emSign is a brand, a business unit of eMudhra for providing certificate services under eMudhra's own root certificates. eMudhra is a leading Certifying Authority (CA) that specializes in providing digital certificate solutions to secure online communications and transactions. With a strong reputation for trustworthiness, reliability, and security, eMudhra has become a trusted name in the field of digital certificates.

emSign is a brand and a business unit of eMudhra, providing certificate services under eMudhra's own root certificates. eMudhra, a leading Certifying Authority (CA), specializes in delivering digital certificate solutions to secure online communications and transactions. Renowned for its trustworthiness, reliability, and security, eMudhra has established itself as a trusted name in the field of digital certificates.

As a first CA from India to get globally accredited, emSign holds a unique position among a select few companies worldwide. emSign plays a critical role in fostering trust in the digital landscape by issuing digital certificates that act as electronic credentials, verifying the identity of entities engaged in online communications, such as websites, email servers, and software applications. emSign certificates are used globally by businesses, governments, and organizations to secure their online presence, protect sensitive information, and authenticate identities.

emSign offers a comprehensive range of digital certificate solutions to address diverse security needs. These include SSL/TLS certificates for securing websites with robust encryption, code signing certificates for authenticating software applications, document signing certificates for securing digital documents, and email certificates for encrypting email communication. Additionally, emSign provides managed PKI solutions for organizations requiring extensive certificate management within their complex environments. Our certificates are widely adopted with thousands of companies worldwide relying on them.

Beyond its technical expertise, emSign is recognised for its exceptional customer support. The company offers 24/7 customer assistance through various channels, including email and phone, helping customers with everything from certificate issuance to installation and beyond. emSign also provides a user-friendly certificate management platform, enabling customers to easily manage and monitor their certificates.

emSign is a Certifying Authority that has built a strong reputation for trust, reliability, and security in the digital world. Through its rigorous validation process, innovative solutions, robust security measures, and outstanding customer support, emSign plays a pivotal role in securing online communications and transactions, helping businesses and organizations establish trust in the digital realm.

• Domain Validation - Single Domain: Safeguard your website with our Domain Validation (DV) SSL certificate, delivering a secure and encrypted browsing experience for your visitors.

• Domain Validation - Single Wildcard Domain: Wildcard certificates eliminate the need to purchase separate SSL products for each subdomain. With a single wildcard certificate, you can secure unlimited subdomains saving both time and costs.

emSign is a global digital certificate provider and a business unit of eMudhra, a publicly listed, globally accredited Certifying Authority (CA) with over 16 years of expertise in operating CAs in large markets. emSign is headquartered in Salt Lake City, Utah and Bangalore, India

With offices in 10 countries and clients across 30+ nations, eMudhra delivers cutting-edge digital trust solutions to secure online communications and transactions.

Key Highlights:

1. Comprehensive Digital Certificate Offerings:

• SSL/TLS Certificates: Secure websites with robust encryption.

User can login to the CERTInext portal with Digital Certificate.

To add the certificate, navigate to My Profile > Add Certificate.

Add Certificate

Digital Certificate can be added in two ways, Upload from system or Read from Store.

• Upload: User can upload only certificates of the format .cer.

Note: Files other than .cer extension cannot be uploaded and used for authentication and login.

• Read from Store: The security certificates installed in the browser are listed and user can select and add the certificate.

Change Certificate

Users can change the certificate for login with a different one with same steps as above.

Reseller/Enterprise/Retail users can create new request under New Request. Account users can create a new request, manage requests and track expiring certificates which are going to expiry in a specific time range.

Effective key management is crucial for maintaining data security and compliance in today's digital landscape. CERTInext offers robust key management solutions tailored to various organizational needs.

To enhance account security, the platform offers the option to enable Two-Factor Authentication (2FA) via T-OTP (Time-Based One-Time Password).

Enabling 2FA

• Check the box for "Enforce 2FA via T-OTP authentication mode" in the Account Configuration settings.

• Note that enabling 2FA is optional and can be configured by the administrator based on company policy.

What Happens After Enabling

Once enabled, users will need to configure T-OTP during their first login by:

• Scanning the provided barcode .

• Entering the generated OTP.

T-OTP authentication will then apply to all users associated with the account.

This feature ensures an added layer of security for platform access.

IP Restrictions

The IP Restrictions feature enables administrators to restrict access to business data by specifying a range of authorized IP addresses. This ensures secure and controlled access to sensitive information.

Configure IP Restrictions

Select a User: Choose the user for whom the restriction will apply. Alternatively, you can apply the restriction to all users.

Enter Allowed IP Range:

• Specify the Allowed IP Start Address.

• Specify the Allowed IP End Address.

Add Description (Optional): Provide a description for the IP restriction for easy identification.

This feature enhances security by ensuring that only authorized IP addresses can access your business data.

A created IP Restriction Rule can be disabled at any time by the administrator, providing flexibility to adjust access controls as needed.

Trust is the backbone of every secure digital interaction—whether you’re making an online purchase, signing a contract electronically, or sending confidential data. In the context of Public Key Infrastructure (PKI), “trust” refers to the confidence placed in a Certificate Authority (CA) to accurately verify identities and issue digital certificates that prove the legitimacy of websites, applications, documents, and other online entities. This confidence is shared across browsers, operating systems, and software applications worldwide, ensuring that any certificate issued by a reputable CA is recognised as trustworthy.

The Role of emSign as a Global CA

As a global CA, emSign’s primary responsibility is to maintain and strengthen this trust through stringent validation processes, robust security practices, and ongoing compliance with industry standards such as the CA/Browser Forum Baseline Requirements and WebTrust/ETSI audits. When emSign issues a digital certificate, the recipient gains the advantage of a verifiable chain of trust that links the certificate back to emSign’s root certificate embedded in trusted root stores. These root stores are curated by browsers, operating systems, and device manufacturers, ensuring that any certificate stemming from emSign is automatically accepted by end users’ systems around the globe.

