In the digital trust ecosystem, the uninterrupted functioning of a Certifying Authority (CA) is essential to maintain confidence in electronic transactions and digital signatures. Each service operated by a CA—from certificate issuance to real-time status verification—plays a distinct role in ensuring the authenticity, integrity, and non-repudiation of digital communications.
This post highlights the most critical services of a Certifying Authority and outlines their priority, Recovery Time Objective (RTO), and Recovery Point Objective (RPO) requirements. By understanding which services demand the highest availability and the shortest recovery time, CAs can design resilient infrastructures and effective disaster recovery plans that align with Controller of Certifying Authorities (CCA) compliance and business continuity expectations.
| SN | Service Area | Criticality | RTO | RPO |
| 1 | Directory Listing | Most Critical (PKI Users need to know about Public Key / DSC of an individual for integrating into various applications) | To be available 24x7x365, RTO would be 10 minutes | RPO is 60 minutes |
| 2 | CRL Management: 1. Generation 2. Publishing 3. Availability | Most Critical (Any application may need the latest and updated CRL for verification of certificate status while signing and trusting e- transactions) | To be available 24x7x365, RTO would be 10 minutes | RA Web Servers at PR site and DR site have been put in sync, so RPO has null value |
| 3 | DSC Revocation | Most Critical (As per CPS revocation / suspension request to be processed within 72 hours of receiving the request) | After 48 hours of continuous failure of eSign operations at PR site, it is recommended to start operations from DR site. RTO is < 72 hours. | All servers at PR site and DR site have been put in sync but for any eventuality the latest available backup shall be taken as RPO. |
| 4 | Routine / Scheduled Generation of CRL even if no DSC has been revoked | Most Critical (The Routine / scheduled generation of CRL takes place on a weekly basis and the next scheduled date for updating the CRL is given in the next update information, available in CRL. | RTO has to range from 0 to 7 days, depending upon the next scheduled date for updating the CRL. Operations need to be started from DR site accordingly | All servers at PR site and DR site have been put in sync but for any eventuality the latest available backup shall be taken as RPO. |
| 5 | DSC issuance | Critical (Depending upon the business compulsions) | Requirement / Timeframe to be decided by Business | All servers at PR site and DR site have been put in sync but for any eventuality the latest available backup shall be taken as RPO |
| 6 | OCSP | Most Critical | To be available To be available 24x7x365, RTO would be 10 minutes | All servers at PR site and DR site have been put in sync but for any eventuality the latest available backup shall be taken as RPO. |
| 7 | eSign Services | Most Critical | To be available 24x7x365, RTO would be 10 minutes | All servers at PR site and DR site have been put in sync but for any eventuality the latest available backup shall be taken as RPO |
| 8 | Time Stamping | Most Critical | To be available To be available 24x7x365, RTO would be 10 minutes | All servers at PR site and DR site have been put in sync but for any eventuality the latest available backup shall be taken as RPO. |
Summary
The reliability of a Certifying Authority directly impacts the trust placed in digital certificates across government, business, and citizen services. Among all CA operations, services such as CRL Management, DSC Revocation, OCSP, eSign, and Time Stamping rank as the most critical and must maintain near-zero downtime and minimal data loss.
A well-defined RTO and RPO strategy ensures that even in the event of system failures, network outages, or cyber incidents, these essential services remain operational or can be restored swiftly without compromising trust or compliance. Ultimately, maintaining continuity in these critical services reinforces the core objective of a CA — to guarantee trust, security, and accountability in the digital ecosystem.
Leave a comment