Resolve your doubts about electronic Certificates.
What is a digital certificate and what is it used for?
An electronic certificate issued and signed by a body authorised to do so, which serves to identify a person.
This organisation is often referred to by different names, such as: certification authority, provider of certification services.
This is a document identifying an individual or legal person and a public key that has been assigned in order to perform signature and/or encryption operations. Every certificate is identifiable by a unique serial number and has a validity period associated with it.
Expressed more formally, under Electronic Signature Law 59/2003, a digital certificate is a document signed electronically by a supplier of certification services that checks signature verification data (public key) against a signer and confirms his or her identify.
In signature and encryption processes, current technology mainly uses something called asymmetrical encryption. This means that every user that wants to sign and/or encode messages is assigned two keys: one public and the other private.
It is useful to be aware that the key shown in the digital certificate is merely the public key. The private key does not appear in the certificate. Even though this private key may have been generated by the same Certification Authority that issued the certificate, and corresponds only with the public key contained in the certificate. At no time may the Certification Authority store the private key. Every certificate therefore has an associated private key, but this is not contained in the certificate.
Sometimes it is mistakenly believed that the private key is also held on the certificate. Especially in the case of card-based certificates. The card normally holds both the certificate and the private key, but these are two different electronic files.
Pursuant to the regulations, there are two basic types digital certificates:
- Digital certificate: is a document signed electronically by a certification services provider, which links signature verification data to a signer and confirms his or her identity.
- Recognised certificate: it is an electronic certificate that complies with the requirements collected in Law 59/2003, the Electronic Signature Act, as for its contents, as well as in certain conditions that the certification service provider must comply with.
Based on current regulations, we can differentiate between certificates of a natural person, a legal entity, an entity without legal personality and a Public Administration certificate .
As of July 1, 2016, electronic signature certificates must stop being issued to legal persons or entities without legal personality, although these certificates (in accordance with the guidelines of the Ministry of Industry, Energy and Tourism) They may continue to be used until their expiration or revocation . To replace these certificates, electronic signature certificates for representatives of legal persons or entities without legal status may be used.
Pursuant to the new regulations, the types of certificates are as follows:
Certificate for individuals: identifying an individual.
Certificate for representatives of a legal person: Issued to individuals as representatives of legal persons. .
Certificate for representatives of Entities without legal status: Issued to individuals as representatives of entities with no legal personality in a tax context, or any other context established by legislation in force.
Certificates AP (Public Administration).
As regards the format of the certificate, the following terms are used:
- Software certificate: is one which consists of a software file, which has no physical format apart from that of the computer or server on which it is installed.
- Card certificate: is one that is held on a card.
Earlier types of certificates are not the only ones that may be encountered, but they are the most widespread.
The Tax Agency does not issue electronic certificates, but acts as a registration office for certificates issued by the Spanish Royal Mint (FNMT).
To this end, and in relation to the new FNMT-RCM certificates, you are hereby informed:
IMPORTANT: The National Mint and Stamp Factory – Royal Mint (FNMT – RCM) with the aim of adapting to the technical changes required by the regulations, will begin to issue the new representative certificates of a legal entity, of representative of an entity without legal personality and of representative for sole and joint administrators as of June 6, 2016 . As of that date, the current certificates of legal entity and entity without legal personality will no longer be issued, and their renewal will not be possible through the website. However, may continue to be used until its expiration or revocation .
The FNMT-RCM offers a new type of certificate of representative of a legal entity called Representative certificate for sole and joint administrators . This electronic certificate issued by the FNMT-RCM is issued to sole or joint administrators as representatives of corporate persons, for their relations with public administrations when contracting their goods or services or as part of their ordinary business. The Signatory acts on behalf of a legal entity as legal representative with the position of sole or joint administrator registered in the Commercial Registry.
The advantage or facility offered by this type of certificate is that if the legal representative, sole or joint administrator, has a certificate of physical person of the FNMT-RCM or a DNIe, the certificate of sole or joint administrator can be obtained without having to go to a registration office, identifying oneself through the Internet (as long as the certificate of the physical person does not come from a renewal). In any case, it is no longer necessary to go to the commercial registry to accredit the powers of representation, reducing the number of trips/procedures needed to obtain the certificate.
For more information visit the webpage of the Spanish Royal Mint.
The terms electronic signature and digital signature are usually used interchangeably.
Likewise, there are different definitions of electronic signature. With respect, again, to the legislation (Law 59/2003 on Electronic Signature), three types of electronic signature are commonly referred to:
- Electronic signature is the set of data in electronic form, recorded together with others or associated with them, that can be used as a means of identification of the signatory.
- Advanced electronic signature is the electronic signature that allows the signer to be identified and any subsequent changes to the signed data to be detected, which is uniquely linked to the signatory and to the data to which it refers and which has been created by means that the signatory can maintain under its exclusive control.
- Recognized electronic signature is the advanced electronic signature based on a recognized certificate and generated by a secure signature creation device.
For more explanation on some of the concepts used, it is recommendable to consult the abovementioned law.
A digital signature does not mean that the message is encrypted. That is to say, a signed message's legibility depends on whether it is encrypted or not.
