A digital certification is a technology developed to ensure the authenticity of the people and companies involved in electronic transactions of all kinds. With it, the preservation of the integrity and anonymity of the information used (such as name, CPF, bank details, among others) is ensured by encryption methods, used to make your data unreadable to those who are not involved in the transaction. In other words, scrambling everything so that wrongdoers cannot access your information, even if they manage to hack the system in question.
Encryption and the way data is made secure provide confidentiality and authenticity for those involved in the transaction. This is due to the fact that the information is accessible only to authorized people and organizations (in other words, those who have the key that will decrypt the information used), in the proper format to carry out said transaction. Both encrypting and decrypting require the key that will scramble or unscramble the data, which only those involved in this exchange possess, thus ensuring the legitimacy of the people involved in the transaction.
As for integrity, the encryption of the data has a unique code that ends up changing when the information that was hidden is altered. In this sense, the key of the party that will receive the information will not be able to decrypt information that has been tampered with, showing that the information was compromised before the transaction was carried out. This way, the parties in question can feel safe at every stage of the process, ensuring both the legitimacy of the buyer's identity and the security and anonymity of the data provided.
But who actually issues the Digital Certificate?
Because it is a technology that many industries and businesses depend on, the service responsible for issuing digital certificates needs to be properly regulated and carefully carried out. As such, the need for regulatory bodies to ensure the reliability of the institutions authorized to issue said documents created the need to separate the issuing and regulating functions.
Not only that, the steps are divided into two in Brazil, where one gathers the documents and verifies their legitimacy so that the other can issue the certificate in question. These entities are the Certificate Authorities (CA) and Registration Authority (RA).
The Certificate Authorities are tasked with linking an identity to a key, and thereby producing the digital certificate of the individual or institution in question. The Registration Authorities, on the other hand, were designed to ensure the legitimacy of the identities associated with the keys.
That is why a Registration Authority can request digital certificates from the CAs, or ask that they be revoked, but does not have the permission needed to issue them. Control over the CAs, in turn, is exercised by the Root CA before services begin, based on the rules laid down by ICP-Brasil.
In addition to the initial audit, an audit is carried out annually to analyze how well the institutions comply with the rules and requirements of the regulatory body, headed by the audit team of the Instituto Nacional de Tecnologia da Informação (ITI) to verify compliance with them.
The list of accredited CAs can be found on the ITI official website. Cada órgão emissor possui diferentes critérios e requerimentos para a emissão de documentos, fazendo com que o preço mude dependendo da instituição escolhida. Dessa maneira, o ideal é pesquisar antes de escolher a instituição pela qual você tirará o seu certificado.
For example, for brokers and brokerage firms dealing with health, life, capitalization and private pension insurance, in the state of São Paulo, the most suitable institution is AC Sincor – RFB. Já para empresas de serviços contábeis e assessoramento, perícias, informações e pesquisas há a ACFENACON Certisign RFB. O ideal é se informar para saber qual é a instituição que mais se adequa à sua atividade, evitando assim retrabalhos e contratempos na digitalização dos processos burocráticos do seu negócio.
What makes a Certificate Authority trustworthy?
The reliability of a Certificate Authority is completely and undeniably tied to the procedures it implements with regard to validating the applicant's identity. The purpose of the certificate in question also affects the amount and depth of the information requested, since certificates aimed at more complex activities, whose service is essential to the public in question, require more levels of verification than activities considered simpler.
In this sense, the certificates used in email signatures, attesting to the sender's identity, need much simpler levels of validation than brokerages, insurers or medical professionals. For example, ICP-Brasil's digital certificates, because they deal with larger companies and larger volumes of contracts, documents and money, require greater formalities to safeguard the integrity of the company in question.
In Brazil, ICP-Brasil itself is the benchmark when it comes to the authenticity and validity of digital certificates. Therefore, any certificate issued by the body can be considered authentic and trustworthy, legally backed by Medida Provisória 2.200-2. Dessa forma, quem duvidar ou questionar a validade desses certificados deverão comprovar a sua irregularidade.
