FAQsSkip information index
What is a digital certificate and what is it used for?
An electronic certificate issued and signed by a body authorised to do so, which serves to identify a person.
This organisation is often referred to by different names, such as:certification authority, provider of certification services.
This is a document identifying an individual or legal person and a public key that has been assigned in order to perform signature and/or encryption operations.Every certificate is identifiable by a unique serial number and has a validity period associated with it.
Expressed more formally, under Electronic Signature Law 59/2003, a digital certificate is a document signed electronically by a supplier of certification services that checks signature verification data (public key) against a signer and confirms his or her identify.
In signature and encryption processes, current technology mainly uses something called asymmetrical encryption.This means that every user that wants to sign and/or encode messages is assigned two keys: one public and the other private.
It is useful to be aware that the key shown in the digital certificate is merely the public key.The private key does not appear in the certificate.Even though this private key may have been generated by the same Certification Authority that issued the certificate, and corresponds only with the public key contained in the certificate.At no time may the Certification Authority store the private key.Every certificate therefore has an associated private key, but this is not contained in the certificate.
Sometimes it is mistakenly believed that the private key is also held on the certificate.Especially in the case of card-based certificates.The card normally holds both the certificate and the private key, but these are two different electronic files.
Pursuant to the regulations, there are two basic types digital certificates:
- Digital certificate: is a document signed electronically by a certification services provider, which links signature verification data to a signer and confirms his or her identity.
- Recognised certificate: it is an electronic certificate that complies with the requirements collected in Law 59/2003, the Electronic Signature Act, as for its contents, as well as in certain conditions that the certification service provider must comply with.
Pursuant to the current regulations, we can differentiate between certificates for individuals, legal persons, Entities without legal status and public administration certificate.
From 1 July 2016, electronic signature certificates in favour of legal persons or entities without legal status must no longer be issued, although these certificates (pursuant to the guidelines of the Ministry of Industry, Energy and Tourism) can still be used until their expiry or revocation.To replace these certificates, electronic signature certificates for representatives of legal persons or entities without legal status may be used.
Pursuant to the new regulations, the types of certificates are as follows:
Certificate for individuals:identifying an individual.
Certificate for representatives of a legal person:Issued to individuals as representatives of legal persons..
Certificate for representatives of Entities without legal status:Issued to individuals as representatives of entities with no legal personality in a tax context, or any other context established by legislation in force.
Certificates AP (Public Administration).
As regards the format of the certificate, the following terms are used:
- Software certificate: consists of a software file, which has no physical format apart from that of the computer or server on which it is installed.
- Card certificate: held on a card.
Earlier types of certificates are not the only ones that may be encountered, but they are the most widespread.
The Tax Agency is not an issuer of electronic certificates, but acts as the Registry Office for the certificates issued by the National Mint (Fábrica Nacional de Moneda y Timbre).
To this end, and in relation to the new FNMT-RCM certificates, you are hereby informed:
IMPORTANT:The Fábrica Nacional de Moneda y Timbre-Real Casa de la Moneda (FNMT-RCM) in order to adapt to the technical changes required by the regulations, will start issuing the new certificates of representative of a legal person, representative of an unincorporated entity and representative for sole and joint administrators as of 6 June 2016.Starting from that date, the current certificates of legal persons and organisations without legal personality will stop being issued, and they will not be able to be renewed via the website.Nonetheless, it will be possible to continue using them until their expiry or revocation.
The FNMT-RCM offers a new type of certificate for representatives of a legal person, called certificate of the representative for sole and joint directors.This electronic certificate issued by the FNMT-RCM is issued to sole or joint administrators as representatives of corporate persons, for their relations with public administrations when contracting their goods or services or as part of their ordinary business.The Signatory is acting on behalf of a legal entity in the capacity of a legal representative with the position of sole or joint administrator registered in the Commercial Register.
The advantage or facility offered by this type of certificate is that if the legal representative, sole or joint administrator, has a certificate of physical person of the FNMT-RCM or a DNIe, the certificate of sole or joint administrator can be obtained without having to go to a registration office, identifying oneself through the Internet (as long as the certificate of the physical person does not come from a renewal).In any case, it is no longer necessary to go to the commercial register for the accreditation of powers of representation, reducing the number of trips/procedures needed to obtain the certificate.
For more information visit the webpage of the Spanish Royal Mint.
The terms electronic signature and digital signature are usually used interchangeably.
Likewise, there are different definitions of electronic signature.With respect, again, to the legislation (Law 59/2003 on Electronic Signature), three types of electronic signature are commonly referred to:
- Electronic signature is the compilation of data in electronic format, linked to others or associated with them, which can be used as means of identification of the signer.
- Advanced electronic signature s an electronic signature which allows identification of the signer and detection of any modification that has occurred after the material was signed. This signature is linked exclusively to the signer and the data that it represents and has been created by means that can be controlled only by the signer.
- Recognised electronic signature is advanced electronic signature based on recognition of a certificate and generated through a secure signature creation device.
For more explanation on some of the concepts used, it is recommendable to consult the abovementioned law.
A digital signature does not mean that the message is encrypted. That is to say, a signed message's legibility depends on whether it is encrypted or not.
