certificate usage.
2. Key Provisions of the Gazette Notice
- Establishment of a Root Certification Authority (RCA): The CA will manage Kenya's Root CA under the NPKI framework, ensuring a trusted "root of trust" for all downstream certificates.
- Mandatory E-CSP Licensing: Only E-CSPs that are both licensed and accredited by the CA may issue and manage digital certificates in Kenya. The official list of licensed E-CSPs is available via the Telecommunications Services Licensee Register on the CA's website (https://www.ca.go.ke).
- Scope of CII Systems: "Critical Information Infrastructure" includes any network, system, or asset essential to national security, public health, or economic stability, spanning sectors such as energy, finance, water, transportation, telecommunications, and government services.
- Exclusive Use Mandate: Effective immediately, all CII operators must adopt and only use digital certificates and PKI services from CA-licensed E-CSPs. Any certificates or PKI services not issued by a licensed Kenya E-CSP will not be recognized for compliance, liability protection, or secure operations.
- Implementation Timeline: CII operators have six months from the date of the notice (March 14, 2024) to fully implement and transition to certified digital-certificate usage, placing the final deadline at September 14, 2024.
3. Impact on Critical Infrastructure Sector
1. Urgency of Compliance:
Organizations designated as CII must begin or accelerate their digital certificate and PKI implementation projects immediately. Failure to comply by the September 2024 deadline could result in regulatory sanctions, service disruptions, or heightened cybersecurity risk.
2. Stronger Cybersecurity Posture:
By mandating only CA-licensed digital certificates, the Kenyan government aims to tighten the security of CII networks. Properly configured PKI reduces risks such as:
- Man-in-the-Middle attacks
- Unauthorized device or user authentication
- Data tampering or eavesdropping on critical applications
3. Operational & Financial Considerations:
- Procurement Cycles: CII operators must review existing contracts with certificate authorities (CAs), terminate or migrate away from unlicensed E-CSPs, and procure services from licensed providers.
- Technical Integration: Network infrastructure, web servers, VPN gateways, SCADA systems (for utilities), and other critical platforms must integrate trusted certificates.
- Budgeting: Organizations should factor certificate lifecycle costs (issuance, renewal, revocation, management) into their 2024–25 IT budgets.
When banks, hospitals, power utilities, and government portals rely on Kenya-licensed digital certificates, end-users benefit from increased confidence, knowing that all critical transactions and data flows are underpinned by a government-sanctioned PKI.
4. Why Digital Certificates & PKI Matter
- Authentication & Integrity: Digital certificates cryptographically bind an entity's identity (e.g., a server, user, or device) to a public key. This ensures that only authenticated, authorized entities can access or source data from critical systems.
- Confidentiality: TLS/SSL certificates enable encrypted communication channels, preventing eavesdropping on sensitive data (e.g., online banking, utility telemetry, patient records).
- Non-Repudiation & Accountability: Digitally signing transaction records and documents ensures that an entity cannot later deny having performed a specific action. This is crucial for audit trails in financial, healthcare, and energy sectors.
- Scalability & Automation: A robust PKI allows organizations to automate certificate issuance, renewal, and revocation, minimizing manual intervention, reducing human error, and ensuring continuous compliance.
As one of the first E-CSPs to secure both licensing and accreditation from the Communications Authority of Kenya, eMudhra has rapidly become a trusted partner for enterprises, government ministries, and critical infrastructure operators. Our local footprint, combined with global PKI expertise, uniquely positions us to support Kenya's digital-transformation ambitions.
- CA-Licensed & Accredited: eMudhra is on the official CA licensee register, meaning all certificates issued by eMudhra are automatically compliant with Kenya's NPKI framework and recognized by regulators.
- Comprehensive PKI Suite:
  - Managed Public Key Infrastructure (PKI-as-a-Service): Allows organizations to offload the complexities of Root CA and subordinate CA operations to our secure, cloud-hosted infrastructure.
  - Certificate Lifecycle Management (CertiNext): Automates issuance, renewal, revocation, and reports across thousands of certificates, eliminating manual certificate tracking.
  - Digital Signature & Signing Workflows (emSigner): Enables legally admissible digital signing of documents, forms, and contracts, both in the cloud and on premises.
- Local Support & On-Ground Teams: Our Kenyan offices and certified technical teams provide rapid, localized support, ensuring SLA-driven certificate issuance, dedicated account management, and integration services that align with Kenyan market nuances.