In an interconnected world, security underpins the trust and reliability of digital communications. Ensuring that your data, transactions, and interactions remain confidential and tamper-proof is pivotal to conducting business online. For Certificate Authorities (CAs), this means following strict protocols and safeguarding the entire certificate issuance process so that end users and organizations can operate in an environment free from the risks of fraud, impersonation, and cyberattacks.

emSign’s primary focus is to enable secure digital experiences by issuing high-assurance certificates. These certificates verify the identities of individuals, organizations, and even machines, ensuring that each entity is who it claims to be. eMudhra is committed to maintaining the highest standards of security and compliance to meet the evolving needs of our clients. We are compliant with industry-leading frameworks, which include:

• WebTrust for CAs (Certificate Authorities):

  The audit checks if the CA's operations meet the standards set forth in its Certificate Policy and Certification Practice Statement. This is crucial for ensuring the security of digital certificates, which are used for encrypting communications and verifying identities online.

Ideal for: Customers using the online platform for personal or business certificate needs.

Any customer placing orders in emSign.com is considered as Retail customer.

Retail accounts provide similar functionality to enterprise accounts, giving users access to the following:

• Portal Access: Manage certificates, domains, and organizations through a user-friendly interface.

• API Integration: Utilize REST and ACME APIs for key management.

Applicable only for SSL OV & EV Certificate orders

To download any Interim DV Certificate, navigate to the order: Go to Certificates > Orders > View order

Click on the of "Download Interim DV" which displays a a modal with all the necessary information.

In the modal, click on "Download interim DV" button to download the certificate.

CERTInext is a unified platform that is part of emSign’s offerings for seamless digital certificate management, catering to enterprises, resellers, and individuals. It simplifies certificate lifecycle management with features like issuance, renewal, discovery, and monitoring. Key highlights include:

• Certificate Management: Real-time insights, automated lifecycle handling, and pre-validation for instant issuance.

• Automation & Integration: Supports ACME automation, REST APIs, and Bots for efficient large-scale operations.

• Enterprise Features: Private PKI, role-based access, detailed reporting, and departmental management.

Reseller / Enterprise Sign up & Sign in flow

In this section

• Enterprise Sign up

• Reseller Sign up

• Multi-account Association

The Product Price List Report provides a summary view of product prices, helping users easily access and review pricing information.

Navigate to Billing & Payments > Product Price List.

Click on the Product Price List to open the page where all product prices will be displayed.

Account users can also

• Filter by Product: Use the Product filter to view prices for specific products.

To download the certificate, Navigate to the order, Certificates > Orders > View order page.

Click the "Download Certificate" button and the, certificate will be downloaded.

The Sales Summary Report provides an overview of product pricing information in a summarized format.

To view the Product Sales Summary, navigate to Reports > Sales Summary. The Product Sales Summary page will then be displayed, as illustrated below.

Users can filter the Sales Summary by selecting the "Product" option, enabling a focused view of the desired product's pricing and sales details.

By clicking the "Excel" button located in the top-right corner of the page, the Product Sales Summary Report will be downloaded in Excel format, based on the selected search criteria.

Account users can generate an API access key to use it for authentication purpose while making API calls.

RESTful services designed for scale, flexibility & ease of integration. emSign Interface-less APIs enables access to key functionalities offered on emSign product that can be consumed by your application. Our API's are built on REST and therefore interoperable with any existing web application framework that supports REST based API calls.

emSign's ACME service is meticulously crafted to simplify the automation of SSL/TLS processes, mitigating the complexity and effort associated with managing numerous certificates within an enterprise. With organizations juggling a multitude of certificates, each demanding significant time and effort, ACME proves invaluable by completely automating the essential procedures needed to oversee SSL/TLS certificates across all endpoints in your organization.

In this section

• REST APIs

• To replace the CSR, navigate to Certificates > Orders > View order

• Clicking the "Replace CSR" button will open a modal window, allowing you to upload the new CSR as shown below.

• After the CSR is updated, click the "Update" button to apply the changes.

• To Submit the CSR, navigate to Certificates > Orders > View order page.

• Clicking the "Submit CSR" button will open a modal window, allowing you to upload the CSR, as illustrated below

• After uploading the new CSR, click the “Update” button to finalize the submission.

Upon successfully running the bot, all certificates discovered by the bot will be displayed in the system for review and further action

Users can also View or Download certificates from the action buttons.

All keys created through the Key Store or Manage Key functions are displayed on the Key Report page for tracking and management purposes.

• Group Selection:

  • If multiple groups are configured by an organization, the same is available under New Certificate > New Request > For with a drop down containing the list of groups. The account user will have the option to select the desired group from this list.

• Payment Deduction:

  • Upon placing the order, the amount will be deducted from the selected group.

Templates are predefined structures or configurations used for simplifying processes such as generating certificates, configuring servers, or automating SSL/TLS settings.

Overview

The Automated Certificate Management Environment (ACME) protocol enables automated issuance, renewal, and revocation of SSL/TLS certificates, streamlining certificate lifecycle management. eMudhra’s CERTInext platform supports ACME clients to integrate with web servers, cloud services, and load balancers, ensuring secure and efficient certificate management. This article explores how to use ACME clients with CERTInext, drawing on industry-standard practices and recent advancements in automation.

Why Use ACME Clients?

ACME clients simplify certificate management by automating interactions with Certificate Authorities (CAs) like eMudhra. Benefits include:

• Automation: Eliminates manual certificate tasks, reducing errors.

• Scalability: Supports high-volume certificate deployments across diverse environments.

• Compliance: Ensures certificates meet CA/Browser Forum (CABF) requirements.

• Efficiency: Minimizes downtime with seamless renewals, critical for high-traffic systems.

Supported ACME Clients

CERTInext is compatible with popular ACME clients, including:

• Certbot: Widely used for web servers like Apache and Nginx, offering simple setup and renewal automation.

• acme.sh: A lightweight, shell-based client ideal for Linux environments and custom integrations.

• Win-ACME: Designed for Windows IIS, integrating with the Windows Certificate Store.

• Caddy: A web server with built-in ACME support for automatic HTTPS.

Setting Up an ACME Client with CERTInext

1. Install the Client: Install your chosen ACME client (e.g., sudo apt install certbot for Certbot on Ubuntu).

2. Configure CERTInext: Register with eMudhra’s ACME server via the CERTInext dashboard, obtaining an External Account Binding (EAB) key if required.

