Certificate Management

Full reference for reading, selecting, validating, and exporting DSC certificates.

All features supported

Every certificate management capability listed below is implemented and working in SecureSign Mobile App and Desktop Software. Chain validation, CRL, and OCSP checks run automatically before signing.

Overview

SecureSign reads X.509 certificates from the connected DSC token, validates the chain against CCA India root CAs, checks expiry and revocation (CRL/OCSP), and returns structured CertificateInfo in API responses.

Users select a certificate in the product UI when multiple are present.
Portals can pre-select via certSerial on sign requests.
Public certificates can be exported as PEM for server-side validation.

Platform Support

Feature	Mobile App	Desktop Software	REST API
Read Certificate	Sign callback	GET /certificates	GET /certificates
Read All Certificates	Product UI	GET /certificates	GET /certificates
Certificate Selection	`certSerial` filter	`certSerial` param	`certSerial` param
View Certificate Details	CertificateInfo	GET /certificates/{serial}	GET /certificates/{serial}
Chain Validation	Built-in	Built-in	POST /certificates/validate
Expiry Check	`validTo`	`validTo`	validate response
CRL Check	Validation engine	Validation engine	POST /certificates/validate
OCSP Validation	Validation engine	Validation engine	POST /certificates/validate
Export Public Certificate	`certificatePem`	GET /certificates/{serial}	GET /certificates/{serial}
Certificate Search	Product UI	Query params	GET /certificates?subject=
Alias Management	Product UI	Product UI	—

CertificateInfo Model

Field	Type	Description
`subject`	string	Full DN (e.g. `CN=Rajesh Kumar,O=Example Pvt Ltd`)
`subjectCommonName`	string	CN extracted from subject
`issuer`	string	Issuing CA DN
`issuerCN`	string	Issuing CA common name
`serialNumber`	string	Certificate serial (hex)
`validFrom`	string	ISO 8601 not-before
`validTo`	string	ISO 8601 not-after
`dscIssuer`	string	Resolved CA vendor (e.g. `eMudhra`)
`keyUsage`	string[]	`digitalSignature`, `nonRepudiation`, etc.
`certificatePem`	string	PEM-encoded public certificate
`alias`	string	Token slot alias (when available)

Supported Certifying Authorities (India)

Certificates must be issued by a CCA-licensed Certifying Authority. Supported CAs: eMudhra, Capricorn, (n)Code Solutions, GNFC, VSign, IDSign, SignX, Pantasign, XtraTrust, SafeScrypt, CDSL Ventures, ProDigiSign, Care4Sign, CSC, and NIC (government entities only).

See the full vendor table on Device & Token — Supported DSC Vendors.

Validation

POST /certificates/validate performs chain, expiry, CRL, and OCSP checks:

Field	Type	Required	Description
`certificatePem`	string	Yes	PEM-encoded certificate to validate
`checkRevocation`	boolean	No	Run CRL/OCSP checks (default `true`)
`checkChain`	boolean	No	Validate to CCA root (default `true`)

Examples

const params = new URLSearchParams({
  requestId: crypto.randomUUID(),
  hashBase64: sha256Base64,
  hashAlgo: 'SHA256',
  documentType: 'hash',
  callbackUrl: 'https://portal.example.gov.in/sign/callback',
  apiKey: 'ss_live_abc123xyz'
});
window.location.href = `securesign://sign?${params}`;
// Certificate list shown in Mobile App / Desktop Software UI; metadata returned in callback

curl -X POST https://api.securesign.toolsbots.com/v1/certificates/validate \
  -H 'Authorization: Bearer ss_live_abc123xyz' \
  -H 'Content-Type: application/json' \
  -d '{"certificatePem":"-----BEGIN CERTIFICATE-----\n...","checkRevocation":true}'

Sign with certificate selection

securesign://sign?requestId=...&amp;hashBase64=...
{
  "hashBase64": "qT6d3x8K...",
  "hashAlgo": "SHA256",
  "certSerial": "4A3B2C1D"
}

Response

GET /certificates

[{"subjectCN":"Rajesh Kumar","issuerCN":"eMudhra Sub CA","serialNumber":"4A3B2C1D","validFrom":"2025-01-01T00:00:00Z","validTo":"2027-01-01T00:00:00Z","dscIssuer":"eMudhra","keyUsage":["digitalSignature","nonRepudiation"]}]

POST /certificates/validate

{"valid":true,"chainValid":true,"notExpired":true,"revocationStatus":"good","ocspValid":true,"dscIssuer":"eMudhra"}

Errors

Code	Cause	Resolution
`SS_CERT_EXPIRED`	Certificate past `validTo`	Renew DSC with issuing CA
`SS_CERT_REVOKED`	CRL or OCSP reports revoked	Contact CA; obtain new certificate
`SS_CERT_CHAIN_INVALID`	Chain does not reach CCA root	Verify token is from a supported CA
`SS_CERT_NOT_FOUND`	`certSerial` not on token	Check serial; let user select in UI
`SS_TOKEN_NOT_FOUND`	No token connected	Insert DSC token