The process of advanced and recognised electronic signature is generally as follows.The signer will use a function to generate a "summary" or fingerprint of the message.This summary or digital fingerprint will be encrypted with your private key, resulting in what is known as a digital signature, which will be sent attached to the original message.
Anyone who receives the message can verify that the message has not been modified since its creation, as he or she will be able to generate the same summary or digital print by applying this same function to the message.Furthermore, you will be able to verify authorship, deciphering the digital signature using the signer's public key. This will cause the summary or digital fingerprint associated with the message to be displayed again.
Through the E-Office located on its website at https://sede.agenciatributaria.gob.es/, the Tax Agency provides citizens with access to numerous web-based services.This is what is called Electronic Administration.A Digital Certificate is needed for some of them.
For transactions that require use of the Digital Certificate, a window showing the certificate will open on screen and must be accepted before you can proceed with the operation you wish to carry out.Similarly, filing a tax return or sending forms will require you to accept the certificate a second time in order to sign to authorise the sending of secure data.
Therefore, you must first obtain a certificate and install it on your computer.
Inside the E-Office you will be able to access all of the services that the Tax Agency provides to citizens, submit tax returns, view the status of any pending actions (My files), obtain an e-copy or payment receipt, see tax data, etc.
A lock icon will indicate access using the digital certificate.
In addition to the difference in format, the practical difference lies in where the private key is stored.
If the certificate is requested in card format, you will not be able to export the private key. This format is thus considered more secure, but implies a degree of inconvenience in that no backup copy can be created.
If a software certificate is requested, the certificate will be stored in the browser and can be exported along with its keys. It is therefore possible to make a backup copy.
Individuals may only have one current certificate issued to their name and NIF (Taxpayer ID), unless the certificates are from different issuing organisations.If you request a new one with the same data, the certificate that you had previously will be revoked and you will not be able to operate with it.Legal persons may possess as many active certificates as they have legal representatives.
You can have several certificates installed on your computer, as long as they are from different authorised persons or issued by different entities.It is not recommendable to have more than 16 certificates on any one browser.
A certificate has the following life cycle:
Obtaining the certificate:First you must request the certificate from a Certifying Authority (AC).There are usually three steps in the process of obtaining one.The first step, usually carried out via Internet from the webpage of the Certification Authority, consists of making the request.In the second step, the applicant must make a personal visit to one of the Registration Offices, also called Registration Authorities, approved by the CA.The last step is to download the certificate, normally over the internet.
To interact with the AEAT, consult the list of authorised Certification Authorities.Next, on the web page of each individual Certification Authority you will find the Registration Offices approved by each of them.
Installing the certificate:Once a Certification Authority has issued you a certificate and you have downloaded it, it must be installed in the browser of your computer.This actually means that it must be imported.The above refers only to when a certificate is software-based.When the certificate is card-based it is not necessary to install the certificate in the browser.It is used by inserting the card in the card reader.
Importing a certificate:When a certificate is stored in some manner, whether on the computer or externally, and we wish to transfer it into the browser, we say that the certificate will be imported.It is also possible to import a certificate onto a card.
Exporting a certificate:Certificates can be stored in a cryptographic card (hardware) or in the user's navigator (software).In this case, the user certificate must be exported to a USB device or another means of storage in order to make a backup copy, as reinstalling the operating system or browser can cause it to be lost.
It can also be exported in order to be used simultaneously on other computers or browsers.
Validity period of the certificate:it is the time during which a certificate can be used.This period of validity shall last no more than five years and this may vary depending on the type of certificate, the scope of its use and even on the Certification Authority that issues it.Thus, a certificate for representatives of a legal person issued by the FNMT, class 2, is valid for two years.A natural person's certificate issued by FNMT class 2 has a validity period of four years.
Expiry of a certificate:Once the validity period displayed on the certificate has expired, the certificate is said to have expired and is no longer operative.
Renewing a certificate:When a certificate is nearing its date of expiry, if we want to continue to use it we must renew the certificate before the deadline is reached.It can be renewed without having to repeat all of the previous steps.
Depending on the Certification Body and the type of certificate, this may or may not be renewable digitally;Thus, the FNMT only allows you to renew certificates for individuals, and so you can request the online renewal of this type of certificate using the same electronic certificate that you want to renew, provided that the request is made during the 60 days prior to its expiration, and provided that the certificate used for the renewal has been acquired via in-person accreditation in the past 5 years.
Suspension of a certificate: the suspension renders the certificate ineffective for a specific period of time and under certain conditions.
The possibility of suspending a certificate, as well as the procedure established for this, depends on the Certification Authority that issued it (you can consult the web page of the corresponding Certification Authority).
Revoking a certificate:In the event of loss, or of suspicion that the certificate has been copied by someone other than its holder, its revocation - which consists of cancelling the certificate's validity before the expiry date assigned to it - is possible.
Deleting a certificate:This is the act of removing the certificate from the browser or from a cryptographic card.Once this procedure has been carried out you will not be able to use it again unless you have made a backup copy.Remember that a backup copy cannot be made for a card-based certificate. Such certificates will thus be permanently eliminated.This is usually done after the certificate has expired.