Online validation of the signature with FNMT digital certificate

If you are reading this post, you have probably encountered the problem that your electronic signature, made with the digital certificate of the Fábrica Nacional de Moneda y Timbre (FNMT), cannot be validated. In fact, on some platforms (such as Viafirma Platform) we do not even allow it to be done. But what is online validation? Why is it necessary to sign electronically? What happens if I don’t validate my signatures? Don’t worry, I explain everything below.

Online validation: What and why?

One of the uses of electronic certificates is to verify the electronic signature made by the certificate holder. However, the electronic signature of a given document must be verified at the time of its use, since the certificate may have been invalidated before the signature was made, whether by revocation, suspension or expiration, for the corresponding legal reasons.

Therefore, whenever a certificate is used to generate an electronic signature, the validity of the signatory’s certificate must be checked in real time.

FNMT online validation

Normally, all digital certificates are validated at the time of signing, most of them without any problem. The FNMT digital certificate, however, is a particular case that differs from other CAs: certificates issued by the FNMT cannot be validated at the time of signing because its validation server requires a fee (yes, yes, you have to pay) to access it if you do not belong to the public sector. That is, the FNMT charges the private sector to validate its certificates.

Since early 2011, after an investigation by the National Competition Commission, the FNMT has also been forced to offer a “Wholesale Contract” to third-party resellers, as would be the case of Viafirma, for its on-demand (cloud-computing) services, where we provide validation services. In this case the FNMT charges around 5€ (!!!) for each validation. Providing these services would therefore mean very high costs for our customers to sign with these certificates.

FNMT online validation: Solution

To be a bit more technical, access to the verification sources, specifically to the FNMT LDAP, for “non-public” certificate types is controlled by user/pass, and the access rights are acquired individually by the different signature platforms. In the case of Viafirma Platform in its on-premise (license) modality, if these access credentials are available, it is enough to configure these parameters so that the platform accesses the LDAP with the user/pass provided.

Another, less elegant option is to allow the signature without validating the certificate used, since the final validity of a signature must be decided by the recipient (i.e., it is the recipient’s responsibility to accept an unvalidated signature). For this, Viafirma Platform also allows the online validation of certificates to be disabled through Viafirma Manager, our optional add-on for the administration, configuration and customization of the signature platform.

In conclusion, Viafirma supports these certificates without validating them, except in the cases where the client has a user/pass to access the FNMT validation server. As a recommendation, for a private company it will always be less cumbersome, and in the long run less expensive, to obtain digital certificates issued by other CAs.
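The signing-time check described above, together with the unvalidated case from the previous paragraph, as an added example that is not Viafirma's or FNMT's code. It models the revocation data as an in-memory list rather than the FNMT LDAP source, and all class names, function names and sample values are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum

class Status(Enum):
    VALID = "valid"
    EXPIRED = "expired or not yet valid"
    REVOKED = "revoked"
    SUSPENDED = "suspended"
    UNVALIDATED = "unvalidated"  # the recipient decides whether to accept

@dataclass
class Cert:  # hypothetical model, not a real X.509 parser
    serial: int
    not_before: datetime
    not_after: datetime

@dataclass
class RevocationList:  # hypothetical model of the CA's revocation data
    next_update: datetime
    entries: dict  # serial -> (time the entry took effect, reason)

def status_at_signing(cert, signed_at, crl=None) -> Status:
    """Return the signer certificate's status at the moment of signing."""
    # Expiration needs no online source: the dates are in the certificate.
    if not cert.not_before <= signed_at <= cert.not_after:
        return Status.EXPIRED
    # No revocation source: no credentials, or online validation disabled.
    if crl is None:
        return Status.UNVALIDATED
    entry = crl.entries.get(cert.serial)
    # Only an entry already in effect when the signature was made counts.
    if entry is not None and entry[0] <= signed_at:
        held = entry[1] == "certificateHold"  # CRL reason code for suspension
        return Status.SUSPENDED if held else Status.REVOKED
    # A list past its next-update time cannot vouch for the certificate.
    if signed_at >= crl.next_update:
        return Status.UNVALIDATED
    return Status.VALID

# Constructed sample data (serials, dates and reasons are made up).
UTC = timezone.utc
CERT_A = Cert(1001, datetime(2023, 1, 1, tzinfo=UTC), datetime(2027, 1, 1, tzinfo=UTC))
CERT_B = Cert(1002, datetime(2023, 1, 1, tzinfo=UTC), datetime(2027, 1, 1, tzinfo=UTC))
CRL = RevocationList(
    next_update=datetime(2025, 6, 2, tzinfo=UTC),
    entries={1001: (datetime(2025, 6, 1, 12, tzinfo=UTC), "keyCompromise"),
             1002: (datetime(2025, 5, 1, tzinfo=UTC), "certificateHold")})
```

A signature made three hours before the revocation entry takes effect is still reported as valid, while the same certificate with no revocation source yields `UNVALIDATED` rather than `VALID`.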

