Digital certificates in Brazil

In Brazil, any pessoa física (person) or pessoa jurídica (legal entity, e.g. company) can get a digital certificate (and accompanying private key) that proves their identity.

This lets you:

Who manages them?

Infra-Estrutura de Chaves Públicas Brasileira - ICP-Brasil. This seems to be part of the Instituto Nacional de Tecnologia da Informação.

They act as a CA. Their root certificates are available on gov.br, and don’t seem to come with macOS. (Some of their own websites, e.g. https://estrutura.iti.gov.br, use SSL certs with these roots, which I found interesting.)

You don’t purchase your certificate directly from them, but rather from one of many sub-CAs (some private, some public sector).

The certificates come in different levels (A1, A3, …), with different validity periods, capabilities, and storage requirements (e.g. A1 is a file on your computer whereas A3 is only provided on a smart card or USB token or “in the cloud” which I need to figure out the meaning of).

How to get one?

Pick a CA and go through the application process. You’ll probably need to go a real-life place with (Brazilian) government-issued ID to prove your identity. They’ll also take fingerprints and a photo (for reasons I don’t yet understand). I did mine through Prodesp and was able to book an appointment for the next day in a Poupatempo office. (Poupatempo being, I think, a state-run place to go and do various bureaucracy things — I went to the one in Lapa and found it to be a surprisingly pleasant place to spend time, it’s colourful and bright and airy.)

Generating a certificate from Prodesp on macOS

I chose Prodesp (formerly Imprensa Oficial de São Paulo) because they seemed to be the cheapest option (R$100 for an A1 certificate). However, they do not officially support macOS. This is because they don’t vend a macOS version of the SafeSign IC software they they use for the emission of the certificate (even though the vendor supports macOS). And the software isn’t generic, it’s tied to a particular CA. I don’t know exactly what this software does, but presumably it generates a private key and a certificate signing request.

I used one of Microsoft’s free Windows virtual machines to generate the cert (VirtualBox is a free virtual machine, which I used.)

At the end of the certificate generation process, SafeSign asks if you want to export the certificate and private key as a p12 file. You can then export this from the virtual machine (using Shared Folders in VirtualBox, for example) and import it using Keychain Utility on the Mac. You can then throw the virtual machine away.

Renewing a certificate from Prodesp

My certificate expired after a year and I needed a new one. Prodesp offers renewal for less than the price of a new certificate.

The important thing to note is that you have to do the whole renewal process before the original certificate expires.

You need to have the original certificate still installed on your machine (which meant getting into into a Windows VM). To view installed certificates in Windows, run certmgr.msc.

Since writing the last set of instructions, I’ve got an Apple Silicon Mac — for which VirtualBox is not available – and have switched to using VMWare Fusion. It’s quite basic, no drag and drop etc. For transferring files to and from the VM, I followed these instructions to set up an SCP server (need to run net start sshd in an admin PowerShell console to start the service, since I couldn’t find the GUI it talks about). Then connect to it using the VM’s IP, which you get from ipconfig.

Then I was able to connect to it with Cyberduck over SFTP.

What does the cert look like?

I need to look in more detail. Looks like an X.509 cert. The Common Name is in the format “[my name]:[my CPF number]”. On first glance, doesn’t seem to contain any additional information about me.

Digital signatures from GOV.BR

There seems to be another type of digital signature (see Assinatura Eletrônica do gov.br), which allows you to sign documents using your gov.br identity. According to the linked page, these are also legally valid. I tried downloading my cert from them, and it appears they use their own root certs, separate from those of ICP-Brasil. One to investigate more. It seems to me that the simplest way to elevate your gov.br account to a level that allows you to sign documents is to authenticate the account using an ICP-Brasil-issued cert, which to me seems to somewhat defeat the point, but I’m probably missing something.

How to sign a document?

Assinador SERPRO is quite awful to use. On macOS, you’re lucky to get one usage out of it before it starts crashing on launch and needs to be reinstalled. On Windows it doesn’t support high-DPI so you need to set your VM to be all ugly. And then once inside, the UI is quite unpleasant.

I’d like to understand how to reproduce its “arquivos seguros” functionality (which generates .cry files). I don’t know if this is a standard format or not. It would be nice to be able to reproduce it from the command line so that I can send stuff to my accountant without having to use that horrible app. But I just found out that the source code for the signing part of the app is at https://github.com/demoiselle/signer. Take a look at that (and the standards it references) and see what I can find out.

That GitHub repo refers to DOC-ICP-15.03. The “.03” looks like a version; it isn’t. It means it’s one of a bunch of documents whose name starts with “DOC-ICP-15”, being I guess in some way related to each other. Trying to find out what was the latest version of a given document led me to typing the document name into the Diário Oficial da União and seeing what was the latest portaria (or whatever you call them) to say there was a revision to it. I somehow stumbled upon this page (“Documentos Principais”) on the site of ITI (Instituto Nacional de Tecnologia da Informação), which has loads of documents and tells you which is the latest one. Whether this page is up to date or abandoned, I don’t know, but its latest version of DOC-ICP-15.03 (8.0 at the time of writing) matches what I could find in law in the Diário Oficial da União.

Not sure what the split of information is between laws and these documents.

And then there’s other stuff you find, like QR codes and https://validar.iti.gov.br and OIDs for vaccinations and GOV.BR signatures and stuff — no idea if those are separate things from these ITI documents or not.