What is a qualified certificate (qualified electronic signature)?

In the contemporary world, digital technologies play a pivotal role, particularly in the business sector, where ensuring the security of personal data and online transactions is a top priority for organizations. In this context, a pertinent question arises: what is a qualified certificate? 

The article explains why a qualified certificate is so important in today’s digital world.

What is a qualified certificate? 

A qualified certificate is a special case of the so-called digital public key certificate, which is one of the elements of the PKI (Public Key Infrastructure). PKI technology finds extensive applications, encompassing remote authentication of people and e-services, ensuring information confidentiality, and establishing legal instruments such as electronic signatures and electronic seals, among others.

A qualified certificate is a key tool in the realm of digital transactions, guaranteeing the security of electronic legal transactions. Understanding its role becomes imperative in the context of the escalating digitization of services and business processes.

A qualified certificate is a digital tool used to verify qualified electronic signatures or qualified electronic seals. Regarding a qualified electronic signature, its positive verification affirms the integrity (originality) of the signed document and the identity of the person who signed the document. On the other hand, in the case of a qualified electronic seal, the confirmation relates to the integrity and source of the document. This entails identifying the entity that affixed the seal while ensuring that the document’s content remains unchanged (deliberate or inadvertent manipulation) after the seal was affixed.

The legal system makes a critical distinction between two instruments: electronic signature and electronic seal. This distinction leads to the usage of specific terms such as electronic signature certificate and electronic seal certificate. Those signatures and seals, along with their corresponding certificates, which meet statutory requirements, are accorded special legal status and are termed “qualified.”

Therefore, a qualified electronic signature, backed by a qualified signature certificate, offers a notably high level of legal security in business processes in which legal actions (declarations of intent) are conducted in electronic form.

It is common for the terms qualified certificate and qualified signature to be used interchangeably, serving as a convenient communication shortcut. However, a lack of understanding regarding the fundamental difference between these terms can lead to misunderstandings.

A qualified signature is authenticated through a qualified certificate, facilitating the confirmation of the identity of the person affixing an electronic signature to e-documents and confirming document integrity post-signing.

What is a qualified electronic signature?

A qualified signature is based on a qualified certificate, which contains information identifying its owner and the data (public key) used to verify the electronic signature. To create an electronic signature, data (a private key, for instance, stored on a physical or virtual SimplySign card) is used, and the signer maintains exclusive control over it by safeguarding access to the card and its password.

Prior to the issuance of a qualified certificate, a stringent process is carried out to verify the identity of the applicant, and it is confirmed that the person has exclusive control over the private key (used for signature creation), which forms a pair with the public key (used for signature verification). The public key is included in the certificate along with the user’s identity.

A qualified electronic signature based on this certificate holds a legal presumption of its authenticity and can be employed in any situation enjoying statutory equivalence with a handwritten signature. On the other hand, an electronic document bearing a qualified electronic signature satisfies the Code’s requirement of electronic form equivalent to written form.

A positively verified qualified signature provides confidence to the recipient of the document (statement of intent) that the signature corresponds to the unaltered content of the document and that the document was signed by the person indicated in the qualified certificate that was used for signature verification.

How is an electronic signature created and verified?

A qualified certificate is a component of public key technology (PKI), which is based on a pair of keys: private and public. The private key is securely stored by the certificate owner, while the public key (usually contained in a certificate) is made available to the public. Communication between parties using these keys enables the confirmation of the signer’s identity and ensures the verification of the integrity of the transmitted data (documents).

At the moment of expressing intent through the signing of the content of an electronic document, an electronic signature, particularly a qualified signature, is generated using advanced mathematical algorithms. These algorithms create a unique computer structure associated with the content of the signed document by calculating the document’s hash. The hash is then encrypted (ciphertext – asymmetric cryptography) using a private key, which is under the control of the signer.

