Signature keys and certificates for qualified electronic signatures (for natural persons) and regulated electronic seals (for organisational signatures) issued by a recognised certification service provider in accordance with the legal norms set out in the ESigA are cryptographically classified as very secure.
The private signature key can be stored either on a specially certified, locally used chip card or, specially secured, on a hardware security module (HSM) at the IT service provider (the architecture used in the Federal Administration). Other issuing certification service providers may use a different architecture.
The certificate, a data structure signed by the provider and belonging to the key pair, contains the public key (but not the private key) and can be made publicly accessible in directories.
Advanced signature keys and certificates issued by recognised providers may also be considered secure if the signature key has a length of 2048 bits or more and is stored on a local smart card or deposited securely in a hardware security module. However, these keys and certificates do not have legal effect in accordance with the ESigA.
In addition to an authentication and encryption certificate, all employees of the Federal Administration also have an advanced signature certificate (class B) on a smart card. This signature certificate does not fall within the category of certificates governed by the ESigA, however. It is used only internally for statements of intent and for signing emails.
On the other hand, advanced signature keys and certificates issued by recognised providers in the form of a software certificate are not considered secure: with a software certificate, the private signature key is located in a file together with the certificate and can thus be arbitrarily duplicated.
See also the Swiss Government PKI list of the certificate types provided to federal and cantonal employees for various purposes.