Introduction
This document is the combined Certificate Policy (CP) and Certification Practice Statement (CPS) for the private PKI operated by UGTI India Private Limited under the UGTI Vajra Root G1 hierarchy.
This CP/CPS is structured in accordance with RFC 3647. It governs the issuance, management, and revocation of certificates used within UGTI's internal network infrastructure.
| Document Title | Certificate Policy / Certification Practice Statement |
| Version | 1.0 |
| Effective Date | July 11, 2026 |
| OID | 2.16.356.100.10.1.1 |
| CP/CPS URL | https://umaleindustries.com/pki/cps/ |
| CA Organisation Name | UGTI Vajra Certificate Authority |
| Legal Entity | UGTI India Private Limited |
| Jurisdiction | India |
| Root CA CN | UGTI Vajra Root G1 |
| Intermediate CA CN | UGTI Vajra Intermediate G1 |
| PKI Type | Private / Internal Enterprise CA — Not Publicly Trusted |
1.1 PKI Participants
- Root CA (UGTI Vajra Root G1): Self-signed root certificate. Used to sign the Intermediate CA. Kept offline when not in use.
- Intermediate CA (UGTI Vajra Intermediate G1): Issues end-entity certificates for internal services and devices.
- Subscribers: UGTI-owned servers, network devices, and managed employee devices within the organisation's infrastructure.
- Relying Parties: UGTI employees and internal systems that rely on these certificates within the organisation's network.
1.2 Certificate Usage
Certificates issued under this hierarchy are intended solely for:
- TLS/HTTPS for internal servers and services (e.g., intranet, VPN, DNS-over-HTTPS)
- Device authentication within the UGTI managed network
- Mobile Device Management (MDM) profile signing
These certificates are not for public issuance. They are not intended to be trusted by browsers or operating systems outside of UGTI's explicitly managed device fleet.
Publication & Repository
UGTI maintains the following internal PKI repository at https://umaleindustries.com/pki/:
| PKI Portal | https://umaleindustries.com/pki/ |
| Root CA Certificate | https://umaleindustries.com/pki/root.crt |
| Intermediate Certificate | https://umaleindustries.com/pki/intermediate.crt |
| CP/CPS Document | https://umaleindustries.com/pki/cps/ |
| CRL (future) | https://umaleindustries.com/pki/crl/ |
This CP/CPS is reviewed annually and updated whenever material changes occur. All prior versions are retained.
Certificate Lifecycle
3.1 Certificate Validity Periods
| Root CA Certificate | 10 years (expires July 8, 2036) |
| Intermediate CA Certificate | 5 years |
| Internal TLS Certificates | 1 year (maximum) |
| Device / Client Certificates | 2 years (maximum) |
3.2 Certificate Issuance
Certificate requests are submitted by authorised UGTI IT personnel. Requests are validated against the internal device registry or server inventory before issuance. No certificates are issued to parties outside UGTI.
3.3 Revocation
Certificates are revoked promptly when: a private key is suspected compromised, a device is decommissioned, or an employee leaves the organisation. Revocation requests are submitted to the PKI team at pki@ugti.in. A Certificate Revocation List (CRL) is maintained and updated at least every 30 days.
Physical & Operational Controls
4.1 CA Key Storage
The Root CA private key is stored in an encrypted key file protected by a strong passphrase. The key file is kept offline on secured, access-controlled storage when the Root CA is not performing signing operations. Access to the Root CA key requires authorisation from the UGTI IT Security lead.
The Intermediate CA private key is stored on the CA server in encrypted form and is protected by system-level access controls and a strong passphrase.
4.2 Key Generation
CA key pairs were generated using OpenSSL with the following parameters:
| Root CA Key | RSA-4096, sha256WithRSAEncryption |
| Intermediate CA Key | RSA-4096, sha256WithRSAEncryption |
| End-Entity Keys | RSA-2048 minimum, sha256WithRSAEncryption |
| Generation Tool | OpenSSL 3.x on secure workstation |
| Generation Date | July 11, 2026 |
Key generation was performed on an internal, secured workstation with no network access during the operation. The process was performed by the UGTI IT Security team.
4.3 Backup & Access Control
- Root CA key file is backed up to encrypted offline storage (AES-256).
- Backup media is stored in a physically secure location.
- Access to CA key material requires the IT Security lead's authorisation.
- Dual-person authorisation is applied for Root CA signing operations.
4.4 Audit Logging
All CA operations (certificate issuance, revocation, key usage) are logged. Logs are retained for a minimum of 3 years and reviewed quarterly by the IT Security team.
Certificate Profiles
5.1 Root CA Certificate
| Subject / Issuer | C=IN, O=UGTI India Private Limited, CN=UGTI Vajra Root G1 |
| Serial Number | 6C:D8:AC:22:26:A8:C5:28:1A:DF:E3:C8:A1:C5:12:51:90:D9:A4:AE |
| Algorithm | sha256WithRSAEncryption, RSA-4096 |
| Valid From | July 11, 2026 |
| Valid To | July 8, 2036 |
| Key Usage | Certificate Sign, CRL Sign (critical) |
| Basic Constraints | CA:TRUE (critical) |
| Subject Key Identifier | 5C:3D:D8:A1:28:DF:4D:37:90:7E:76:EB:CF:DC:B6:2C:15:7B:23:05 |
5.2 Intermediate CA Certificate
| Subject | C=IN, O=UGTI India Private Limited, CN=UGTI Vajra Intermediate G1 |
| Issuer | UGTI Vajra Root G1 |
| Algorithm | sha256WithRSAEncryption, RSA-4096 |
| Key Usage | Certificate Sign, CRL Sign (critical) |
| Basic Constraints | CA:TRUE, pathLen:0 (critical) |
| Certificate Policies | OID 2.16.356.100.10.1.1 → https://umaleindustries.com/pki/cps/ |
Legal & Contact
6.1 Governing Law
This CP/CPS is governed by the laws of the Republic of India. Any disputes are subject to the jurisdiction of courts in India.
6.2 Limitation of Liability
This is a private, internal CA. UGTI India Private Limited makes no warranties to external parties. Certificates are for internal use only. External reliance on these certificates is at the relying party's sole risk.
6.3 CP/CPS Amendments
This document will be updated at least annually. Material changes will be communicated to internal stakeholders. All versions are archived at https://umaleindustries.com/pki/cps/.
6.4 Contact
| Organisation | UGTI India Private Limited |
| PKI Enquiries | pki@ugti.in |
| Revocation Requests | pki@ugti.in |
| Website | https://umaleindustries.com |
| CP/CPS URL | https://umaleindustries.com/pki/cps/ |
Document Approval
This CP/CPS has been reviewed and approved by the authorised personnel of UGTI India Private Limited.