Skip to main content

Digital certificates in PA Who signed what?

Original article published in BYTIC Media, on 19/10/2022

The Spanish Public Administration has been advancing for years in its digital transformation, a transformation aimed both at improving accessibility to procedures by citizens, and at internal management, which allows institutions more exhaustive control over the numerous processes that are generated daily in such entities.

A process in which, in addition, knowing in real-time who and when authorizes a purchase or a contract on behalf of a public institution is vital, generating great transparency in public management and its actions.

Any type of public body, be it a town hall, a ministerial agency, Autonomous Communities governments, etc. that has numerous employees, applications and networks that require orderly and secure control and management, especially referring to digital certificates that public employees use daily in their work, as well as the automated processes that rely on them.

Having this control over their use is the best way to prevent possible risks, such as identity theft and fraud, or the impossibility of users accessing their online services, which could make different administrative procedures difficult and damage an organization’s reputation.

On the other hand, the Spanish administration must comply with current European regulations which, in the case of digital identity and electronic signatures, are regulated by eIDAS.  

eIDAS defines the standards and regulations for electronic signatures, whether simple, advanced or qualified, as well as for the issuance of qualified certificates and online trust services, while regulating electronic transactions and their management. 

Digital certificates: what they are and what they are used for in the Administration

Digital certificates are computer files that are used to provide a digital identity to a person, organization, or electronic device.

They are issued by recognized Certification Authorities (CAs) – often the same public bodies to establish themselves as such, as in the case of AOC, IZENPE or ISTEC, for example – and are based on asymmetric cryptography. That is, they contain a public and a private key. The first is available to everyone, while the second is known only to the certificate holder. In this way, the privacy of the information exchanged between two users is guaranteed.

The Certification Authorities, whether of private or public origin, are responsible for issuing electronic signature certificates for officials, labour personnel, statutory personnel and authorized personnel at the service of the Public Administration, body, public body or entity governed by public law, in the exercise of its functions for the subscriber of the certificate.

The digital certificate streamlines the completion of different procedures over the Internet, which reduces time, and allows public employees to carry out all kinds of procedures: from closing a public contract formalizing it through a Digital Signature, to any financial transaction that requires identification, access to certain platforms with sensitive information that is conditional on secure and accredited access, etc.

But sometimes, organizations do not have the tools that allow them to know quickly and easily “who signed what”, with the consequent control and security problems that this entails. For this, it is recommended to use comprehensive management solutions for Digital Certificates and Remote Electronic Signatures that allow each authorized employee to use their assigned digital certificates to authenticate and sign, as well as to perform different corporate tasks, avoiding the risk of incorrect use and of fraud.

I am text block. Click edit button to change this text. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Certificates’ centralized management benefits

Having a centralized management solution for digital certificates and remote electronic signatures provides numerous advantages to institutions, since it allows:

  • Issuing and managing qualified digital certificates without having to manually install them on each device, as well as being able to manage third-party certificates. Its administration is done through the roles of administrator, certificate owner, auditor, end user or scope administrator, allowing users to work with the certificates as if they were installed on their workstations.
  • Control their use (who has used them, when, from which device, where and for what) and their renewal and revocation.
  • Implement strict usage policies for certificates based on users or directory groups, date and time, IP origin, program or access URL, etc., warning about the purpose of use of the certificate and with the possibility of requesting references in the processing of the signature.
  • Limit economic losses due to failures in compliance and continuity of operations due to expired certificates, managing notices for their renewal and life cycle control.

In this way, organizations can have control of all their certificates with the highest degree of security and reliability.

Leave a Reply