3. Issue Certificates: Run a command like certbot certonly --standalone -d example.com or acme.sh --issue -d example.com --webroot /var/www/html to request a certificate, specifying CERTInext’s ACME endpoint (e.g., ).

Best Practices

• Secure EAB Keys: Store EAB keys securely to prevent unauthorized access.

• Monitor Renewals: Use CERTInext’s dashboard to track certificate status and renewal failures.

• Test Configurations: Validate ACME workflows in a staging environment to avoid disruptions.

• Leverage HTTP-01 or DNS-01: Choose HTTP-01 for web servers or DNS-01 for wildcard certificates, depending on your needs.

Conclusion

ACME clients, combined with CERTInext, enable automated, secure, and scalable certificate management. By integrating clients like Certbot or acme.sh, organizations can streamline SSL/TLS operations.

emSign SSL Subscription plan allows you to pay for a single price for up to three years of SSL/TLS certificate coverage for DV & OV products. With a Multi-year Plan, you select the SSL/TLS certificate, desired coverage period, and certificate validity. Until the subscription plan expires, you reissue your certificate at no additional cost either through manual or Auto approval based on your selected configuration.

Step-by-Step Ordering Process

Certificates > New Request.

• To order a subscription plan, navigate to:

Choose Product & Validity

1. Choose Your SSL/TLS Product

   • Select either DV or OV product from the subscription plan.

2. Fill in the Required Details:

• For OV certificates: Provide Organization Details (e.g., Organization Name, Unit, Country).

• For both DV and OV certificates: Enter the Certificate Requestor or Organization Representative Information (e.g., Name, Email ID, Mobile Number, etc.).

1. Upload, Attach, or Skip the CSR:

• You can either upload, paste, or skip the Certificate Signing Request (CSR).

• Skipping CSR: You can submit it later using Order Quick Actions.

1. Provide Certificate Information:

Enter the SAN Name and any additional information required.

1. Additional Information (Optional):

Add Reporting Tags, Order Remarks, Technical POC details, Custom Fields, and Auto-renewal options.

1. Proceed to Payment:

Complete the payment process for your selected SSL/TLS DV or OV product.

Choose Product & Validity

• To order a subscription plan, navigate to: Certificates > New Request.

• From the Products Dropdown List, select the emSign DV /OV product.

  • In the "Subscription For" field, choose the coverage duration:

  • 1 Year, 2 Years, or 3 Years.

Subscription Plan coverage for SSL Products

Auto-Renew Certificates Until Coverage:

Enable the "Auto-renew certificates until coverage" checkbox to configure automatic renewal.

• If enabled, emSign will automatically renew the certificate based on the selected criteria.

• A successful reissuance notification email will be sent upon renewal.

• If disabled, manual reissuance will be required before the certificate expires.

You can modify the auto-renewal settings later from the Orders View page after the order ID is generated.

Managing Orders and Subscription

View Orders and Subscription Details:

• Once the order is placed, the Orders View page will display the SSL subscription details.

• You can also modify the auto-renewal configuration from this section.

Certificate Management:

• After downloading the certificate, the account user can:

• Reissue the certificate as needed.

• Add or Remove SANs based on changing requirements.

To initiate Reissue Certificate Navigate to the order by, Certificates > Orders > View order page > Reissue Certificate.

• The downloaded certificates can be Reissued by selecting the "Reissue Certificate" button is available in order quick action as shown below.

• Upon clicking "Reissue Certificate" a modal will appear with all the necessary information as shown below.

• To Reissue the certificate, the account user must provide a reason from the pre-defined options.

Certificate Signing Request (CSR)

• User can either upload the CSR file or paste the CSR or can choose to Skip the CSR as shown below.

• Upon clicking on the "Request reissue" button, the system will generate a re-issuance order ID. All re-issued certificates can be tracked as shown below.

What's Next?

Certificate requester / Organization representative will be notified with-

1. An order confirmation email

2. All the order related communications

3. Required actions specific to the product

Attested CSR can be generated using HSM via emSign Click Tool.

Step 1: Open emSign Click Tool.

Step 2: Click "Tools" from the menu. Step 3: Click "Generate CSR for HSM".

Step 4: Please follow the help section to generate your CSR.

Step 5: Proceed to enter the mandatory details and click "Generate CSR". Note: emSign Click Tool supports the below HSM Providers.

• ncipher HSMs

• Safenet Luna HSMs

• Utimaco HSMs

Step 6: Please click Copy CSR / Save CSR to save the CSR in your computer.

Step 7: Private Key stored successfully in the HSM.

Step 8: Submit the CSR to emSign via Portal / API accordingly.

User can view the key details along with the status of the keys generated. Navigate to Keys > Manage Keys

View Key History

In the Manage Keys table, under Actions, click on the View History icon.

A popup appears displaying key details such as Alias Name, Key Type, Signature Algorithm, Created By, and Key Algorithm.

Download a Key

Click the Download Key icon under Actions to download the key to your system.

Rotate a Key

Click the Rotate Key icon.

The key will be rotated, and its Alias Name will update accordingly.

Delete a Key

Select the Delete Key icon under Actions.

Confirm deletion in the popup to remove the key.

Create a New Key

Navigate to Keys> Manage Key and click on the “+” icon on the top right corner

Select either Symmetric or Asymmetric Key type from the drop down

Enter further information regarding the key to be created.

Once done, click on “Create Key Pairs” button to finish the process. The new pair gets created.

• User can manage or create new REST API under this page.

• To create a new REST API, user need to click on "Add" button, a modal will be displayed.

• Enter description & select the user for which you wanted to generate the access key, then click on "Generate Access Key" button to proceed further.

• Upon submitting the request an access key will be generated by the system as shown below.

If a reseller wants to place an order on behalf of the customer, it can be done in two ways

1. Organizations pre-verified and mapped under the reseller

Access the Pre-Verified List:

• In the Organization Details section, click the "Click here" button.

• A list of pre-verified organizations will be displayed.

• Select the appropriate organization from the list to proceed with the certificate request.

2. Organizations not mapped to the reseller

Search for External Organizations:

• If the reseller wishes to use an organization mapped to another account, click the "Search External Organization" link.

