What you should know about signing with certificates and qualified signatures

Modified on Tue, 11 Jun at 1:30 PM


Certificates as an option for electronic signing

There are a number of ways to sign electronically. The related EU directive eIDAS defines electronic signature broadly as "any electronic data used to identify a person attached inseparably to an electronic document". Thus, electronic signatures can be:

  • biometric signatures on touchscreen devices,

  • via Bank Identity services, called BankID,

  • electronic certificates,

  • and many other methods.


Electronic certificates are therefore one of the technological options for electronic signing. From a legal perspective, they can provide 3 levels of signatures:

  • Qualified - the highest level: an electronic certificate for a qualified signature, issued by a certification authority after proper identification of the person, is used and is stored on a qualified means (key, card, ID card or other appropriate storage) from which it cannot be copied further; mandatory for public administration meetings, on documents for registration in the cadastre, etc.,

  • Accepted - with a qualified certificate stored outside the qualified means, i.e. e.g. in a regular certificate store on an MS Windows computer; e.g. for dealing with public administration,

  • Simple or Guaranteed - using commercial certificates; these are issued after a simpler identification of the person and are cheaper.


Qualified certificates are universally applicable and should not depend on the country of the certificate issuer. Unfortunately, for the use of electronic certificates for dealing with public administrations, some authorities in some countries have set additional requirements for certificates.
 
For example, when dealing with the Czech Ministry of Labour and Social Affairs, the Financial Office, the Social Security Agency and the Labour Office, the qualified certificate must also contain the so-called Ministry of Labour and Social Affairs Identifier (= MPSV IK). This is normally inserted into the certificate when issued by certification authorities in the Czech Republic, e.g. Post Signum or I.CA.


Where to get certificates and qualified means for electronic signatures

  • Certificates are issued by different issuers and the corresponding services are provided. Certificates for qualified signatures are issued by certification authorities supervised by individual states in accordance with the Trust Services Act or the EU eIDAS Directive. In the case of the Czech Republic, e.g. Post Signum of the Czech Post or I. Certification Authority supervised by the Ministry of the Interior of the Czech Republic. You can contact them with a request for certificates.

  • You can also use qualified certificates issued by authorities in other countries for signing in Signi.

  • Certification authorities or other organizations can also issue commercial certificates, where the level of authentication is not as high and their issuance is cheaper.


Storing certificates on qualified resources

One of the places where certificates can be stored is the so-called "qualified means", the Qualified Electronic Signature Creation Device (QSCD):

  • A certificate can be uploaded to such a device but cannot be copied from it, unlike, for example, a folder on a computer or a USB stick. This significantly reduces the risk of the certificate being stolen.

  • The device signs the document itself: it receives a PDF and returns it with a signature. A PIN is required for this, i.e. even if the resource is stolen, no one can sign with it.

  • There are 3 types: cards, tokens, HSM - Hardware security module.

The prerequisite for a qualified signature according to eIDAS is the storage of a qualified certificate on the qualified means.
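
As an added example (not part of the original article and not Signi's code), the Python below reads the qcStatements certificate extension defined by ETSI EN 319 412-5 and maps the certificate's own claims to the three levels listed earlier. The sample byte strings are constructed, the function names are hypothetical, and the mapping onto this article's level names is an assumption.

```python
# Added example: read the ETSI qcStatements extension (OID 1.3.6.1.5.5.7.1.3).
QC_COMPLIANCE = "0.4.0.1862.1.1"  # CA states: EU qualified certificate
QC_SSCD = "0.4.0.1862.1.4"        # CA states: private key resides in a QSCD
# Constructed extension values, not taken from real certificates.
SAMPLE_QSCD = bytes.fromhex("3014" "3008060604008e460101" "3008060604008e460104")
SAMPLE_NO_QSCD = bytes.fromhex("300a" "3008060604008e460101")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, acc = [], 0
    for byte in value:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def qc_statement_oids(ext_value):
    """Collect statement OIDs from a qcStatements value (SEQUENCE OF QCStatement)."""
    tag, body, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("qcStatements must be a SEQUENCE")
    oids, pos = set(), 0
    while pos < len(body):
        tag, stmt, pos = read_tlv(body, pos)
        oid_tag, oid_val, _ = read_tlv(stmt, 0)
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed QCStatement")
        oids.add(decode_oid(oid_val))
    return oids

def signature_level(ext_value):
    """Map the certificate's own claims to this article's three levels (assumed mapping)."""
    oids = qc_statement_oids(ext_value) if ext_value else set()
    if QC_COMPLIANCE not in oids:
        return "simple/guaranteed"  # commercial certificate, no qualified claim
    return "qualified" if QC_SSCD in oids else "accepted"
```

These statements are only what the issuing authority wrote into the certificate; whether the issuer really is a qualified provider is established from the EU trusted list described later in this article.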


Different types of qualified resources.


Validity of qualified signatures and certificates across EU countries

European legislation (Regulation 910/2014 or eIDAS - https://www.ica.cz/Userfiles/files/dokumenty/eIDAS_en.pdf) states that only "a qualified electronic signature based on a qualified certificate issued in one Member State shall be recognised as a qualified electronic signature in all other Member States" (Article 25(3)).


The definition of a qualified electronic signature is set out in Article 3(12) of eIDAS ("qualified electronic signature" means a guaranteed electronic signature that is created by a qualified means for creating electronic signatures and that is based on a qualified certificate for electronic signatures).


List of qualified trust service providers

The official EU trusted list of all qualified trust service providers (QTSPs) is available at the EU Trust Services Dashboard (europa.eu). A similar list for the Czech Republic, containing only QTSPs from the Czech Republic, is also available on the website of the Ministry of Interior of the Czech Republic: List of qualified trust service providers and qualified trust services - Ministry of Interior of the Czech Republic (mvcr.cz).


List of qualified resources

These Qualified Signature Creation Devices (QSCDs) are defined by eIDAS in Articles 29 and 30 and Annex II and their list (trusted list) is available here.


In the context of qualified signatures and certificates, Signi is not a Trust Service because it does not issue certificates or qualified resources; it only allows users to use them.