- Turnkey Integration Services: eMudhra's professional services team can configure PKI for a range of CII applications, including:
  - SSL/TLS for Web Servers, Load Balancers, and Application Gateways
  - VPN/Network Devices (router/switch firmware updates, secure device authentication)
  - SCADA & OT Encryption for energy, water utilities, and transportation systems
  - Document & Code Signing for finance, healthcare, and government e-services portals
  - Machine-to-Machine (M2M) Authentication across IoT sensors and telemetry systems
- Rapid Onboarding & Compliance Pathways: With a proven onboarding process, eMudhra can have critical-infrastructure clients fully transitioned onto a CA-trusted PKI within 2–4 weeks, ensuring ample time before the September 14, 2024 deadline.
6. How eMudhra Helps You Comply with the Gazette Notice
| Compliance Requirement | How eMudhra Addresses It |
| --- | --- |
| Use of a CA-Licensed Root & Subordinate CA | eMudhra's Root & Subordinate CAs are fully licensed and audited by the CA of Kenya. Certificates chain to Kenya's Root CA, providing government-mandated trust. |
| Exclusive Issuance of Digital Certificates | Our PKI service issues X.509 certificates for servers, devices, users, and code signing, ensuring all digital identities in CII are issued by a compliant E-CSP. |
| TLS/SSL for Public & Private Infrastructure | We provide SSL/TLS certificates (Domain Validated, Organization Validated, Extended Validation) for both public-facing websites and internal platforms. |
| End-to-End Certificate Lifecycle Management | CertiNext automates issuance, renewal, and revocation, eliminating human error and guaranteeing no expired certificates disrupt critical services. |
| IoT & M2M Device Identity Management | Our PKI-as-a-Service solution provisions device certificates for IoT sensors, SCADA components, and control systems, ensuring secure machine-to-machine communication. |
| Digital Signature & Document Workflows | emSigner enables legally enforceable digital signatures for contracts, invoices, and official documents, helping financial, healthcare, and government agencies meet e-transaction regulations. |
| Integration with Network Security Appliances | We partner with industry-leading firewall, VPN, and load-balancer vendors to ensure seamless integration of certificates for secure communications. |
| Governance & Reporting for Auditors | eMudhra's PKI dashboard provides real-time certificate inventory, audit logs, and compliance reports, simplifying regulatory audits and NC4 validations. |
| Robust SLA & Local Support | 24×7 support, rapid request turnaround times, and on-ground technical teams ensure any PKI issues are resolved immediately, maintaining uninterrupted operations. |
7. Why eMudhra Is Your Ideal PKI Partner
Proven Track Record in Kenya & Globally:
- eMudhra has already issued millions of digital certificates across telecom, banking, government, and IoT sectors, making us one of the fastest-growing E-CSPs in East Africa.
- From Root CA to subscriber certificates, our PKI-as-a-Service offering includes hardware security modules (HSMs), key archival, online validation (OCSP), Certificate Revocation Lists (CRLs), and an intuitive management portal.
- Our certified consultants handle PKI design, integration, pilot testing, and migration, minimizing disruption to your existing IT workflows.
- eMudhra's infrastructure is ISO 27001 certified and meets multiple international standards for cryptographic operations, ensuring alignment with Kenya's NPKI guidelines.
- Typical CII migration projects with eMudhra can be completed in an ideal timeframe, well within the NC4's six-month mandate, so you're never rushed or scrambling at deadline time.
- We offer tiered subscription models, pay-as-you-grow options, and enterprise licensing, allowing both large utilities and smaller CII operators to choose a plan that fits their budget without sacrificing security.
Conclusion
The March 14, 2024 Gazette Notice from Kenya's Communications Authority and NC4 represents a pivotal step toward strengthening Kenya's cybersecurity posture, particularly for Critical Information Infrastructure. By mandating exclusive use of CA-licensed digital certificates, the government is driving nationwide adoption of a robust Public Key Infrastructure, ensuring tamper-proof, encrypted, and authenticated digital transactions across vital sectors.
eMudhra, as a fully licensed and accredited E-CSP in Kenya, offers the technical depth, local presence, and global best practices required to help every CII operator achieve full compliance: quickly, cost-effectively, and with zero downtime. From managed PKI to enterprise-grade certificate lifecycle management, eMudhra's solutions empower you to meet regulatory deadlines, protect your critical assets, and foster greater trust among citizens and stakeholders.
Don't wait for the deadline to approach. Begin your PKI journey today, secure your critical systems, and embrace the next generation of digital trust with eMudhra.