Qualified certificate for electronic signature
A qualified electronic signature certificate is your “personal identification document in the electronic world”.
A qualified certificate for electronic signature enables you to:
- access to secure websites (ssl/tls authentication),
- electronic signing of documents and electronic mail,
- electronic signature verification.
The certificate can be issued with or without a registered personal number of a user. Only the electronic signature certificate that contains the user’s personal number can be used for work with state authorities.
The procedure for issuing a certificate for an electronic signature depends on whether the applicant for issuance is a legal or natural person, that is, whether the user of the certificate identifies himself as a natural person belonging to a legal entity or an independent natural person.
It is necessary to announce the arrival by sending an email to info_qca@e-smartsys.com and wait for confirmation of the appointment.
Below you can read more about the procedures for submitting a request and issuing a certificate, activation, unlocking, changing the PIN, but also other important information such as: the price of the certificate and the method of payment, documentation, depending on whether you are in the process of issuing or have a certificate for the electronic signature of the ESS QCA certification authority.
If you are interested in the service of issuing a qualified certificate for electronic signature and agree to the conditions of issuing and using the qualified certificate defined in the documents Certificate Policy (CP) and Certification practice statement (CPS), you can submit a request for the issuance of a qualified certificate by filling out the online form on the page Submitting a request.
To begin with, it is necessary to verify the e-mail address that will be entered in the qualified certificate you are applying for. You will receive a one-time link to the entered e-mail address from which you can continue the data entry process for issuing the desired certificate.
Entering information about the applicant for a qualified electronic signature certificate differs depending on whether you are applying as a natural person, a member of a legal entity, or an independent natural person. When entering, pay attention to the explanations on the online form itself and enter all the necessary data, taking care of their accuracy.
After clicking Submit request, depending on whether the request is validly filled out, you will receive instructions on the further steps of the process to your email address.
A qualified electronic signature certificate is issued only to a successfully identified user. In the process of issuance, a qualified certificate for electronic signature is entered on the previously prepared QSCD device (smart card) in the ESS QCA certification authority.
If the user declares that he will wait for the issuance of the qualified certificate, along with the certificate on the selected device, the user is given an envelope with the PIN code used to activate the private key of the qualified certificate and the PUK code used to unblock the PIN code. Otherwise, the certificate will be delivered by a courier service that delivers the certificate to the user only after confirming the user’s identity, and an envelope with PIN and PUK codes will be delivered by regular mail.
When downloading, the user signs the Download Confirmation .
The prices of electronic signature certificates depend on the type of device and the duration of the certificate that the subscriber/user chooses. The prices of all varieties can be seen in the Price List.
The ESS QCA certification authority issues qualified certificates for electronic signature with a duration of one to five years. In the case of foreign nationals (to whom the qualified certificate is issued on the basis of a passport), the duration of the certificate is limited by the duration of the passport (if the duration of the passport is shorter than the duration of the certificate).
For legal entities, it is possible to pay by invoice, as well as cash and payment cards in the registration body itself. On that occasion, a cash invoice is issued to legal entities.
Natural persons can pay for certificates with cash or payment cards.
Whether the user collects the certificate from us or the certificate is delivered to his address, personal collection is mandatory and the only possible.
Complete documentation regarding the conditions for issuing and using qualified certificates for electronic signature can be read on the website of the Certification authority. The documentation is divided into General documentation (applies to all) and documentation for the user of the electronic signature certificate, which is different for legal and natural persons.
In order for the qualified certificate for electronic signature to work properly, it is necessary to follow the guidelines given in the document Instructions for the use of the qualified certificate for electronic signature. The download page contains all necessary certificate and software installations.
The certification authority ESS QCA, upon issuing a qualified certificate for electronic signature, suspends it. The suspension after issuing the certificate is a protection measure against the compromise of the QSCD device during transport to the user.
The user via the online service, on the Activation link, activates the certificate using two parameters:
• a one-time activation code (JAK) that was sent directly to the user via SMS and
• unique user identifier (UIK) printed on the QSCD device that was handed over.
