Electronic Certificates

• It is an electronic document issued by a Trusted Service Provider and identifies a person (physical or legal) with a pair of keys.
• Its mission is to validate and certify that an electronic signature corresponds to a specific person or entity.
• It contains the information needed to sign electronically and identify your owner with your data: name, NIF, algorithm and signature keys, expiration date and issuing body.
• The Trust Services Provider attests that the electronic signature corresponds to a specific user. That is why certificates are signed, in turn, by the Trusted Service Provider.
• It refers to a qualified electronic certificate if it complies with the requirements laid down by the legislation, is issued by a qualified trust service provider and guarantees a high level of safety and authenticity, with the legislation being Regulation (EU) 910/2014, known as eIDAS Regulation, and Law 6/2020 of 11 November, regulating certain aspects of electronic trust services. supplementing the eIDAS Regulation in Spain.

In a Certificate, the digital keys are theessential elements for signature and identificationof the signatory. There are two keys, theprivate keyandpublic keyand work in a complementary way. What encrypts or encrypts one key can only decipher or decode the other.

The difference between them is that the private key is designed so that it never leaves the certificate and is always under the control of the signatory. Instead, the public key can be distributed or sent to other users.

At times, we talk aboutPrivate Certificateto refer to the certificate containing the private and public key and thePublic Certificateto refer to the certificate containing only the public key.

Important: If you send your certificate to a third party, make sure it is the public certificate (which contains only the public key). For more information on how to export a certificate, go to the sectionBrowsers and Computer.

Since October 2, 2016, with the entry into force of Article 14 of Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations, they are obliged to relate by electronic means to the Public Administrations for the performance of any formalities of an administrative procedure, at least the following subjects that may be covered in the categories of SMEs, self-employed or self-employed:

(a) Legal persons.

(b) Entities without legal personality.

(c) Persons engaged in a professional activity for which compulsory tuition is required, for the formalities and proceedings they carry out with the public administrations in the exercise of that professional activity. In any case, within this group will be understood including notaries and registrars of the property and commercials.

(d) Those representing a data subject who is obliged to interact electronically with the Administration.

For this purpose, it is necessary to use identification systems for those interested in the procedure (Article 9 of Law 39/2015) and signature systems accepted by the public authorities (Article 10 thereof).

Recognised identification and signature systems include those based on qualified electronic signature certificates issued by providers included in the "Trusted List of Certification Service Providers", and in order to use these systems it is necessary for the subject to have a corresponding qualified electronic signature certificate.

A qualified electronic certificate of electronic signature issued to natural persons as a representative is necessary to certify the representation.

Depending on each service provider, different representative certificates are offered for use in their relations with administrations, entities and public bodies. The most common are:

• Legal Person Representative. A natural person is issued as a representative of a legal person.
• Representative of an entity without legal personality. A natural person is issued as a representative of an entity without legal personality.

In order to have the certificate, the subject must follow the steps indicated by the service provider and comply with the technical requirements necessary to request and install the certificate on his computer.

You can see in the link below all providers included in the "Trusted List of Certification Service Providers", and for each of them get your website where you can check steps, requirements and prices when applicable:

Getting the Digital Certificate depends on whether the certificate is contained in a card, or whether the certificate is saved in a software file.

In both processes, there is a step that is the identification of the person responsible or user of the certificate, which requires him to be present at the offices of a Registration Authority. These offices corroborate identity.

In the case of software certificates, the user’s own browser creates the keys. But, in the Card Certificate, who creates and introduces the keys is the Certification Provider.

• Obtaining Certificate on Card

  The certificates contained in cards must be delivered directly to the user.

• Application for a software certificate.

  The request and download of the Certificate are made from the browser.

  You can find a list of providers issuing electronic certificates in Spain in the following page.

Electronic Certificates have a past validity period that is neither used to sign nor to identify themselves.

Each Certification Provider sets deadlines before the certificate expires in order to be able to renew it without any other identification. In the case of FNMT certificates, they are valid for 36 months and can be renewed for 60 days prior to expiry.

If the Certificate expires, the entire process of applying for the certificate must be carried out again. However, a certificate can be renewed before it expires and the process does not require a new application.

You can invalidate your Certificate before it expires for security reasons.

These are the main reasons for revocation of a Certificate:

• Voluntary request by the Subscriber
• Loss or damage to the Certificate Holder
• Death of the subscriber or his representative, total or partial incapacity of any of them
• Completion of the representation or termination of the represented entity
• Inaccuracies in the data provided by the subscriber for obtaining the certificate
• That the Subscriber or Certifying Authority keys are found to have been compromised
• Once revoked, the certificate can no longer be reactivated and it is necessary to restart the entire application process.

In order to revoke the Certificates, it must be the Certifying Authority itself that provides the procedure, which is normally published on its website.

For example, the revocation of a certificate issued by the National Currency and Stamp Factory (FNMT) can take place in three ways:

• Over the Internet: if the holder of the certificate or his representative, in the case of entities, is in possession of the certificate.
• In the Accreditation Office: if the holder of the certificate or representative does not have it for loss, loss or theft, he must be present at one of these Accreditation Offices to, once identified, sign the model application for revocation of the certificate. The Accreditation Offices transmit the records processed to the FNMT daily for the FNMT to revoke the certificate.
• By telephone: 902 200 616. This option should only be used in cases where you are unable to move to an Accreditation Office or where it is not possible to revoke the certificate online.