Management, auditing and signature delegation using cloud certificates

In the digital world, electronic certificates are a must to perform any business or personal operation, protecting the identity of the owner.

The problem may arise when you lost your digital certificate and/or password, or in case you use more than one certificate (eg., yours and the company’s).

Another scenario may be when allowing the use of your certificates and passwords to other people when going on holiday, making sure that whoever has access will will make good use of them.

Ideally, the solution would be to look for a platform that is able to centralize certificates allowing the user to manage both personal and corporate certificates wherever.

To better understand this, let’s clarify the following questions:

What is a centralized certificate?

A centralized or cloud certificate means that it is stored on a secure server (HSM). An HSM is a hardware-based cryptographic device that generates, stores and protects cryptographic keys.

The user has access whenever they want to eSign a document, after robust identity authentication

Robust identification requires at least two identification procedures that can be:

  • Something that “the user knows” (password)
  • Something “the user has” (key card, token SMS, token OTP)
  • Something “the user is or does” (signature, utterance, fingerprint, iris etc).

Thus the certificate is never in the hands of the owner, but can be accessed when required. Therefore the user can authenticate without installing any certificate or software on the device.

When using a centralized certificate, is it considered advanced or qualified electronic signature?

The answer can be found in Regulation (EU) nº910 / 2014 of the European Parliament and of the Council (eIDAS), which currently regulates eSignatures in EU member countries and which includes the classification of electronic signatures.

Both signatures:

  1. Are uniquely linked to the signatory. The certificate is linked to the signatory
  2. Allow to identify the signatory. The certificate contains the necessary authentication data for this purpose.
  3. Must have been created with certified means for creating signatures, where the signatory can use with high level of trust and under their sole control.
  4. Are linked to the signed data so that any subsequent alteration can be detected.

The only thing that differentiates both types of signatures is where was the certificate generated. If the certificate used is contained within a cryptographic card without the possibility of downloading it, such as the DNIe/eID card, or was generated directly on a secure server (HSM), for example the certificate generated in Viafirma Fortress issued by a Trust Service Provider.

Comprobación del nivel de seguridad al firmar

What are the advantages of using a cloud certificate?

  • The user can have 1 or more centralized certificates on a single platform and establish security levels for their use.
  • These certificates can be used on any device. Certificates will not be placed physically in each workplace.
  • To make use of the certificate you can define strong identification measures.
  • The user may delegate the certificate to others, wherever and whenever, restricting their use to certain dates or times, as well as to certain URLs or applications
  • Depending on the legal framework, users may use the certificates that others have delegated to them.
  • All operations carried out are audited in detail. User can know where and when the certificate was used.

Some use case scenarios:

  • A company with 50 certificates, one per delegation nationwide. It uses them for internal operations, but has only 2 employees who carry out administrative work in each office and they must reach an agreement to go on holiday.

What could be done thanks to a certificate centralization tool?

A user administrator of the company could be the owner of 50 certificates and sets security policies for each. For example, one certificate can only be used for the URL https://www.agenciatributaria.es/AEAT.internet/en_gb/Inicio.shtml from Monday to Friday during office hours (from 08:00 to 15:00).

For each of the offices this certificate is delegated to the employees in charge of the procedures.

Thanks to this configuration we will obtain total control over the use of company certificates, improving security and making it easier for employees to manage them.

  • A self-employed person has signed up for the services of a company to help him declare his/her taxes and to check overall operations. The real case is that these type of companies have control over the certificate and know their private key to carry out any operation with it. In this case the level security is zero.

Centralized certificates would allow this person to store their certificate on a secure server and restrict their use to one specific URL, without the neede to provide the private key.

Another important fact is that user can check the operations that are being carried out.

  • Also in the case of CEOs and executives, since they usually have a large workload and need to sign when they are out of the office, they must tell someone to make a list of the documents to be signed. In this case, it would be advisable to delegate the certificate and never giving away private keys.

These features explained above can also be enriched by combining other solutions such as Viafirma Inbox that will also allow users to manage the documents to be signed within the company (e.g., contracts, payrolls, agreements, consents, parcels, etc.)

As you can see, centralizad certificates only bring advantages. What are you waiting for?