• This will prompt the user to enter the representative’s email ID.

Select External Organizations:

• After entering the representative’s email ID, a list of available organizations will be displayed.

• Select the desired organization and proceed with the certificate request.

Switching Organization Views

• If the user wants to switch back to the default organization view, click the "Switch to default view" link.

What’s Next?

1. Consent Email for External Organization:

   • Once the order is placed, a consent email will be sent to the external organization’s representative email ID.

   • The external representative must accept the organization reuse request.

2. Verification Status Update:

CA connectors (Certification Authority connectors) are software or middleware components that allow systems, applications, or services to integrate with Certification Authorities (CAs) for the management and automation of digital certificates within an organization's IT infrastructure.

CERTInext has provision to create the following CA connectors:

• emCA

• Microsoft PKI

• DigiCert

emCA

To create emCA credential, required fields are:

• Name:

• Base URL:

• By default, its Common Connector

• Username:

Fill in all the details and click on ‘Create’ button.

Microsoft PKI

To create Microsoft PKI credential, the required fields are:

• Name:

• Base URL:

• By default, its Common Connector

• CA Setup Type: Select the type as Standalone CA or Enterprise CA

Fill in all the details and click on ‘Create’ button.

DigiCert

To create DigiCert credential, the required fields are

• Name:

• DigiCert API Base URL:

• DigiCert API Key:

• Server Platform ID:

Fill in all the details and click on ‘Proceed’ button.

emSign S/MIME Mailbox Validated certificates provide "reasonable assurance" to both senders and recipients that the individual identified in the certificate has control over the associated email address.

Below are the steps to order an S/MIME - Simple - Mailbox Validated - Strict certificate.

Step-by-Step Ordering Process

1. Choose Your S/MIME Product and Validity

• Navigate to Certificates > New Request.

• From the Product Dropdown List, select S/MIME - Simple.

• Choose the validity period and click "Next" to proceed.

1. Certificate Requester Information

• Enter the following details:

• Name

• Email ID

• Mobile Number

1. Certificate Information

• Enter the Email ID for which the certificate will be issued.

• Alternatively, select "Same as Requester Email ID" to auto-fill the requester’s email ID.

• Click "Next" to proceed.

1. Certificate Signing Request (CSR)

Refer to the SSL/TLS DV Certificate Ordering Flow for CSR submission options. Users can:

• Upload or Paste the CSR.

• Skip CSR and submit it later using the Order Quick Actions feature.

1. Additional Information (Optional)

• Provide any Reporting Tags, Order Remarks, or KYC Documents if applicable.

• Custom fields may also appear here if configured by the account administrator.

1. Order Summary & Payment

• Review the order details and product information.

• Proceed with the payment for the S/MIME certificate.

• For detailed payment instructions, refer to the SSL/TLS DV Certificate Ordering Flow.

What’s Next?

• After successfully placing the order, the certificate requester will receive an Order Confirmation Email.

• The email will contain a tracking link to monitor the progress of the certificate verification and issuance process.

When a certificate is rotated, a new certificate is issued, and a corresponding new key is generated. This newly generated key is then listed on the Key Store Report page for easy reference and tracking.

• Order Placement: Upon clicking the "Submit" button on the order Summary & Payment page, the request will appear on the Orders page, with the status "Order Pending for Approval".

• Administrator Action: Once the order is listed, the administrator can either approve or reject the request from the Orders page, as shown below.

• Rejecting an Order:

  • Upon clicking the "Reject" button, the reason for rejection must be entered in the rejection field.

  • Click on “Reject” to finalize the rejection.

• Approving an Order:

  • Upon clicking the "Approve" button, the system navigates to New Request > Order Summary & Payment Page

  • The account user must click "Pay now" to submit the request and generate the Order ID.

• Order Completion: Once the payment is successful, the system redirects to the orders page with all the necessary information and associated Order actions as shown below.

Administrator approval is required only when the order is placed by a Standard User or Basic User places an order.

• If the reseller wants to place an order on behalf of the Enterprise account an option is available at the new request level.

• If the reseller checks that check box, all the Enterprise accounts will be displayed which are been part of the parent reseller account.

• Upon selecting the account reseller can place an order & amount will be deducted from the default group of the Enterprise account.

Important Note:

• This option will be available only for parent reseller accounts.

Additional Information

This section is optional. Here, the account user can:

• Add Reporting Tags

• Provide Order Remarks

• Enter Technical Point of Contact (POC) details (if required)

Additional Email Recipients for Notifications

• A new option, "Additional Email Recipients," is available for notification purposes.

• To include additional recipients, enable the "Additional Email Recipients" checkbox and enter the corresponding email IDs.

• Note:

Additional email recipients will receive the following notifications:

• Order Confirmation, Revocation, and Renewal Reminder Notifications (excluding specific verification-related notifications).

• Order Successful / Tracking Link Email Notifications

• CSR-Related Email Notifications

• Certificate Download Email Notifications

Updating Additional Email Recipients

• Additional Email Recipients can be edited after the order has been generated via the Orders View Page.

• For all future notifications, the updated recipients will receive relevant emails accordingly.

• Click "Next" to proceed.

To Key Profiles, Go to menu > Keys > Keys store, add Key Store File, Key Store Password

On this page, you can create and manage reporting tags that help categorize and filter certificates, orders, and other records. Use these tags to generate more specific reports and gain insights into particular aspects of your business. Example: If you're tracking certificates by department, you could create tags like "Finance," "HR," and "IT" to quickly filter and report on certificates that belong to these departments.

Create a Reporting Tag

Click on “+” button on the right-side top corner to create a New Tag.

Enter the Tag Name and Tag Value.

Click on Save button to complete the process.

Mozilla’s Root Store Policy v3.0 reinforces a crucial aspect of Certificate Authority operations: being prepared for mass certificate revocation. While such events are rare, the scale of potential disruption means that both CAs and relying parties need clear strategies for continuity. At emSign CA, operated by eMudhra, we see this as a chance not only to comply with requirements but to strengthen the trust fabric of the internet.

