Welcome to the IUDX Certificate Authority

IUDX-CA is an e-mail based certificate authority for IUDX users. The CA issues client-side certificates to access IUDX services.

To request a certificate from IUDX-CA

Step-1
Domain Whitelisting
  • IUDX-CA will only process emails from whitelisted domains.
  • Please ensure that your domain is whitelisted by the IUDX-CA.
  • If your organization has been participating in IUDX, most likely your domain is already whitelisted.
Step-2
Generate a certificate signing request (CSR)
  • Option-1: Generate manually on the command line. For example:
    openssl req -new -newkey rsa:2048 -nodes -out csr.pem -keyout private-key.pem -subj "/"

  • Option-2: Generate online. Not recommended for production use.
Step-3
Email the CSR
  • Based on the user category and the certificate class, please email the CSR to the IUDX certificate authority (CA) or your organization's IUDX sub-CA (if your organization has one).



User Categories

Send an email

FROM <your-email-id>@<your-email-domain>
TO ca at iudx.org.in
SUBJECT Certificate request RS <resource-server-name>
ATTACHMENT CSR in .pem format

NOTE: Resource Servers will receive a class-1 certificate.

Send an email

FROM <your-email-id>@<your-email-domain>
TO ca at iudx.org.in
SUBJECT Certificate request
ATTACHMENT CSR in .pem format

NOTE: Individual Consumers will receive a class-2 certificate.

Send an email

FROM data.officer.*@<your-organization-domain>
(e.g. data.officer.pune@example.com)
TO ca at iudx.org.in
SUBJECT Certificate request
ATTACHMENT CSR in .pem format

NOTE: Data officers will receive a class-3 certificate.

Send an email

FROM iudx.sub.ca@<your-organization-domain>
TO ca at iudx.org.in
SUBJECT Certificate request
ATTACHMENT CSR in .pem format

NOTE: The sub-CA will be responsible for providing certificates to their employees.

Send an email

FROM <your-email-id>@<your-organization-domain>
TO iudx.sub.ca@<your-organization-domain>
SUBJECT Certificate request
ATTACHMENT CSR in .pem format

NOTE-1: If your organization does not run a sub-CA, please send the CSR to ca at iudx.org.in instead.

NOTE-2: The certificate class will be decided by the sub-CA.

NOTE-3: The validity of the certificate cannot be more than 365 days.

Frequently Asked Questions

  • 1. Is the IUDX-CA licensed by CCA?

    No

  • 2. What are the certificate classes?

    There are 5 classes of certificates:

    • class-1: Can only be used by resource servers.
    • class-2: Can be used by a data consumer to request access to protected data.
    • class-3: Can be used by a data provider to set access control policies and create/manage catalog entries.
    • class-4: Can be used by a data consumer to request access to private data.
    • class-5: Can be used by a data consumer to request access to confidential data.

  • 3. Where to find class information in the certificate?

    You can find it in the User notice attribute (id-qt-unotice) of the Subject field. For example, Subject: CN=Individual at example.com/emailAddress=name@example.com/id-qt-unotice=class:2

  • 4. What is the format of Certificate Revocation List (CRL)?

    CRL is in the JSON format. It looks like:
    [
        {
          "issuer" : "certificate-issuer's-email-id",
          "fingerprint" : "sha1-fingerprint-of-revoked-certificate-1",
          "serial" : "serial-of-revoked-certificate-1",
          "reason" : "Reason for revocation",
          "valid-till" : "Expiry-of-the-revoked-certificate-1"
        },
        {
          "issuer" : "certificate-issuer's-email-id",
          "fingerprint" : "sha1-fingerprint-of-revoked-certificate-2",
          "serial" : "serial-of-revoked-certificate-2",
          "reason" : "Reason for revocation",
          "valid-till" : "Expiry-of-the-revoked-certificate-2"
        },
        ...
    ]

  • 5. Why is the CRL in JSON format?

    The IUDX-CA's CRL is expected to be used by IUDX servers, and is not intended for other applications.
    Hence we use a simple format to list revoked certificates.

  • 6. How do I revoke my certificate?

    Please call the /revoke-certificate POST API with reason as the header field to indicate the reason for revocation.

    Example:
    curl -XPOST https://ca.iudx.org.in/revoke-certificate --cert certificate.pem --key private-key.pem -H "reason:my-reason-to-revoke"

    Sub-CAs may also add fingerprint and serial as headers to revoke the certificates issued by them.
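
A server that consumes the JSON CRL from FAQ 4 and the class attribute from FAQ 3 could check a presented client certificate as sketched below. This is an added example, not IUDX code. The function names, the hex normalization of fingerprint and serial, and the sample values are assumptions.

```python
import hashlib
import json
import re

# Constructed stand-in for a revoked certificate's DER bytes (not a real certificate).
REVOKED_DER = b"constructed-der-bytes-of-revoked-cert"
_fp = hashlib.sha1(REVOKED_DER).hexdigest().upper()
# Constructed CRL in the JSON layout of FAQ 4; all values are made up.
SAMPLE_CRL = json.dumps([{
    "issuer": "ca@example.com",
    "fingerprint": ":".join(_fp[i:i + 2] for i in range(0, 40, 2)),
    "serial": "0A1B",
    "reason": "key compromise",
    "valid-till": "constructed-expiry",
}])

def _norm_hex(value):
    # Assumption: fingerprints and serials are hex; ignore case, ':' and leading zeros.
    return re.sub(r"[^0-9a-f]", "", value.lower()).lstrip("0")

def load_crl(text):
    entries = json.loads(text)
    if not isinstance(entries, list):
        raise ValueError("CRL must be a JSON array")
    fingerprints = {_norm_hex(e["fingerprint"]) for e in entries}
    issuer_serials = {(e["issuer"].strip().lower(), _norm_hex(e["serial"])) for e in entries}
    return fingerprints, issuer_serials

def is_revoked(crl, cert_der, issuer_email, serial):
    fingerprints, issuer_serials = crl
    fp = _norm_hex(hashlib.sha1(cert_der).hexdigest())
    # Either identifier matching is enough to reject (fail closed).
    return fp in fingerprints or (issuer_email.strip().lower(), _norm_hex(serial)) in issuer_serials

def cert_class(subject):
    # Accept exactly one id-qt-unotice component; duplicates are treated as invalid.
    notices = [p for p in subject.split("/") if p.startswith("id-qt-unotice=")]
    if len(notices) != 1:
        return None
    m = re.fullmatch(r"id-qt-unotice=class:([1-5])", notices[0])
    return int(m.group(1)) if m else None

def authorize(crl, cert_der, issuer_email, serial, subject, allowed_classes):
    # Revocation is checked first; a revoked certificate never reaches the class check.
    if is_revoked(crl, cert_der, issuer_email, serial):
        return False
    return cert_class(subject) in allowed_classes
```

In production the class should be read from the parsed certificate attribute rather than from a rendered subject string, since a CN value can itself contain "/" characters.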