About personal certificates

Personal certificates are digital IDs linked to an individual rather than to a domain or server. They follow the X.509 standard and serve as a representation of a user’s identity in digital environments.

These certificates come in two main technical formats:

  • Soft Certificates (Type A1): Exportable files (e.g., .p12 or .pfx) that contain the user’s private key.
  • Hard Certificates (Type A3): Keys stored on physical devices (tokens, smart cards) or cloud security modules.

Unlike an SSL/TLS certificate, which secures communication between a browser and a server, a personal certificate confirms that User X is who they claim to be and allows them to perform cryptographic actions on their own behalf.

The primary objective of Certificate Manager regarding personal identity is the administration of ICP-Brasil A1 certificates. These digital credentials are essential for legal entities and individuals to execute critical regulatory tasks, including tax fulfillment, invoice generation, and secure access to the gov.br portal.

Centralized management of these A1 certificates addresses several security vulnerabilities: it eliminates direct file handling by end-users, maintains comprehensive audit logs of certificate usage, and facilitates seamless deployment to workstations via Certificate Manager. Nevertheless, this approach does not entirely eliminate risks, as the user may still interact with the certificate data once the installation process is finalized.

By integrating with Segura® Browser, the certificate is not exposed to the user. Instead, the Segura® Browser authenticates the session directly, removing the certificate from the machine at the end of use. This ensures that the user does not have continuous access to the certificate file.

Info

Segura® Browser is our proprietary browser focused on security and optimized web sessions. Although authentication is already available, the tool will be officially released soon. For more information, please contact the Customer Success team.

Functionality

The Certificate Manager provides specific features to manage the lifecycle of these personal certificates, ensuring that employees’ digital identities don’t become a security risk:

  • Identification and Authentication: Enables a user to authenticate to critical systems, VPNs, and networks without traditional passwords, using their personal certificate as a strong authentication factor (mTLS).
  • Digital Signing: Ensures the integrity of documents (PDFs, contracts, emails). The Certificate Manager tracks which certificate was issued to which user and its validity period.
  • Email Encryption (S/MIME): Serves as the foundation for the S/MIME protocol, allowing users to send encrypted emails that only the correct recipient can read and signed emails that guarantee the content has not been altered.
  • Custody Management: The Certificate Manager securely stores backup copies of personal A1 certificates, allowing recovery of identity in case the original device is lost.

Applicability

Personal certificate management applies in scenarios where the individual’s identity is central:

  • Secure Executive Communications: Protection of high-level communications through S/MIME encryption, managing certificates to ensure that strategic company communications remain confidential.
  • Secure Remote Work (Zero Trust): Implementation of zero-trust architectures where each employee device holds a personal certificate managed by the Certificate Manager to validate access to internal networks.
  • Compliance (LGPD/GDPR): Meeting data protection requirements, ensuring that only individuals properly identified by personal certificates have access to databases containing sensitive information.