Why This Matters

Revocation events—whether triggered by a systemic vulnerability, mis-issuance, or key compromise—can invalidate thousands of certificates in a short span. If not managed effectively, this may cause service outages, broken user experiences, and diminished confidence in secure communications. Preparedness ensures that organizations remain resilient when digital trust is most at risk.

CERTInext platform provides seamless access to wide range of features designed to streamline certificate management and enhance digital security. Access CERTInext portal

• Dashboard: Gain real-time insights through comprehensive dashboard, offering key statistics such as account status, pending domain and organization approvals, certificate status, and expiring certificates. The dashboard also provides detailed reports on bot performance, endpoint security, and key management statistics, all displayed through intuitive charts.

• Certificates: Manage your SSL/TLS certificates, request new ones, and monitor expiration dates to ensure continuous protection.

Certificate Expiry Message

Administrators can configure a certificate renewal message to be displayed for all certificate orders. Follow these steps:

• Navigate to Settings > Account Configuration.

• Enter the desired message under 'Account-wide certificate renewal message'.

The “Renew Certificate” button will be available 60 days before the certificate expiry.

• To renew certificate, Navigate to the order, Certificates > Orders > View order page.

• Click "Renew Certificate" button and the system will navigate to the New Request page to initiate the renewal process.

• To initiate Add/remove SANs, Navigate to the order Certificates > Orders > View order page > Add/Remove SANs.

• The downloaded certificates can have SANs added or removed by clicking the"Add / Remove SANs" button available under Order Quick Action as shown below.

• Clicking "Add/Remove SANs" will display a modal with all the necessary information as shown below.

User can manage or create new ACME API under this page.

• To create a new ACME API, user need to click on "Add" button, a modal will be displayed.

• Enter description, user, select the group for which you wanted to generate the key ID & Mac Key, select the product, add tags (optional), then click on "Generate EAB Credentials" button to proceed further

• To revoke an issued certificate, Navigate to the order, Certificates > Orders > View order page.

  • To revoke a downloaded certificate, click the "Revoke Certificate" button under Order Action.

  • On click of "Revoke Certificate" a modal will appears shown below.

To create a new custom private product, go to Certificates> Products. By default, both public & private tabs will be displayed.

• Private: Displays a list of default private PKI products along with private products created by the account user.

• Public: Displays all the default emSign public products mapped to the account.

Note: Account users won’t have a provision to add the new public product.

Creating a New Private PKI Product

Purpose of Custom Fields:

• This form allows you to specify or enter values for each active custom field available in your emSign account.

• These custom fields will be displayed under the Additional Information section of the order form.

Administrator-Enforced Fields:

• This tool is used to download the certificate in a soft Token (or) USB Token.

• The eMudhra emSign Click Tool can be downloaded in this Page - This tool can be downloaded in Windows 7, Ubuntu, MAC operating systems.

• Click the Download button provided or copy the link and paste it in the address bar to use the tool and generate the certificate as shown below.

The tool gets downloaded in the system. Upon clicking the tool will be displayed in a modal.

The Statement page provides a detailed view of your financial transactions within emSign, displaying credits, debits, and outstanding balances. This page helps you monitor your account’s financial health and keep track of all payments to ensure they are current.

Users can view ledger statements for both main and sub-accounts, with a full display of credit, debit, and current balance. The page also allows-

Search and Filter

• Click on the Search button to access the Group Name filter.

• Use this filter to display data specific to a particular group.

The Invoices page provides a comprehensive list of all generated invoices for your certificate orders and services. From this page, you can download, review, and pay invoices, making it easy to track your organization's billing and payments.

CERTInext support monthly generation of invoices for certificate services, tracking usage, and subscription charges over the course of the month. This feature is based on permission provided in emSign backoffice.

Download Invoice

Via the Certificates Section

• Navigate to Certificates > Orders.

The Orders Report provides a comprehensive view of all order-related information across your account. To access the Orders Report, navigate to Reports > Orders Report.

Upon selecting Orders Report, the page will display a detailed list of all orders, including data from your account as well as any associated sub-accounts. This report ensures that all order data is easily accessible for tracking and analysis.

Filtering and Exporting Order Data

Users can filter data by selecting the "Order ID" option to refine search results effectively.

Here we can see the Overall Statistics of the system

Endpoints

• Scanned Endpoints - No. of scanned Certificates scanned from Bot

• Protected Endpoints- Number of Endpoints protected with a certificate

• Unprotected Endpoints- Number of Endpoints not protected with a certificate

This page is used to create and manage CSR (Certificate Signing Request) templates. Enter the required details like signature algorithms and key sizes and configure the subject DN details to simplify the CSR generation process for your organization.

Create CSR Templates

Step 1:

• To create custom CSR template, unique Template name to be provided.

• The Signature Algorithm, Key Algorithm, Key Size to be selected from the dropdown list.

Step 2:

The eMudhra Certificate Utility Tool is designed to simplify certificate-related processes, such as generating CSRs (Certificate Signing Requests), importing, and exporting certificates in various formats.

CSR Generation

Download the eMudhra Certificate Utility Tool from this page by clicking the "Download" button or copying the link into your browser's address bar.

After downloading, open the tool to access the CSR Generator section.

Enter the required details:

• Common Name

To streamline approval processes, the EV Request Approvals feature is accessible within the CERTInext platform under:

Organizations > EV Request Approvals.

This feature simplifies the approval workflow by allowing in-platform approvals, complementing email notifications. The Certificate Approver must be an authorized user within their enterprise account to access and approve EV certificate requests.

• To View the SSL EV Certificate request, Organizations > EV Request Approvals. This helps to simplify approval processes with our new in-platform approval feature, complementing email notifications. To access this feature, Certificate Approver should be an account user within their enterprise account.

• Certificate approver can use the “Order ID” filter to quickly locate specific EV certificate requests.

The Manage Schedules section provides a consolidated view of all scheduled, executed, and disabled tasks.

Scheduled Tasks: All active schedules are displayed in the list.

Executed Schedules:

If a certificate schedule has been executed, the corresponding details are displayed in this section.

Executed schedules cannot be disabled.

Disabled Schedules:

If a certificate has not been executed, the schedule can be disabled by the user.

