TL;DR — Quick Summary
IDSE IMSS expired e.firma renewal error: check SAT validity, download new .cer/.key files, configure Edge IE mode and Java JRE 8 before signing movements.
When your e.firma (Advanced Electronic Signature) is no longer valid, the IMSS IDSE portal blocks access with messages like “Certificate not valid”, “Error validating electronic signature” or “Cannot establish secure connection” while trying to renew credentials or submit affiliate movements.
The Error
Common messages when using an expired or misconfigured e.firma in IDSE:
- “Digital certificate is not valid” — SAT already marked the e.firma as expired.
- “Error loading .cer/.key certificate” — corrupt files, wrong password or revoked certificate.
- “Certificate RFC does not match employer registry” — wrong legal entity or person certificate.
- “Cannot establish secure connection” — TLS/Java issue combined with expired certificate.
- “Timeout while signing” — Java applet fails after loading an invalid certificate.
Root Cause
e.firma is valid for four years from SAT issuance. After that date IMSS cannot validate the trust chain and rejects authentication even if .cer and .key files remain on your USB.
Other frequent causes mixed with validity errors:
- Incomplete renewal — new e.firma generated at SAT but old files still loaded in IDSE.
- Prior revocation — revoking a certificate after its private key was lost invalidates the old files before their expiration date.
- Wrong RFC — certificate belongs to a representative not registered with IMSS for that employer.
- Incompatible browser — Chrome and normal Edge do not run Java; without IE mode IDSE cannot read the new e.firma.
- System clock skew — incorrect Windows date marks valid certificates as expired.
Step-by-Step Solution
Step 1: Verify validity at SAT
- Log in to https://www.sat.gob.mx with a still-valid e.firma (another officer if yours expired).
- Open RFC procedures → Certifica tu RFC → Certificate inquiry.
- Confirm the expiration date of the certificate used in IDSE.
Double-click the .cer file in Windows and check Valid until. If the date passed, IDSE will always reject that file pair.
Step 2: Renew or request new e.firma
If not yet expired (early renewal):
- Select Renew e.firma on the SAT portal.
- Generate the request, download .cer, .key and record the private key password.
- Store encrypted copies on USB and in a corporate vault.
If already expired:
- Visit a SAT module with official ID.
- Revoke the expired certificate and request a new issuance.
- Do not try to repair expired files; you always need a new SAT-issued pair.
Step 3: Prepare the workstation for IDSE
IDSE still depends on Java and Internet Explorer mode:
- In Edge go to edge://settings/defaultBrowser and allow IE mode reload.
- Add https://idse.imss.gob.mx and https://certificados.imss.gob.mx.
- Install Java JRE 8 (not version 11+).
- Java Control Panel → Security → Edit Site List, add https://idse.imss.gob.mx.
- If SSL errors appear, temporarily enable TLS 1.0, 1.1 and 1.2 in Internet Options → Advanced.
Step 4: Load renewed e.firma
- Open IDSE in Edge IE mode.
- Choose e.firma login.
- Select the new .cer file (not the expired backup).
- Select matching .key and enter the exact password.
- Complete captcha and submit.
If loading succeeds you will see the main panel with your employer registry.
Step 5: Validate with a test transaction
Before bulk movements:
- Query pending movements summary or a controlled test registration.
- Sign a simple movement and download the PDF receipt.
- Confirm digital seal and correct date on the receipt.
Alternative Solution
If you cannot renew e.firma in time:
- Alternate legal representative with valid e.firma registered with IMSS can sign movements.
- IMSS branch office — paper submission with employer documentation (deadlines vary by region).
- Dedicated VM — Windows with IE11 or Edge IE mode only for IMSS/SAT avoids corporate security conflicts.
Prevention
- Renewal calendar: alert 90 and 30 days before each responsible e.firma expires.
- Certificate inventory: document RFC, holder, expiration and backup locations.
- Dedicated machine: PC or VM with Java JRE 8 and Edge IE mode exclusively for IDSE.
- Monthly test: on day 20 each month try IDSE login before movement deadlines.
- Revoke immediately if private key is lost.
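The local "Valid until" check from Step 1 and the 90/30-day renewal alerts above can be scripted over a folder of .cer files. This is an added example, not IMSS or SAT tooling. It assumes copies of the public .cer files sit in C:\Temp\efirma, and the function and parameter names are hypothetical.

```powershell
# Added example. Reads only public .cer files; the .key file and its
# password are never touched.
param(
    [string]$CertDir   = 'C:\Temp\efirma',  # assumed local folder of .cer copies
    [int[]] $AlertDays = @(90, 30)          # alert windows from the Prevention list
)

function Get-EfirmaStatus {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [datetime] $Now,
        [int[]] $AlertDays = @(90, 30)
    )
    $file = Split-Path $Path -Leaf
    try {
        # Parses DER or Base64 .cer files; no password is involved.
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    } catch {
        return [pscustomobject]@{ File = $file; Status = 'UNREADABLE: corrupt or not a certificate' }
    }
    $daysLeft = [int][math]::Floor(($cert.NotAfter - $Now).TotalDays)
    # Smallest alert window that the remaining lifetime already falls inside.
    $window = $AlertDays | Sort-Object | Where-Object { $daysLeft -le $_ } | Select-Object -First 1

    if ($Now -lt $cert.NotBefore) {
        $status = 'NOT YET VALID: check the Windows clock'
    } elseif ($Now -gt $cert.NotAfter) {
        $status = 'EXPIRED: a new SAT-issued pair is required'
    } elseif ($window) {
        $status = "RENEW: inside the $($window)-day alert window"
    } else {
        $status = 'OK'
    }
    [pscustomobject]@{
        File       = $file
        ValidUntil = $cert.NotAfter   # shown in local time, like the Windows dialog
        DaysLeft   = $daysLeft
        Status     = $status
        Subject    = $cert.Subject    # compare the RFC here with the employer registry
    }
}

$now = Get-Date
# A wrong system date makes valid certificates look expired, so show it first.
Write-Host "Local clock: $($now.ToString('yyyy-MM-dd HH:mm:ss'))  Time zone: $([System.TimeZoneInfo]::Local.Id)"
Get-ChildItem -Path $CertDir -Filter *.cer -File |
    ForEach-Object { Get-EfirmaStatus -Path $_.FullName -Now $now -AlertDays $AlertDays } |
    Sort-Object DaysLeft |
    Format-Table File, ValidUntil, DaysLeft, Status, Subject -AutoSize -Wrap
```

Run it from a scheduled task to feed the renewal calendar; a row marked NOT YET VALID on a freshly issued certificate usually points to the clock skew described under Root Cause.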
Related Issues
accesscontrol access denied read: Java cannot read .key from USB or network share. Copy files to local disk C:\Temp\efirma\ and retry.
Valid certificate but slow IDSE: high demand on first five business days of the month. Access between 8 PM and 6 AM Mexico City time.
Confused CSD with e.firma: CSD for CFDI invoicing is different from e.firma for IDSE. Do not swap files between procedures.
Summary
- IDSE rejects expired, revoked or wrong-RFC e.firma; standard validity is four years.
- Renew at SAT, download new .cer/.key and load in Edge IE mode with Java JRE 8.
- Verify RFC matches employer registry before submitting movements.
- Schedule renewal 90 days ahead and test access monthly.