Issuance and use of DNI

Signature with personal certificate

  • Issuing procedure

    The body in charge of issuance and custody of users' centralised digital certificates for the Cl@ve System will be, within the limits of their competences, the Directorate General for Police (DGP), pursuant to Organic Law 2/1986, of 13 March, on State Security Forces and Royal Decree 1553/2005, of 23 December, on the issuance of the National Identity Document and its electronic signature certificates.

    To carry out these relevant functions, the DGP uses the Public Key Infrastructure corresponding to the current DNI.

    The DGP, within the extent of its competencies, acts as trust service provider pursuant to Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, in line with the principles of security, integrity, confidentiality, authenticity and non-repudiation set forth by Law 59/2003 of 19 December on Electronic Signature and Law 11/2007 of 22 June on Electronic Access by Citizens to Public Services.

    A centralised signature certificate may be issued to the citizen by means of two procedures: an automated procedure, carried out when signing for the first time, and a manual one, in which the holder may voluntarily request issuance of the certificate.

    In any case, the system will inform the citizen that the certificate is about to be issued and at that time will ask them to generate their keys.

    Signature creation data must observe the following guarantees:

    • They must be confidential.

    • In practice, they can occur only once.

    • There must be reasonable assurance that the signature creation data cannot be derived by deduction.

    • The signature must be protected against forgery by a security system that applies the technology available at that time.

    • The legitimate signatory must be able to protect his/her signature creation data to prevent it from being used by others.

    • The data to be signed cannot be modified and must be shown to the signatory before signing.

    In any case, certificates must be generated in accordance with the requirements set by the law regarding the maximum periods of time allowed from the moment when the citizen registered in person.

    The IT Division of the Social Security (GISS) shall act as provider of the signature service with centralised digital certificates; for that purpose, it must hold a backup of the information stored and managed by the DGP that is required for signature.

    On the first screen we may choose the password:

    Then we will complete issuance of the centralised signature certificate by entering it in the following section:

  • Centralised signature procedure

    The Cl@ve system will allow access to electronic signature services; in particular, electronic signature services by means of centralised digital certificates, for submission to the General Government in those procedures in which signature by means of said digital certificates is required or admitted. The following aspects must be taken into account:

    In order to access the service, the user must previously and expressly request the issuance of his/her centralised digital certificates.

    To carry out the request, and for subsequent access to the service, the user must have registered at Advanced Level and activated his/her Permanent Cl@ve. Also, at the time of identification, an additional security verification will be required, using a one-time code that is valid for a limited period of time and is sent to the mobile phone number of the registered user.

    For these purposes, provisions of Royal Decree 1553/2005, of 23 December, on the issuance of the National Identity Document and its electronic signature certificates shall apply.

    For any centralised electronic signature process, it must be ensured that the signature key can only be accessed by its holder; therefore, in order to use it, the citizen must have been previously authenticated with at least 2 authentication factors, such as his/her access password and a one-time code (OTP) sent by SMS.

  • Procedure for renewal of the centralised signature certificate

    Renewal of the centralised signature certificate may be carried out automatically provided that the requirements set forth by the law are met regarding the maximum periods of time permitted from the moment when the citizen registered in person. Otherwise, the citizen must appear in person at a registration office to renew their certification, so that a new activation key can be provided to activate their username and certificates again.

    Where the renewal can be carried out automatically, it will be done when the citizen is ready to sign and has authenticated to access his/her signature key. If at that time a certificate is found to be expired or close to expiration (up to 2 months before its expiration date), the system will issue new keys, after first destroying the former ones, and protect them by the same means as those used to protect the former keys.

    In any case, the system will inform citizens that their keys have been automatically renewed, stating their new period of validity. Under no circumstances will the former keys be revoked; they will be removed from the system in order to avoid any subsequent use.

    Renewal of signature certificate data or forgotten password:

    Renewal after expiration of the signature certificate:

  • Renunciation or revocation procedure

    The citizen may renounce the use of the Cl@ve system at any time, even if not registered in it.

    Renunciation may be carried out on the site www.clave.gob.es, by logging in and choosing the system renunciation option from the user options. The request may be made using either DNI or digital certificate, or by appearing in person at an office. (http://clave.gob.es/clave_Home/registro/Renuncia.html)

    Where a citizen renounces the system, his/her centralised certificate will be revoked, if it exists, and electronic access will be disabled both by means of PIN Cl@ve and by means of Permanent Cl@ve to the identification, authentication and Cl@ve electronic signature services.

    Renunciation must be documented; therefore, in any of these procedures, the citizen must sign the renunciation request, either by means of a digital certificate (including centralised certificate before it was revoked) or in handwritten form at a Cl@ve office.

    The Cl@ve system may manage official revocation of users registered in the system when circumstances arise that put its security at risk, such as fraudulent or unfair use of the system, or when a substantial modification of the identification data used for registration occurs.

    For the sole purpose of informing the user that he/she has been revoked under this procedure, the system may use any of the contact details included in the Registry Database to report the incident.

    After revocation, a new registration may only occur when the circumstances that triggered it have changed.

    Revocation will entail the same effects as renunciation.

    Revocation of the certificates will be carried out at the request of the Administration, under the circumstances determined.

    Once the certificate has been revoked, the system must guarantee that it cannot be used for a signature process.

    The Cl@ve system will automatically manage cancellations of deceased users who are registered. Cancellation in case of death will entail the same effects as renunciation.
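
The signing, renewal and revocation rules described above can be read as a single gate that runs on every signature request. The following is an added illustration, not code from the Cl@ve system: the names `Holder` and `signing_decision` are hypothetical, and the legal maximum since in-person registration and the OTP lifetime are placeholder values because the page does not state them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

RENEWAL_WINDOW = timedelta(days=60)   # "up to 2 months before expiration", taken as 60 days
# ASSUMPTIONS: the page gives neither the legal maximum since in-person
# registration nor the OTP lifetime; both values are placeholders.
MAX_SINCE_IN_PERSON = timedelta(days=5 * 365)
OTP_LIFETIME = timedelta(minutes=5)


@dataclass
class Holder:
    registered_in_person: datetime
    cert_expires: Optional[datetime]   # None: no centralised certificate issued yet
    revoked: bool = False              # renunciation, official revocation or death


def signing_decision(holder, password_ok, otp_ok, otp_sent, now):
    """Return what the signing service does with one signature request."""
    # A revoked holder can never reach a signature process.
    if holder.revoked:
        return "deny:revoked"
    # Two factors are mandatory: password plus a one-time code that is
    # both correct and still inside its validity period.
    otp_fresh = timedelta(0) <= now - otp_sent <= OTP_LIFETIME
    if not (password_ok and otp_ok and otp_fresh):
        return "deny:authentication"
    in_person_valid = now - holder.registered_in_person <= MAX_SINCE_IN_PERSON
    # No certificate yet: automated issuance on first signature.
    if holder.cert_expires is None:
        return "issue_then_sign" if in_person_valid else "deny:in_person_required"
    # Expired or within the renewal window: new keys replace the old ones,
    # which are destroyed (not revoked) so they cannot be used again.
    if now >= holder.cert_expires - RENEWAL_WINDOW:
        return "renew_then_sign" if in_person_valid else "deny:in_person_required"
    return "sign"


if __name__ == "__main__":
    now = datetime(2024, 6, 1, 12, 0)              # constructed sample data
    h = Holder(datetime(2022, 1, 10), datetime(2024, 7, 15))
    print(signing_decision(h, True, True, now - timedelta(minutes=1), now))
```

The order of the checks matters: revocation and authentication are evaluated before any issuance or renewal, so a stale OTP or a revoked holder never triggers key generation.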