Create Schedule

Users can create and execute schedules for managing certificates. Navigate to

Unlike Domain Validated (DV) certificates, OV certificates require the certificate request to undergo organization verification process to confirm the identity and legitimacy of their organization.

• Validation Process: Validation of the organization's identity, including legal registration and domain ownership.

• Issuance Time: Longer issuance time compared to DV, but shorter than EV. Typically, issuance in Hours. For exceptional cases, issuance would take 1-5 Business days.

Process Involved:

Add Credits

emSign CERTInext offers two modes of payment to add credits: Online Payment & Offline Payment.

To add credits to your account, navigate to Billing & Payments> Add Credits.

Online Payment

Upon selecting online Payment, the current account balance is displayed at the top.

• Enter the Amount to be credited, then click the Pay button

The Audit Logs page provides a detailed activity list, displaying information such as module activity, timestamps, and usernames for all account activities.

By default, the last 10 audit logs are displayed for quick reference.

Comprehensive activity tracking ensures accountability and transparency.

Consent management refers to the process of obtaining, recording, and managing user consent for data collection, processing, and sharing activities. It's especially relevant in the context of privacy regulations like the GDPR (General Data Protection Regulation) in the EU, CCPA (California Consumer Privacy Act) in California, and similar laws in other regions.

Scan URL: Scanning URLs involves analyzing a website's pages to detect and assess its data collection practices. This helps identify cookies, trackers, and other methods of collecting personal information.

Create Cookies with Category and Type: When setting up cookies on a website, classify them into categories based on their function.

Create and Manage Consent Banners: Consent banners are pop-ups or notifications displayed on websites to inform users about data collection practices and ask for their consent. Users can provide options to accept or manage cookie preferences and also have the option to reject cookies or customize their choices. Consent banners can be customizable to suit different regions and laws.

DSAR (Data Subject Access Request): A Data Subject Access Request (DSAR) is a formal request made by an individual (the "data subject") under privacy laws like the GDPR (General Data Protection Regulation) or CCPA (California Consumer Privacy Act), allowing them to request information about the personal data an organization holds on them. This is part of an individual’s right to transparency and control over their personal data.

Partner Accounts

Ideal for: SSL providers, web hosting companies, cloud service providers, and other resellers of digital certificates.

Partner accounts offer comprehensive access to the CERTInext portal, enabling resellers to efficiently manage their operations and sub-accounts. Key features include:

• Group Management: Add, manage, edit, and allocate funds to groups.

• User Management: Add, manage, invite, and approve users and user invitations.

• Organization & Domain Management: Manage organizations, domain settings, and pre-approve pending orders from sub-accounts.

• Sub-Account Management: Create and manage sub-accounts, set customized price lists for sub-accounts, and monitor activities.

• Certificate Management: Issue, renew, and manage public and private certificates; monitor expiring certificates; and generate API keys for REST and ACME integrations.

• Finance and Billing: Allocate funds, manage account finances, and access audit logs.

• Product Customization: Develop customized products and create public/private CAs for tailored certificate solutions.

• Tools & Reports: Access detailed reports, tools, and notifications regarding groups and self-orders for enhanced operational efficiency.

• Notifications: Receive alerts on pending self-orders and other group-related activities.

• Profile and Billing Management: Update profile information, manage billing details, and access account settings.

Navigating to the Sign-Up Page: Open the URL and click on button

Upon clicking the "Sign Up" link on the home screen, users will be redirected to the "Sign up as a Partner" page.

Entering User Information:

The user must provide the following details:

• Your Name

• Your Email ID

• Mobile Number

• Organization Name

Accepting Terms and Conditions:

• Users must accept the terms and conditions by selecting the checkbox.

• Click the "Sign Up" button to proceed.

Account Approval Process:

• After submitting the sign-up form, the partner account will undergo an approval process by emSign.

Account Confirmation Notification:

• Upon submission, an account confirmation email will be sent to the user, containing relevant information about the registration and next steps.

Account Activation Process:

• Once the reseller account is approved, an account activation email will be sent to the registered email ID.

Activating the Account:

• Users must click the activation link in the email to access the "Activate Your Account" page.

Setting a Password:

• On the "Activate Your Account" page, users will be prompted to create a password according to the provided instructions.

Password Generation and Update:

• After entering the password, click the "Generate Password" button to finalize the process.

• The password will be updated, and the partner account will be activated and ready for use.

Procedure for installing Certificate in HSM

• This tool is used to download the certificate in a soft Token (or) USB Token.

• The eMudhra emSign Click Tool can be downloaded in this Page.

• This tool can be downloaded in Windows 7, Ubuntu, MAC operating systems.

• Click the Download button provided or copy the link and paste it in the address bar to use the tool and generate the certificate as shown below.

• The tool gets downloaded in the system. Upon clicking the tool will be displayed in a modal.

Step: 1 (Open emSign Click Tool)

Step: 2 (Please enter "Order ID" and its associated "Download PIN". Click on "Confirm") Note: Once the certificate is ready for download, Download PIN will be shared to the respective certificate requester's Email ID.

Step: 3 (Certificate Requester will be redirected to "Download" tab as shown below) For an example, Select "Utimaco HSMs" from the dropdown list of Cryptographic Service Provider

Step: 4 (On click of "Agree & Download", system will prompt to provide "Library Path", "Slot ID" and "Normal User Pin" associated with the selected HSM provider for certificate download.)

Step: 5 (Login to your HSM service provider. In your HSM provider application, Slot management / Configuration setup should be made as shown below.)

Step: 6 (Initiate HSM services as shown below.)

Step: 7 (Once the HSM services are successfully initialized, detailed information (Status, etc.) can be viewed as shown below.)

Step: 8 (Certificate will be downloaded successfully as shown below.)

Step: 9 (Certificate installed successfully in HSM )

Key profiles refer to the specifications and attributes associated with cryptographic keys used in SSL/TLS certificates. They help determine how keys are generated, managed, and utilized in various security protocols.

To create Key Profiles, Navigate to Keys > Key Profiles

Create a key profile

To create a new Key profile, click on "+" icon. Screen will navigate to the create key profile screen as shown below.

