Certificado Digital backup and renewal: do not lose your access
Getting your Certificado Digital is the hard part. Keeping it is the part people forget about, and it is where the avoidable disasters happen. The certificate expires after a few years, and it lives as a file on one device, which means two things can go wrong: it can lapse because you did not renew in time, or it can vanish because the device died and you never made a backup. Either way, you are back at the start of the FNMT process, including the identity verification step that sent you to an office in the first place. This blog explains how the expiry and renewal work, why the backup is the single most important thing you can do, and how to think about keeping your certificate alive for the long term. As with the rest of our certificate content, the exact clicks live in the module; here we explain why it matters and where it goes wrong.
The certificate expires, and most people do not realise
A Certificado Digital from the FNMT (Fábrica Nacional de Moneda y Timbre) is not valid forever. It has a fixed validity period, currently several years from issue, after which it stops working. The exact term has changed over the years and depends on the certificate type, so check the validity date on your own certificate rather than assuming. The point is that there is an expiry date, and when it arrives, your access to the Agencia Tributaria, the Seguridad Social, and every other portal stops until you renew. For the broader context of what the certificate does, see our pillar page on the Certificado Digital in Spain.
The problem is that nothing loudly warns you. There is no monthly bill, no app notification, no letter in most cases. The certificate simply stops working one day, often at the worst possible moment, such as when you are trying to file a quarterly tax return or respond to a deadline from the administration. People discover the expiry precisely when they urgently need the certificate, which is the most stressful time to deal with it.
Renewing before expiry is easy; renewing after is not
There is a crucial distinction between renewing before the certificate expires and renewing after.
If you renew while your current certificate is still valid, the process is almost entirely online. You use your existing, still-working certificate to authenticate the renewal request with the FNMT, and a new certificate is issued without you having to go anywhere. No office visit, no cita previa, no repeating the in-person identity check. This is the easy path, and it is only available during a window before expiry.
If you let the certificate expire first, that easy online path closes. An expired certificate cannot authenticate its own renewal, so you fall back to the full initial process: requesting a fresh certificate and proving your identity in person at an authorised office, with the cita previa wait that involves. The difference between renewing a month early and renewing a month late is the difference between a few minutes online and a repeat of the entire original ordeal.
The renewal window typically opens a couple of months before expiry. The practical advice is simple: the moment you think of it, check your expiry date, and if it is within a few months, renew now while the easy path is open. There is no penalty for renewing early, and it resets your validity period.
Why the backup is the most important thing you will do
The certificate is a file. It lives in the certificate store of one browser on one device. If that device is lost, stolen, broken, or wiped, and you did not export a backup, the certificate is gone. The FNMT does not keep a downloadable copy for you to re-fetch. A lost certificate without a backup means starting the entire request and identity verification process from scratch, exactly as if you had never had one.
This is the disaster that catches people who did everything else right. They obtained the certificate, used it happily, even renewed it on time, and then their laptop died or they upgraded to a new machine, and the certificate did not transfer because they never made a backup. Months of smooth self-service collapse into a fresh trip to an office.
The backup is an export of the certificate into a single password-protected file, in PFX or P12 format. This file contains both your certificate and its private key, which is why it is password-protected and why you must keep it secure. With this file, restoring your certificate on a new device, or installing it on a second device, is a quick import. Without it, you are at the mercy of the full FNMT process.
When and where to make the backup
The right moment to export the backup is immediately after you install the certificate, while it is freshly working and you have time. Do not wait until you need it; by then the device may already be the problem. Export it the same day you install it.
Where to keep the backup matters because the file is sensitive. It is effectively your digital identity for Spanish administration in a single file, protected only by the password you set. Store it somewhere secure and ideally in more than one place: an encrypted drive, a password manager's secure file storage, a secure cloud location that you control. Do not email it to yourself in plain form or leave it on a shared computer. Choose a strong password for the export and store that password separately from the file, the way you would treat any other credential.
The link between backup, renewal, and multiple devices
These three things are connected. The backup file is also what lets you use the certificate on more than one device: you import the same PFX or P12 onto your laptop, your desktop, and your phone, and they all carry the same identity. And when you renew, you produce a new certificate that you should back up afresh, because the old backup corresponds to the old, now-expired certificate.
So the lifecycle looks like this in concept: install the certificate, export a backup immediately, import that backup onto any other devices you use, and keep the backup safe. When the renewal window opens, renew online with the still-valid certificate, then export a fresh backup of the new certificate and update it on your other devices. Done this way, you never face the office again. Done carelessly, you face it every time something goes wrong.
Common backup and renewal mistakes
Never making a backup at all
The most expensive mistake. Everything works until the device fails, and then there is nothing to restore. Export the backup the day you install the certificate.
Letting the certificate expire before renewing
Renewing before expiry is a quick online task using the still-valid certificate. Renewing after expiry means the full in-person process again. Check your expiry date and renew within the window.
Backing up but losing the password
The PFX or P12 file is useless without its password. People export a backup, set a password they do not record, and then cannot open the backup when they need it. Store the export password as carefully as the file itself.
Storing the backup carelessly
The backup file is your digital identity. Leaving it on a shared computer, an unencrypted USB stick that gets lost, or an unsecured cloud folder is a real risk. Treat it like a passport, not like a holiday photo.
Forgetting to update the backup after renewal
After you renew, the new certificate needs its own backup. The old backup corresponds to the expired certificate. Export a fresh backup each time you renew.
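Several of these mistakes can be caught early by testing the backup file itself: does it still open with the recorded password, and is the certificate inside it expired or close to expiry? The script below is an added example using the openssl command line, not part of the original article or any FNMT tooling; the P12_PASS variable, the 60-day default window, the function names and the self-signed sample certificate are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a PFX/P12 backup.
# Assumption: the export password is supplied in the environment variable
# P12_PASS, so it does not show up in the process list.

# check_backup FILE [WINDOW_DAYS] prints one status word:
#   unreadable  wrong password, missing file, or no certificate inside
#   expired     the backup holds a certificate that has already expired
#   renew-now   still valid, but expires within WINDOW_DAYS
#   ok          valid beyond WINDOW_DAYS
check_backup() {
    file=$1
    window_days=${2:-60}   # assumed; the article says "a couple of months"
    # Decrypt and keep only the personal certificate, never the private key.
    pem=$(openssl pkcs12 -in "$file" -nokeys -clcerts \
            -passin env:P12_PASS 2>/dev/null) || { echo unreadable; return 0; }
    case $pem in *"BEGIN CERTIFICATE"*) ;; *) echo unreadable; return 0 ;; esac
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! printf '%s\n' "$pem" | openssl x509 -noout \
            -checkend "$((window_days * 86400))" >/dev/null 2>&1; then
        echo renew-now
    else
        echo ok
    fi
}

# make_sample_backup OUT_FILE DAYS builds a CONSTRUCTED self-signed
# certificate and exports it as a P12 that stands in for a real backup.
make_sample_backup() {
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=Constructed Sample" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$tmp/key.pem" -in "$tmp/cert.pem" \
        -out "$1" -passout env:P12_PASS
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Demo on constructed data: a certificate with 30 days left.
export P12_PASS='constructed-demo-passphrase'
demo_dir=$(mktemp -d)
make_sample_backup "$demo_dir/backup.p12" 30
echo "sample backup: $(check_backup "$demo_dir/backup.p12")"
rm -rf "$demo_dir"
```

Backups exported by older software can use legacy encryption that OpenSSL 3 reads only with the pkcs12 -legacy option; such a file would be reported as unreadable here.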
Get your Certificado Digital and keep it for good
Our Digital Certificate module walks you through the request, the installation, the backup, and the renewal, so your access to Spanish administration stays uninterrupted year after year.