Digital certificates in Brazil

In Brazil, any pessoa física (person) or pessoa jurídica (legal entity, e.g. company) can get a digital certificate (and accompanying private key) that proves their identity.

This lets you:

Who manages them?

Infra-Estrutura de Chaves Públicas Brasileira - ICP-Brasil. This seems to be part of the Instituto Nacional de Tecnologia da Informação.

They act as a CA. Their root certificates are available on, and don’t seem to come with macOS. (Some of their own websites, e.g., use SSL certs with these roots, which I found interesting.)

You don’t purchase your certificate directly from them, but rather from one of many sub-CAs (some private, some public sector).

The certificates come in different levels (A1, A3, …), with different validity periods, capabilities, and storage requirements (e.g. A1 is a file on your computer whereas A3 is only provided on a smart card or USB token or “in the cloud” which I need to figure out the meaning of).

How to get one?

Pick a CA and go through the application process. You’ll probably need to go a real-life place with (Brazilian) government-issued ID to prove your identity. They’ll also take fingerprints and a photo (for reasons I don’t yet understand). I did mine through Prodesp and was able to book an appointment for the next day in a Poupatempo office. (Poupatempo being, I think, a state-run place to go and do various bureaucracy things — I went to the one in Lapa and found it to be a surprisingly pleasant place to spend time, it’s colourful and bright and airy.)

Generating a certificate from Prodesp on macOS

I chose Prodesp (formerly Imprensa Oficial de São Paulo) because they seemed to be the cheapest option (R$100 for an A1 certificate). However, they do not officially support macOS. This is because they don’t vend a macOS version of the SafeSign IC software they they use for the emission of the certificate (even though the vendor supports macOS). And the software isn’t generic, it’s tied to a particular CA. I don’t know exactly what this software does, but presumably it generates a private key and a certificate signing request.

I used one of Microsoft’s free Windows virtual machines to generate the cert (VirtualBox is a free virtual machine, which I used.)

At the end of the certificate generation process, SafeSign asks if you want to export the certificate and private key as a p12 file. You can then export this from the virtual machine (using Shared Folders in VirtualBox, for example) and import it using Keychain Utility on the Mac. You can then throw the virtual machine away.

Renewing a certificate from Prodesp

My certificate expired after a year and I needed a new one. Prodesp offers renewal for less than the price of a new certificate.

The important thing to note is that you have to do the whole renewal process before the original certificate expires.

You need to have the original certificate still installed on your machine (which meant getting into into a Windows VM). To view installed certificates in Windows, run certmgr.msc.

Since writing the last set of instructions, I’ve got an Apple Silicon Mac — for which VirtualBox is not available – and have switched to using VMWare Fusion. It’s quite basic, no drag and drop etc. For transferring files to and from the VM, I followed these instructions to set up an SCP server (need to run net start sshd in an admin PowerShell console to start the service, since I couldn’t find the GUI it talks about). Then connect to it using the VM’s IP, which you get from ipconfig.

Then I was able to connect to it with Cyberduck over SFTP.

What does the cert look like?

I need to look in more detail. Looks like an X.509 cert. The Common Name is in the format “[my name]:[my CPF number]”. On first glance, doesn’t seem to contain any additional information about me.

Digital signatures from GOV.BR

There seems to be another type of digital signature (see Assinatura Eletrônica do, which allows you to sign documents using your identity. According to the linked page, these are also legally valid. I tried downloading my cert from them, and it appears they use their own root certs, separate from those of ICP-Brasil. One to investigate more. It seems to me that the simplest way to elevate your account to a level that allows you to sign documents is to authenticate the account using an ICP-Brasil-issued cert, which to me seems to somewhat defeat the point, but I’m probably missing something.

How to sign a document?