When a signed document is checked (accepted), a signature verification process is initiated. In this process, the hash is decrypted (recovered from the ciphertext) using the public key contained in the certificate. Subsequently, it is compared with the hash calculated during the verification process from the contents of the document subject to acceptance. A positive result is only possible if the public key in the certificate is associated (constitutes a pair) with the private key used to create the signature. If the result is positive, it means that the content of the document has not been altered since the signature was affixed, and the person indicated in the certificate had exclusive control over the private key when signing the document.

How can I obtain a qualified electronic signature certificate for document signing?

Qualified electronic signature certificates are issued by certification centers supervised by the Minister of Information Technology. These centers are subject to strict regulations, which are verified during periodic audits. Certum is one such center offering services like the SimplySign mobile signature and a certificate stored on a cryptographic card.

The process of obtaining a qualified electronic signature certificate requires verification of the identity of the person applying for the certificate. For this purpose, it is necessary to present the relevant identity documents and provide other necessary data, which are then scrutinized by the certification authority This ensures that the certificate, and consequently the e-signature based on that certificate, is uniquely linked to the content of the signed document and to a specific user. Therefore, a certificate can be bought, while a signature cannot! You can buy only a device (such as a card) for signing or a service (such as SimplySign virtual card). A signature, on the other hand, can only be made in connection with a specific document and only by the person for whom the certificate was issued. A qualified certificate is used in the context of electronic signature (e-signature), but it is not used to affix a signature, only to verify it.

Qualified certificate applications

Qualified certificates are widely used in various areas of the digital world, serving as a fundamental tool for generating qualified electronic signatures that hold equivalent legal validity to handwritten signatures. They enable secure banking transactions, protecting both customers and financial institutions from fraud. Moreover, these certificates find applications in public administration, facilitating secure communication between citizens and government offices.

A qualified certificate also guarantees that documents remain unaltered after being signed. Cryptographic mechanisms are in place to detect any attempt at modifying a signed document, ensuring that the recipient can trust that the content aligns precisely with what the sender has approved.

A qualified certificate is a key tool in ensuring the security of legal transactions, particularly in the face of escalating cyber threats.

It contains information identifying its owner, allowing recipients of digitally signed documents to verify the author’s identity. This confirmation of identity is particularly critical when engaging in digital contracts, signing documents, or submitting tax returns online.

 Legal and regulatory aspects

Electronic signatures constitute a crucial element in the contemporary business landscape, yet their application is contingent upon diverse legal and regulatory considerations. In the European Union (EU), they are governed by EU 910/2014 Regulation (eIDAS). This regulation sets forth uniform standards for electronic transactions and ensures their mutual recognition in member states. As a result, it facilitates cross-border trade and communication between companies, citizens and public administrations. Countries outside the EU have their own regulations, potentially introducing added complexities for international transactions. Companies operating globally need to be aware of these differences and adapt to the regulations of each jurisdiction.

The future of qualified certificates. Evolution and new opportunities

Qualified certificates are the foundation of digital security, and their development and application will evolve alongside technological advancements.

The future of qualified certificates may encompass various directions of new opportunities, primarily including:

• Cryptographic technology development: Progress in the field of cryptographic technology is closely monitored by qualified trust service providers, who proactively introduce new algorithms both in the creation of qualified certificates and in the signatures based on them. This ensures a consistently high level of resistance of signed documents to fraud attempts, particularly through potential attacks leveraging the computational power and specificity of algorithms implemented by quantum computers.
• Integration with new technologies: New technologies and new areas of their application such as artificial intelligence, blockchain and the Internet of Things (IoT), in conjunction with qualified trust services, can enhance the security of these services, not only from a technical standpoint but also from a legal perspective.

A qualified certificate remains essential in the modern digital landscape, offering security, legal credibility, and efficiency in paperless processes. Its role in ensuring the legitimacy and authenticity of digital interactions is crucial, particularly in an era marked by digitization and the increasing significance of online transactions.

Interested? Find out where to buy qualified electronic signatures!

You can buy the electronic signature in three easy ways:

• in the Certum online store – Certum store – electronic signature and SSL certificates,
• through the Certum Hotline at: +48 91 4472 850,
• at Points of Sale https://sklep.certum.pl/mapa-punktow-partnerskich-certum.