The PIN change procedure can be performed through the QCA QSCD Manager application by following the simple instructions on the application itself. You need to have your QSCD device with a qualified certificate with you – smart card (and appropriate reader) or token, as well as the PIN code you received in the PIN envelope. You can find an explanation of this procedure in the document Instructions for using a qualified certificate for electronic signature.
The user can submit a request to unlock the device with a qualified electronic signature certificate. The request must be submitted in person at the RA . When submitting a request for unblocking, it is necessary to attach the blocked device. After the identification of the user, the device is unlocked and then a PIN envelope is printed, which is delivered to the user together with the unlocked device.
For certificates issued after 04/05/2021.
The PIN unblocking procedure can be performed independently by the user through the QCA QSCD Manager application following simple instructions on the application itself or explanations from the document Instructions for using a qualified electronic signature certificate. In case of entering the wrong PUK in the PIN unblocking process two (2) times, independent PIN unblocking is no longer possible. In this case, device unlocking can only be performed by the ESS QCA Certification authority. The use of other application solutions for changing/unblocking is not recommended, as the card may be permanently destroyed in this way.
Users can check the current status of their certificate on the following link – Status.
By entering one of the two possible parameters – the user’s unique identifier or the serial number of the certificate and clicking on the Check status button, you will see information about the status of the certificate, the validity dates of the certificate – valid from and valid until, as well as the date from which the current status of the certificate is in effect.
You can request data changes in ESS QCA only for qualified certificates issued by the ESS QCA certification body . When opening the online form for submitting a request for data change, the user must authenticate with the certificate that is the subject of the data change.
If during the validity period of the qualified certificate for electronic signature, there is a change in the data entered in the certificate, the subscriber/user submits to the registration body ESS QCA a request for data change via an online form .
Data that can be changed are name or surname or e-mail address .
The procedure for changing the data entered in the certificate is identical to the procedure for issuing a new qualified certificate for an electronic signature, which includes the creation of a new smart card/USB token. The existing qualified certificate is revoked after the activation of the new certificate. The costs of issuing a new qualified electronic signature certificate shall be borne by the subscriber/user.
If the subscriber/user does not want to issue a new certificate with changed data, he must submit a request for revocation of the existing certificate containing old/invalid data.
Suspension
The subscriber/user, if necessary, can submit a request for the suspension of the qualified electronic signature certificate.
In the request, it is necessary to state the reason for suspension and the desired number of days of suspension. The maximum number of days of suspension is 30. After the suspension expires, the status of the qualified electronic signature certificate automatically changes to active.
Revocation
The subscriber/user may submit a request for revocation of a qualified electronic signature certificate. The reason for revocation may be withdrawal of consent, loss of QSCD device or something else. Revoking a qualified electronic signature certificate is a permanent action and it is impossible to change the status of a revoked qualified electronic signature certificate to active.
In the request, it is necessary to state the reason for revocation.
The results of the suspension/revocation request processing are visible by publishing the CRL. The CRL is published every day at 8:00 AM.
The reissuance of a qualified certificate can be done if the existing qualified certificate is valid/active and within a period of 30 days until the certificate expires. When opening the online form for submitting a request for reissuance, the user must authenticate with the certificate that is the subject of reissuance.
In the case of reissuing a certificate for an individual member of a legal entity entity , it is necessary to fill out an online form for reissuance . Based on the completed form, a preliminary invoice is created and delivered to the legal entity, the subscriber, via e-mail address. After recording the subscriber’s payment, the further procedure is identical to the procedure for issuing a certificate for an electronic signature, which includes the creation of a new smart card/USB token. In this case of reissuing the certificate no re-identification of the user is required, so, in addition to personal collection in ESS QCA, the user can choose to have the created certificate sent to the address of the legal entity. For the purposes of sending the certificate by mail, the registered address of the legal entity will be used exclusively, and the costs of sending the certificate will be borne by the subscriber.
In the case of reissuing an electronic signature certificate for an independent natural person, it is necessary to fill out an online form for reissuance . The procedure for reissuing is identical to the procedure for issuing a certificate for an electronic signature, which includes the creation of a new smart card/USB token. In this case, the identification of the user is necessary, so the natural person, the applicant, must bring a valid identification document: an identity card for citizens of the Republic of Serbia or a passport for foreigners.