Cl@ve is an identification, authentication and electronic signature system for citizens, common to the entire State Public Administrative Sector. It is based on the use of agreed keys, as provided for in Article 13.2.c) of Law 11/2007 of 22 June, on the electronic access of citizens to public services, and is in accordance with the European Regulation on Identity and Electronic Signature 910/2014.
The main novelty incorporated in the Cl@ve system is the possibility of making electronic signatures by means of centralized electronic certificates, i.e. electronic certificates stored and guarded by the Public Administration.
These centralised certificates, or “cloud certificates”, allow the citizen to sign electronic documents from any device that has an Internet connection, without additional equipment.
In order to use the centralised signature, the following steps must have been taken in advance:
- Advanced Level Registration in the Cl@ve system: the citizen provides their registration data to the system, either in person at an office with a public employee authorised for this purpose, or online, after the citizen has been authenticated by means of a recognized electronic certificate.
- Activation of Cl@ve Permanente: obtaining access credentials for the system, consisting of a user identifier and a password, which must be kept safe by the citizen. Password validity is limited in time. Additionally, where required by the type of procedure, the Cl@ve Permanente identification modality may provide a higher level of assurance in authentication by means of an additional security verification through a single-use code (OTP, “One Time Password”) that is sent to the user’s mobile device. Password security requirements for this system will be published on the Cl@ve portal.
- Generation of the signature certificate. This action can be carried out automatically at the time of first signing, or at any other time at the user's request.
The certificates needed to perform a centralized signature are issued and held in custody by the Police Directorate-General (DGP). This custody is carried out securely, so that only the holder of a certificate can have access to it. The Social Security Information Technology Management (GISS) is a Trust Service Provider, along with the DGP, which is also a Signing Authority. The GISS is responsible for the safekeeping of a backup of the certificates with the same level of security as the original file.
The issuance of the certificate shall be associated with the physical document used for registration in Cl@ve: in the case of Spanish citizens, the National Identity Document; in the case of Community nationals, the Certificate of Registration of Citizen of the Union, accompanied by the Passport or Identification Document of the data subject's country; and in the case of foreign citizens, the Foreign Card. When these documents expire, the certificates associated with them expire as well.
The issuance of duplicates of the identification documents referred to above, for reasons of deterioration, loss or theft, shall not necessarily entail the revocation of the centralised certificates; those already issued with the original document may be maintained.
The signing process is carried out with the highest level of security, which means that the reinforced mode of Cl@ve Permanente is used: in addition to entering the user identifier and the Cl@ve Permanente password, the user must also provide a single-use password, which is received by means of an SMS sent to the phone associated with the holder of the certificate at the time of registration.