The process of advanced and recognised electronic signature is generally as follows. The signer will use a function to generate a "summary" or fingerprint of the message. This summary or digital fingerprint will be encrypted with your private key, resulting in what is known as a digital signature, which will be sent attached to the original message.
Anyone who receives the message can verify that the message has not been modified since its creation, as he or she will be able to generate the same summary or digital print by applying this same function to the message. Furthermore, you will be able to verify authorship, deciphering the digital signature using the signer's public key. This will cause the summary or digital fingerprint associated with the message to be displayed again.
The Tax Agency makes available to citizens, through its electronic headquarters located on its page https://sede.agenciatributaria.gob.es/ , access to numerous telematic services. This is what is called Electronic Administration. A Digital Certificate is needed for some of them.
For transactions that require use of the Digital Certificate, a window showing the certificate will open on screen and must be accepted before you can proceed with the operation you wish to carry out. Similarly, filing a tax return or sending forms will require you to accept the certificate a second time in order to sign to authorise the sending of secure data.
Therefore, you must first obtain a certificate and install it on your computer.
Inside the E-Office you will be able to access all of the services that the Tax Agency provides to citizens, submit tax returns, view the status of any pending actions (My files), obtain an e-copy or payment receipt, see tax data, etc.
A lock icon will indicate access using the digital certificate.
In addition to the difference in format, the practical difference lies in where the private key is stored.
If the certificate is requested in card format, you will not be able to export the private key. This format is thus considered more secure, but implies a degree of inconvenience in that no backup copy can be created.
If a software certificate is requested, the certificate will be stored in the browser and can be exported along with its keys. It is therefore possible to make a backup copy.
Natural persons may only have one valid certificate issued in their name and Tax ID, except if the certificates are from different issuing authorities. If you request a new one with the same data, the certificate that you had previously will be revoked and you will not be able to operate with it. Legal persons may possess as many active certificates as they have legal representatives.
You may have several certificates installed on your computer, as long as they are for different authorised people or have been issued by different organisations. It is not recommendable to have more than 16 certificates on any one browser.
A certificate has the following life cycle:
Obtaining the certificate: First you must request the certificate from a Certifying Authority (AC). There are usually three steps in the process of obtaining one. The first step, usually carried out via Internet from the webpage of the Certification Authority, consists of making the request. In the second step, the applicant must make a personal visit to one of the Registration Offices, also called Registration Authorities, approved by the CA. The last step is to download the certificate, normally over the internet.
To operate with AEAT , consult the list of accredited Certification Authorities. Next, on the web page of each individual Certification Authority you will find the Registration Offices approved by each of them.
Installing the certificate: Once a Certification Authority has issued you a certificate and you have downloaded it, it must be installed in the browser of your computer. This actually means that it must be imported. The above refers only to when a certificate is software-based. When the certificate is card-based it is not necessary to install the certificate in the browser. It is used by inserting the card in the card reader.
Importing a certificate: When you have a certificate stored in your computer, in an internal or external device, and you wish to use it with your navigator, the procedure is called 'importing' a certificate. It is also possible to import a certificate onto a card.
Exporting a certificate: Certificates can be stored in a cryptographic card (hardware) or in the user's navigator (software). In this case, the user certificate must be exported to a USB device or another means of storage in order to make a backup copy, as reinstalling the operating system or browser can cause it to be lost.
It can also be exported in order to be used simultaneously on other computers or browsers.
Validity period of the certificate: it is the time during which a certificate can be used. This period of validity shall last no more than five years and this may vary depending on the type of certificate, the scope of its use and even on the Certification Authority that issues it. Thus, a certificate of representative of a legal entity issued by the FNMT class 2 has a validity period of two years. For its part, a natural person certificate issued by FNMT class 2 has a validity period of four years.
Expiry of a certificate: Once the validity period displayed on the certificate has expired, the certificate is said to have expired and is no longer operative.
Renewing a certificate: When a certificate is close to its expiration date, if we want to use it again, we must renew the certificate before reaching the deadline. It can be renewed without having to repeat all of the previous steps.
Depending on the Certification Body and the type of certificate, this may or may not be renewable digitally; Thus, the FNMT only allows the renewal of natural person certificates, so that the electronic renewal of this type of certificates can be requested using the same electronic certificate that you want to renew as long as the application is made during the 60 days prior to its expiration and provided that, in addition, the certificate to be used in the renewal had been obtained through in-person accreditation within a period of less than 5 years.
Suspension of a certificate : Suspension renders the certificate ineffective for a certain period of time and under certain conditions.
The possibility suspending a certificate and the procedure established accordingly depend on the Certification Authority issuing it (consult the website of the corresponding Certification Authority).
Revoking a certificate: In the event of loss, or of suspicion that the certificate has been copied by someone other than its holder, its revocation - which consists of cancelling the certificate's validity before the expiry date assigned to it - is possible.
Deleting a certificate: This is the act of removing the certificate from the browser or from a cryptographic card. Once this procedure has been carried out you will not be able to use it again unless you have made a backup copy. Remember that a backup copy cannot be made for a card-based certificate. Such certificates will thus be permanently eliminated. This is usually done after the certificate has expired.