The entity responsible for issuing and safeguarding the centralized electronic certificates of users of the Cl@ve System will be, in the exercise of its competences, the General Directorate of the Police (DGP), in accordance with Organic Law 2/1986, of March 13, on Security Forces and Royal Decree 1553/2005, of December 23, which regulates the issuance of the National Identity Document and its electronic signature certificates.
To perform these functions, the DGP uses the Public Key Infrastructure corresponding to the currently existing DNI.
The DGP, in the exercise of its powers, acts as a provider of trust services in accordance with Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, and in accordance with the principles of security, integrity, confidentiality, authenticity and non-repudiation provided for in Law 59/2003 of 19 December on Electronic Signatures, and in Law 11/2007 of 22 June on Electronic Access of Citizens to Public Services.
The issuance of a centralized signature certificate to the citizen can be carried out through two procedures: an automated one, performed at the time of the first signature, and a manual one, in which the holder can voluntarily request the issuance of the certificate.
In either case, the system will inform the citizen that his certificate will be issued and will request, at that time, the generation of his keys.
The signature creation data will observe the following guarantees:
Their confidentiality.
In practice, they will occur only once.
There will be reasonable assurance that the signature creation data cannot be found by deduction.
The signature will be reliably protected from counterfeiting by the technology available at the time.
The legitimate signer must be able to protect his signature creation data from being used by others.
The data to be signed may not be altered and must be shown to the signer before signing.
In any case, the certificates must be generated in accordance with the legal requirements on the maximum period allowed since the citizen made the face-to-face registration.
The Social Security Informatics Management (GISS) will act as a provider of signature services with centralized electronic certificates, for which it will hold a backup of the information stored and managed by the DGP that is necessary for the signature.
On a first screen we will choose the password:
Then we will finish the issuance of the centralized signature certificate by writing it in this section:
The Cl@ve system will allow access to electronic signature services, in particular, to electronic document signature services through centralized electronic certificates, all for the purpose of their presentation to the Public Administrations in those procedures in which the signature through electronic certificates is required or admitted. The following considerations will be taken into account:
In order to access the service, the user must previously and expressly request the issuance of their centralized electronic certificates corresponding to the document used for registration in Cl@ve for centralized signature.
To make the request, and for subsequent access to the service, it will be necessary in any case that the user has registered at Advanced Level and has activated his Cl@ve Permanente. In addition, at the time of identification, an additional security check will be required using a single-use code of limited validity in time, sent to the registered user’s mobile phone.
To this end, the provisions of Royal Decree 1553/2005 of 23 December, which regulates the issuance of the national identity document and its electronic signature certificates, are applicable.
In any centralized electronic signature process, it must be guaranteed that only the holder of the key can access it. To use it, the citizen must therefore have been previously authenticated by means of a minimum of 2 authentication factors, such as his access password and a single-use code (OTP) sent by SMS to his mobile.
The use of Cl@ve Signature certificates must be adapted to the requirements of the eIDAS Regulation, which requires that, in order to use recognized electronic certificates (in this case, to sign), the registration be renewed with the guarantees of High registration level (also called advanced level registration). Specifically, these guarantees require face-to-face registration or telematic registration using the Electronic ID, since with the rest of the electronic certificates it cannot be guaranteed that this requirement has been met.
In order to comply with this requirement, a new option has been added to the Cl@ve Registration application that allows the registration to be renewed at a high level under the conditions laid down in the eIDAS Regulation. In this way, a citizen can go to a Registry office to request the renewal of his registration, and the Registrar must use this new option. The citizen can also access the Cl@ve registration option with his electronic ID and carry out this renewal process himself.
How does the citizen know that he must carry out this renewal?
This change only affects citizens who are registered in Cl@ve and use the Cl@ve Signature service. When a citizen goes to make an electronic signature with Cl@ve Signature, if he does not meet the requirement of 5 years since he last visited a registration office in person or used the electronic ID to perform an action in Cl@ve Registration, he will be informed that, in order to use Cl@ve Signature, he must carry out this process of renewing his registration in Cl@ve.
The citizen can renounce the use of the Cl@ve system at any time, even if he has not registered in it.
The renunciation can be carried out in the Cl@ve portal, by identifying oneself to it and choosing, among the user options, the one to renounce the system. This request can be made either using a DNI or recognized electronic certificate, or in person at an office.
If a citizen renounces the system, his centralized certificate, if it exists, will be revoked, and his electronic access, both by Cl@ve PIN and by Cl@ve Permanente, to the Cl@ve identification, authentication and electronic signature services will be disabled.
The waiver must be documented, so in any of these procedures the citizen must sign the request for waiver, either with an electronic certificate (including his centralized certificate before it is revoked) or by hand at a Cl@ve office.
The Cl@ve system may revoke users registered in the system ex officio when there are circumstances that put the security of the system at risk, such as fraudulent or unfair use of the system, or when there is a substantial modification of the identification data used in the registry.
For the sole purpose of informing a user who has been revoked in application of this procedure, the system may use any of the contact details included in the Registration Database to inform him of this incident.
The revocation may only give rise to a new registration when the circumstances that caused the revocation have changed.
The effects of the revocation will be the same as those of the waiver.
The revocation of the centralized certificates will be carried out ex officio by the Administration in the circumstances that are determined.
Once a certificate has been revoked, the system will ensure that it can never be used during a signing process.
The Cl@ve system will automatically and ex officio manage the deregistration of deceased users who are known and registered. The effects of deregistration due to death will be the same as those of the waiver.