Create a HSM Key Profile

To create a Key profile for HSM, enter the following details

• Profile Name

• Select Profile Type as HSM from the dropdown

• HSM Configuration Type

• HSM configuration by importing file

Click on Save button to complete the process.

Create a PCKS12 Key profile

To create a PKCS12 Key profile, enter the following details

• Profile Name

• Profile Type- Select PKCS 12 from the drop down

• Select Configuration-

  • Select Import to load PKCS 12 configuration from an existing file

Click Save to generate the Key profile

Disable a key profile

To disable a Key Profile, Navigate to Keys > Key Profiles

All the active Key Profiles will be displayed, and the User can Disable the key Profile from the Action buttons

A pop-up is displayed asking the User to confirm

Edit the HSM password in key profiles

To edit HSM password on an existing Key profile, Navigate to Keys> Manage Keys

Click on Edit from the action buttons which displays a modal allowing users to edit the password.

Users can view or edit existing requests on the Orders page. By default, the last 10 request/orders are displayed, as shown below.

By clicking 'Advanced Search,' the account user can further filter requests using criteria such as:

• Date Range

• Domain Name

The Domains Management section is designed to provide a centralized platform for managing all domains, monitoring their status, and handling Domain Control Validation (DCV) processes to ensure streamlined and secure domain verification.

Benefits of Domains Management

Enhanced Control and Visibility:

• Enhanced Control and Visibility:

Organizations Management Overview

The Organizations Management section serves as the central hub for monitoring, managing, and maintaining information related to all organizations created within the system. It not only lists organizations with their statuses but also provides tools to update information, track key representatives, and manage approval workflows such as Extended Validation (EV) requests.

This section ensures seamless governance by enabling administrators to keep organization records accurate and updated, making it easier to oversee operations and compliance.

Features and Functionalities of Organizations Management

Comprehensive Organization Listing

A root store is a repository of trusted root certificates used by operating systems, browsers, and other software applications to verify the authenticity of digital certificates. When a Certificate Authority (CA) is included in these root stores, any certificate they issue will be trusted by default on devices and browsers that use those stores. This is a cornerstone of Public Key Infrastructure (PKI), as it ensures that users and organizations can confidently navigate the internet, knowing that their digital connections and documents are backed by verified credentials.

As a global CA, emSign maintains its presence in multiple widely used root stores, ensuring that digital certificates issued by emSign are recognized and trusted by billions of devices worldwide. Below is an overview of emSign’s current root store inclusions and the significance of each program.

Major Root Store Programs

1. Microsoft Trusted Root Program

Enterprise Accounts

Ideal for: Large organizations and enterprises managing their own certificate infrastructure.

Enterprise accounts provide many of the same capabilities as reseller accounts, with a few limitations to align with internal enterprise needs. Key features include:

• Full Portal Access: Manage certificates, users, domains, and organizations directly through the portal.

• Group and Fund Management: Create, edit, and manage groups, and allocate funds to streamline operations.

This page is used to create configuration templates for certificates. These templates define the necessary attributes and settings for certificate generation, such as the CSR template, key pair types, and deployment methods.

Create provisioning templates

Step 1:

• In Certificate Information tab, enter the unique Template Name.

• Select the Origin of the Certificate configuration from the dropdown menu.

Unlike Domain Validated (DV) & Organization Validated (OV) certificates, EV certificates requires a more extensive validation process than that of Domain Validation and Organization Validation SSL certificates to confirm the identity and legitimacy of the organization that owns and operates the website

• Validation Process: Rigorous validation process including legal identity, physical presence, operational existence, and domain ownership verification.

• Issuance Time: Longer issuance time due to the rigorous validation process. Typically, issuance would take 1-5 Business days.

Process Involved:

Multifactor Authentication and Single Sign On

Role-based access control

The emSign CERTInext platform offers six roles, each designed to address specific responsibilities and access requirements within the system:

• Administrator

• Manager

• Finance Manager

• Standard User

• Basic User

• Discovery User

Administrator

The Administrator role provides full access to the platform, enabling comprehensive management of users, groups, organizations, and financial operations. This role is intended for system overseers responsible for administrative and operational tasks.

Key Access Controls

Full portal access, including the Dashboard.

Manage:

• Certificates (requests, orders, expiring certificates).

• Organizations, domains, groups, and users.

• Private and public Certificate Authorities (CAs) and products.

• Sub-accounts and price lists for sub-accounts.

Access to:

• REST and ACME APIs.

• Financial features.

• Audit logs and tools.

• Reports and account settings.

Create user invitations and assign roles.

Manager

The Manager role focuses on overseeing groups, users, and orders while managing sub-accounts and associated group features. This role excludes full administrative and financial permissions.

Key Access Controls

Dashboard access (billing alerts, low credit alerts, and self-orders tracking).

Manage:

• Organizations and domains.

• Groups (including credit allocation) and users.

• Private and public CAs and products.

• Sub-accounts and price lists for sub-accounts.

Access to:

• REST and ACME APIs.

• Financial features.

• Audit logs, reports, and tools.

Finance Manager

The Finance Manager role is tailored for managing financial operations, such as fund allocation, price lists, and finance-related features, without broader administrative control.

Key Access Controls

Dashboard access (billing alerts and self-orders tracking).

Manage:

• Groups (credit allocation) and users.

• Sub-accounts and price lists for sub-accounts.

• Private and public CAs and products.

Access to:

• REST and ACME APIs.

• Financial features.

• Audit logs, reports, and tools.

Standard User

The Standard User role allows for requesting certificates and accessing group orders. It includes broader access than the Basic User but lacks administrative permissions.

Key Access Controls

Dashboard access (billing alerts and self-orders tracking).

Manage:

• Private and public CAs.

Access to:

• REST and ACME APIs.

• Reports, tools, and profile settings.

Basic User

The Basic User role provides minimal permissions, focusing on personal tasks such as requesting certificates and managing profile information.

Key Access Controls

Dashboard access (billing alerts and self-orders tracking).

Access to:

• REST and ACME APIs.

• Reports, tools, and profile settings.

Discovery User

The Discovery User role is dedicated to users responsible for certificate discovery operations. This includes tasks such as key management, key store handling, and accessing discovery-related features.

