Certificado Digital and your browser: why it breaks and how to fix it

What the Certificado Digital actually is

The Certificado Digital is a digital identity file issued by the FNMT (Fábrica Nacional de Moneda y Timbre), the Spanish national mint. It proves you are who you say you are when dealing with Spanish administration online. It is not an app, not a password, and not a website login. It is a cryptographic file that gets installed into your device, and which your browser presents to government websites when they ask you to identify yourself. For the full picture of what the certificate does and why we recommend it over the alternatives, see our pillar page on the Certificado Digital in Spain.

Because it is a file rather than a login, the certificate behaves differently from the online accounts most people are used to. You cannot simply log in from any device with a username and password. The certificate physically exists in one place (the browser or operating system certificate store of the device where you installed it) and it only works from there unless you deliberately copy it elsewhere. This single fact explains most of the confusion that follows.

Why the browser step trips people up

The process of obtaining a Certificado Digital has two halves that happen at different times, and the browser connects them. First, you request the certificate from the FNMT, which involves generating a request in your browser. Second, after identity verification, you download and install the certificate, and it must go into the same browser on the same device where you made the request. If you request it in one browser and try to download it in another, or on a different computer, it does not work. The cryptographic key generated during the request lives in the first browser, and the certificate is useless without it.

This is the single most common failure. Someone requests the certificate on their laptop in Chrome, then a week later tries to download it on their desktop, or in Firefox, and nothing works. The certificate is tied to the browser and device where the request was generated. The two steps must happen in the same browser on the same machine.

The second common failure is the browser updating or clearing its data between the request and the download, which wipes the pending key. Modern browsers aggressively clear stored data, and a browser update or a privacy cleaning tool can remove the key that links your request to your certificate. The window between requesting and downloading should be kept short, and you should avoid clearing browser data during it.

Which browsers behave and which cause headaches

Browser behaviour with the Certificado Digital has shifted over the years as browsers changed how they handle certificates. The current situation in 2026:

Firefox has historically been the most reliable browser for the request and installation because it uses its own internal certificate store, independent of the operating system. Many guides recommend doing the request and download in Firefox specifically because its certificate handling is predictable and self contained. The certificate goes into the Firefox certificate manager and stays there.

Chrome and Edge use the operating system certificate store on Windows and macOS rather than their own. This can work well, but it also means the certificate is shared with the operating system and other applications, which is convenient in some ways and confusing in others. Chrome dropped some older certificate request mechanisms, so the request step in Chrome has become less reliable than it once was.

Safari on macOS uses the macOS Keychain. It works for using a certificate that is already installed, but the request and installation process is less commonly documented and more prone to quirks. Most people on a Mac do the request in Firefox and then optionally export to the Keychain.

The practical takeaway: do the request and the download in the same browser, and Firefox is the safest choice for that browser because its self contained certificate store avoids the operating system complications. Once the certificate is installed, you can often export it and use it in other browsers, but the initial request and download should happen in one predictable place.

The autofirma complication

Some Spanish government procedures require not just the certificate in your browser but also a separate desktop application called AutoFirma, which handles digital signing of documents. AutoFirma is a Java based application from the Spanish government that runs alongside your browser and signs documents with your certificate. It is a frequent source of frustration because it must be installed separately, it sometimes needs specific Java configurations, and the browser has to be able to communicate with it.

Not every procedure needs AutoFirma. Logging in to check your data, download a certificate of empadronamiento, or file a simple form often works with just the browser certificate. AutoFirma comes in when you need to digitally sign a submission. Knowing which procedures need it saves you installing it before you need to, but when a portal says it needs AutoFirma and the browser certificate alone will not do, that is the moment to install it.

Why you should not rely on Cl@ve instead

Spain offers an alternative authentication system called Cl@ve, which some people reach for because it seems simpler than the certificate. We recommend the Certificado Digital as the primary tool and treat Cl@ve as a secondary option, for a specific reason: Cl@ve Permanente, the more powerful version of Cl@ve, requires a video identity verification step that is not available to non Spanish nationals in the same way it is to Spanish citizens. Many newcomers go down the Cl@ve route, hit the verification wall, and then have to set up the Certificado Digital anyway. Starting with the certificate avoids the detour.

The certificate also does more. It works across essentially every Spanish government portal, it can be exported and backed up, and it does not depend on receiving SMS codes or app notifications that can fail when you are abroad or change your phone number. For someone who intends to handle their own Spanish administration over the long term, the certificate is the more robust foundation.

The one thing people forget: back it up

Because the certificate is a file tied to one browser on one device, losing that device or reinstalling the operating system means losing the certificate, unless you exported a backup copy first. This catches people who set up the certificate, use it happily for a year, then get a new laptop and discover the certificate did not come with them and cannot simply be re downloaded. The FNMT does not keep a copy you can re fetch; if you lose it without a backup, you start the whole request and verification process again.

The moment to export a backup is right after you install the certificate, while everything is working. The export produces a password protected file (in PFX or P12 format) that you store somewhere safe, ideally in more than one place. With that backup, moving to a new device is a quick import. Without it, you repeat the entire FNMT process. We cover the backup and renewal process in its own guide, because it is important enough to deserve separate attention.

Common browser and certificate mistakes

Requesting in one browser, downloading in another

The most common failure. The key generated at request time lives in the requesting browser. Download the certificate in the same browser on the same device where you made the request.

Clearing browser data between request and download

A privacy cleaner, a browser reset, or an aggressive update can wipe the pending key. Keep the window between request and download short and do not clean your browser during it.

Not backing up after installation

The single most expensive mistake long term. Export a backup immediately after installation. A lost device without a backup means starting over from the FNMT request.

Going down the Cl@ve route as a non Spanish national

Cl@ve Permanente video verification is not available to non Spanish nationals the way it is to citizens. Start with the Certificado Digital instead of hitting the Cl@ve wall and having to set up the certificate anyway.