According to Cristian Thiago Moecke, Master in Computer Science and a contributor at BRy Tecnologia, “If the CA is affiliated with ICP-Brasil, you can trust the credentials it issues, unless they have been revoked or have gone past their expiration date. On the other hand, if it isn't, look into the policies and procedures used by that CA. Check whether they establish the appropriate purpose of use for the certificate and whether there is an agreement signed between the interested parties that guarantees mutual trust in the use of the private digital identity.”
How does the issuing process work?
Even though the issuing bodies specialize in different areas of business activity, the process of issuing the Digital Certificate is similar when it comes to obtaining it. In this sense, the rules and requirements defined by ICP-Brasil are followed, in their general terms, by all of them. The process consists of the following steps:
1. Requesting the Certificate
The request is made on the Certificate Authority's website through an electronic form that must be filled out by the applicant. On the form, various pieces of the applicant's data will be requested, from full name and date of birth to the individual's CPF. Once complete, it is sent to the body for verification of the data.
This is done through an in-person visit to attest to the legitimacy and authenticity of the data previously provided. The visit can be scheduled, which allows the process to be finished quickly.
For the e-CNPJ, you need to provide the following data:
- CNPJ number
- CPF number of the CNPJ's Legal Representative
- Date of Birth of the CNPJ's Legal Representative
- Company Name as recorded in the CNPJ
- City
- State
- Name of the Person Responsible for the Digital Certificate
- Date of Birth
- CPF
- Postal Code
- Telefone
- Password
In-person validation, unsurprisingly, is done to attest to the validity of the data provided. The applicant must go to the predefined location for said step, at a scheduled date and time. When going to the Registration Authority's service point, the applicant must bring their identity documents – such as CPF, CNH or RG -, as well as other documents requested by the RA.
An authorized agent validates the paperwork and files the applicant's documents, authorizing the issuance of the certificate at the end of the process.
3. Issuing the Certificate
The certificate is issued only upon the confirmation and verification of the authenticity of the documents required by the institutions, through the agents of the Registration Authority itself. To ensure the validity of the documents, at least two agents of the institution in question must state that the in-person validation went ahead without irregularities regarding the delivery of the documents and data requested.
Some Certificate Authorities integrate this step into the in-person validation, giving the applicant a token or card containing the certificate when they come to prove the legitimacy of the data provided.
4. Installing the Certificate
In the case of issuance after the in-person validation, the issuing body will send an email to the applicant when the certificate is ready to be picked up. For category A1, Digital Certificates are installed directly on the user's computer. However, there are technical system specifications for installing and using Digital Certificates. The requirements are:
- Java – version 7 or higher
- Driver installed for the token or smart card (for A3 certificates)
- Chrome – version 33 or higher
- Internet Explorer – version 9 or higher
- Firefox – version 17 or higher
- Linux – version 37 or earlier
How much does a certificate cost, and how long does it last?
Digital certificate prices vary depending on the issuing body and the type of certificate. CAs that provide this service to specialized companies, and therefore have more validation levels, tend to be more expensive, but also more reliable. That said, any entity associated with ICP-Brasil carries the public seal of quality, both because it is an entity linked to the government framework and because it undergoes the ITI's strict audit processes.
Among the options offered by Correios, there are A1 certificates and A3 certificates, whose difference comes down to their validity period. The Correios portal offers this service, pricing it according to the validity and type of certificate you want. For the e-CPF, the A1 certificate is valid for 12 months, while the A3 can be used for 36 months, costing R$ 103.27 and 127.20 respectively. For the e-CNPJ, the validity is the same, with the A1 costing R$ 167.67 and the A3 R$ 252.18.
Now that you know what to look out for when getting your digital certificate, find out what it can be used for. Remember: even though the CAs officially linked to ICP-Brasil are legally backed by the State, there are others with more secure processes, offering higher levels of encryption and validation of the required business information.
Look into the encryption and document issuing processes before digitizing your company's paperwork, so that sensitive, essential documents and information from your business are not intercepted by bad actors and malicious attacks. That way, you will enjoy both the convenience of simplified paperwork and the security provided by digital certificates.
Spreadsheet Kit to Simplify Your Restaurant
Download your free kit now!