Sub Account User

Sub Account User role is dedicated only to the Partners. Partner can create a user role as Sub Account User and assign them to a group.

Custom Roles

To create a Custom Role, go to Settings > Users> Custom Roles

The Custom Roles module offers administrators the ability to create highly customized user roles with detailed permission controls.

Key Features:

• Administrators can create user roles instead of using generic roles, they can design roles based on tasks, departments, or job functions.

• Granular Permission Control: administrators to define permissions at a very granular level. This includes controlling who can access particular features, data, and actions within the CERTInext platform.

• User Mapping: Administrators can assign users to the roles they create, mapping specific users to the appropriate role with the corresponding permissions.

Follow these steps to place an order for a DV SSL/TLS certificate through the CERTInext portal. The same process applies for DV Multi-domain (UCC), Wildcard, and Wildcard-UCC products.

Step-by-Step Certificate Ordering Process

1. Choose Product & Validity

• Select the product from the Product Dropdown List: Options include emSign SSL/TLS - DV, DV Wildcard, DV-UCC, or DV Wildcard-UCC.

• If a UCC product is selected, enter the number of domains to see the order value in real-time.

• All emSign SSL/TLS certificates are valid for 1 year by default.

• Click "Next" to proceed.

1. Certificate Requester Information

Enter the following details for the certificate requester to ensure all notifications are sent to the correct person:

• Requester Name

• Requester Email ID

• Mobile Number

• Designation

1. Upload or Paste Certificate Signing Request (CSR)

You can provide the CSR in either of the following ways:

• Upload CSR file.

• Paste CSR directly into the designated field.

• Note: The CSR helps auto-populate the Domain Name under the certificate details section. If skipped, the SAN (Subject Alternative Name) field will not be auto filled.

• You can also skip this step by selecting "Skip CSR

1. Certificate Details

• The Domain Name is auto populated based on the uploaded CSR.

• If no CSR is provided, or if additional domains are needed:

• Enter the domain name manually.

• Pre-verified domains associated with the selected group will appear in the dropdown list.

1. Additional Information (Optional)

• Reporting Tags: Add tags to map the request for easier tracking and filtering.

• Click "Add Tag" to provide the Tag Name and Tag Value, then click "Save" to proceed.

• Order Remarks: Add any relevant remarks for internal tracking.

1. Order Summary & Payment

• Review the product information, certificate details, and payment summary.

• The Payment Group from which funds will be deducted will be indicated.

• Account Balance: Displays the current balance alongside the total order value.

• For USD Payments: GST is not applicable.

1. Post-Order Actions

Edit Custom Fields:

• Custom fields associated with the order can be edited after the order is generated.

Update Additional Email Recipients:

• Add or modify additional email recipients even after the order is placed to ensure they receive important notifications

What’s Next?

• Upon successful order placement, the certificate requester will receive an Order Confirmation Email with a tracking link.

• Use the tracking link to monitor the certificate verification process step-by-step.

• Once the certificate is verified and issued, the requester can download and deploy it accordingly.

The emSign CERTInext platform allows you to incorporate custom fields in your certificate order form, streamlining record-keeping and enhancing order management efficiency.

Key Features

• Default Setting: The Custom Fields feature is turned off by default. To enable this feature for your account, please contact your account manager.

• Access for Administrators: Once enabled, the Custom Order Fields menu option becomes available under Settings > Custom Fields for Administrator users.

• Account-Specific Customization: These custom fields are unique and specific to your account.

Use Cases

Enterprises often require additional custom fields to capture specific information relevant to their operations. Below are some common examples:

• Project Codes: Record internal project codes in the order form to automatically associate them with the order.

• Cost Centre/Business Unit: Capture cost centre or department names (e.g., Technology) to link orders to specific business units.

• Internal Notes: Add internal request numbers, comments for order fulfillment, or special handling instructions.

• Owner/Sponsor Email ID:

By leveraging custom fields, enterprises can tailor the certificate ordering process to their unique needs, improving operational efficiency and ensuring better record management.

Adding a custom field

Follow the steps below to add a new custom field to your emSign account:

Access the Add Custom Field Option: Click on the "Add Custom Field (+)" option. The 'Add Custom Field' pop-up window will appear, as shown below.

Enter Field Details:

• Field/Label Name: Provide a name for the custom field.

• Field Description: Add a description to display as help text for the custom field (optional).

• Input Type: Select the input type from the drop-down menu. The subsequent required fields will depend on the selected input type.

Input Type Configurations:

• Text Box:

  • Max. Length: Specify the maximum allowed characters for the text field.

  • Field Specification: Choose from Alphabets, Integers, or Special Characters.

  • Field Presence: Mark the field as Optional or Mandatory.

Click on "Add Field" to save and add the custom field to your account.

View Custom Field

Click on the 'View' hyperlink in the grid to open the Custom Field Details page. On the Custom Field View page, Account Administrators can:

• Edit: Modify the custom field details as needed.

• Deactivate: Disable the custom field. Once deactivated, the field will no longer appear in the order forms.

An Intranet SSL certificate functions similarly to SSL certificates issued by public authorities but is specifically designed for private networks or internal sites. It secures data exchanges within private environments by encrypting the communication between client devices and server over HTTPS. This encryption ensures that even if unauthorized parties attempt to intercept the data, they cannot decipher it, safeguarding sensitive information and passwords exchanged within the internal network.

Key Features of Intranet SSL Certificates

Technical Specifications & Installation:

• Intranet SSL certificates share the same technical specifications and installation procedures as public SSL certificates. However, their usage differs.

Compliance with CA/B Forum Regulations:

emSign SSL DV Validation Process is simple & fully automated.

• Validation Process: Validation of domain ownership to prove control over the domain.

• Issuance Time: Shorter issuance time. Issuance in minutes.

Process Involved:

Follow these steps to place an order for an EV SSL/TLS certificate. The same process applies to EV Multi-domain (UCC) products.

Step-by-Step Certificate Ordering Process

1. Choose Product & Validity

Follow these steps to order an IGTF certificate using the external DNS type option through the emSign CERTInext

Step-by-Step Certificate Ordering Process

1. Choose Product & Validity

• Navigate to the Private PKI Product section.