Blog - Cryptomathic

What is a Qualified Digital Certificate for Electronic Signatures in eIDAS

Written by Dawn M. Turner (guest) | 06. July 2016

Under the eIDAS Regulation (EU) No 910/2014, a qualified certificate for electronic signature refers to “a certificate for electronic signatures, that is issued by a qualified trust service provider” and meets the requirements specified within the regulation. To be a qualified trust service provider, the entity must receive qualified status from its member nation’s supervisory body that authorizes that entity to provide qualified trust services to be used in creating qualified electronic signatures.

The provider must be listed on the EU Trust List in order to be considered qualified.

The qualified trust service provider must abide by the strict guidelines of eIDAS while performing their duties. Included as part of the qualified certificate process:

  • A valid date and time must be provided by the qualified trust service provider for creating certificates
  • Immediate revocation of signatures with expired certificates
  • Employees of the qualified trust service provider must receive appropriate training
  • Service providers must use equipment and software that is trustworthy and able to prevent forgery of certificates

Requirements for Qualified Certificates

According to the requirements listed in Annex I of eIDAS, qualified certificates for electronic signatures must contain:

  • An indication that is identifiable through automated processing that the certificate is a qualified certificate for electronic signatures
  • A data set that clearly represents the qualified trust service provider who issued the qualified certificate, including such information as the: 
    • Service provider’s Member State where the entity is established
    • Name and registration number if the provider is a legal person
    • Name of the provider if he or she is a natural person
  • Name of the signatory or indication if a pseudonym is used
  • Corresponding electronic signature validation data and electronic signature creation data
  • Information identifying the certificate’s period of validity from start to finish
  • Qualified trust service provider’s unique certificate identity code
  • Issuing qualified trust service provider’s advanced electronic signature or electronic seal
  • Location of where the certificate that supports the advanced electronic signature is available free of charge
  • An indication, preferably in automated processing form, of where the electronic signature creation data associated to the electronic signature validation data is located in the qualified electronic signature creation device
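
The first and last Annex I items above call for machine-readable indications. As an added example (not from the original article or from Cryptomathic), the code below reads them from the value of a certificate's qcStatements extension, assuming the ETSI EN 319 412-5 encoding and OIDs, which the article does not name; the function names and the hex sample are constructed for illustration.

```python
# ETSI EN 319 412-5 statement OIDs (assumption: the article does not name them)
QC_COMPLIANCE = "0.4.0.1862.1.1"    # issuer claims the certificate is qualified
QC_SSCD = "0.4.0.1862.1.4"          # private key is held in a QSCD
QC_TYPE = "0.4.0.1862.1.6"          # statement listing the certificate type(s)
QC_TYPE_ESIGN = "0.4.0.1862.1.6.1"  # type: electronic signature

def read_tlv(buf, pos):
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def decode_oid(body):
    vals, v = [], 0
    for b in body:  # base-128 arcs, high bit marks continuation
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            vals, v = vals + [v], 0
    first = 0 if vals[0] < 40 else 1 if vals[0] < 80 else 2
    return ".".join(map(str, [first, vals[0] - 40 * first] + vals[1:]))

def assess(ext_value):
    tag, body, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("expected one SEQUENCE OF QCStatement")
    st = {}
    for tag, stmt in children(body):
        parts = list(children(stmt))
        if tag != 0x30 or not parts or parts[0][0] != 0x06:
            raise ValueError("malformed QCStatement")
        st[decode_oid(parts[0][1])] = parts[1][1] if len(parts) > 1 else b""
    types = {decode_oid(v) for t, v in children(st.get(QC_TYPE, b"")) if t == 0x06}
    return {"qualified": QC_COMPLIANCE in st, "for_esign": QC_TYPE_ESIGN in types,
            "key_in_qscd": QC_SSCD in st}

# Constructed sample: QcCompliance, QcSSCD and QcType {esign} in one extension value
SAMPLE = bytes.fromhex("3029" "3008060604008e460101" "3008060604008e460104"
                       "3013060604008e4601063009060704008e46010601")
```

These statements are the issuer's own claim; as stated above, the provider must also be listed on the EU Trust List for the certificate to be considered qualified.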

Additional Specifications for Qualified Certificates for Electronic Signatures

Qualified certificates for electronic signatures will not be subjected to mandatory requirements that exceed the requirements from Annex I listed above. Non-mandatory additional specific attributes may be included in a qualified certificate for electronic signatures, provided they do not interfere with the recognition or interoperability of qualified electronic signatures.

Where a qualified certificate for electronic signature is revoked after being initially activated, the certificate will lose its validity from the time of the revocation and cannot be reverted. EU member states may temporarily suspend a qualified certificate for electronic signature through national rule if:

  • The qualified certificate for electronic signature loses its validity because it has been temporarily suspended
  • This temporary suspension period must be clearly indicated within the certificate database and the suspension status must remain visible during the suspension period.

Further changes may be made by the European Commission by implementing acts to establish reference numbers of standards regarding qualified certificates for electronic signatures.

Legal Implications of a Qualified Certificate for Electronic Signatures

A qualified electronic signature offers the highest tier of probative value in court, making it very difficult to deny its authorship. Member states throughout the EU are required to recognize the validity of a qualified electronic signature that has been created using a qualified certificate from another member state. A qualified electronic signature with a qualified certificate carries the same weight as a handwritten signature in court.
