If you manage payroll or administer a company in Mexico, you’ve likely had to use the IDSE (IMSS Desde Su Empresa) portal to submit employee enrollment changes. One of the most common problems is encountering errors like “Cannot establish secure connection”, “Invalid certificate”, or “Error loading .cer/.key certificate” when trying to log in with your e.firma. This article explains the causes of these errors and how to fix them step by step.
The Error
When attempting to access the IDSE portal at https://idse.imss.gob.mx using modern browsers like Google Chrome or Microsoft Edge, you will commonly see the following error messages:
- “Cannot establish secure connection” or “ERR_SSL_VERSION_OR_CIPHER_MISMATCH” — The browser rejects the connection to the IMSS server.
- “Invalid certificate” — The browser does not recognize the IDSE portal’s SSL certificate.
- “Error loading certificate” — The system cannot read your e.firma .cer or .key files.
- “Java plugin is not installed” or “Plugin blocked” — The browser blocks the Java execution needed for electronic signing.
These errors appear mainly when trying to authenticate with your e.firma (formerly known as FIEL) to perform tasks such as enrollments, terminations, or salary modifications for employees. The problem worsened starting in 2021 when Chrome and Edge permanently removed support for NPAPI plugins that Java required.
Root Cause
The IDSE portal was originally designed to work with Internet Explorer and Java applets, technologies that modern browsers no longer support. The specific causes of each error are:
Secure connection error (SSL/TLS): The IDSE server may require older TLS protocols (1.0 or 1.1) that Chrome and Edge disable by default in recent versions. This prevents the browser from completing the TLS handshake with the server.
Invalid certificate error: The IDSE portal’s SSL certificate may be signed by a certificate authority that the browser does not recognize, or the intermediate certificate is not sent correctly. This triggers a security warning that blocks access.
e.firma loading error: The .cer and .key files require a Java or ActiveX component to be processed by the portal. Without Java enabled, the upload form simply does not work or shows a generic error. It can also happen if:
- The .cer or .key files are corrupted or were copied incorrectly.
- The private key (.key) password is wrong.
- The e.firma certificate has expired (valid for 4 years from issuance).
- The files belong to a different RFC than the registered employer.
| Browser | IDSE Compatibility | Notes |
|---|---|---|
| Internet Explorer 11 | Full (when available) | Native Java support, but discontinued |
| Edge (IE mode) | High | Best current option for IDSE |
| Firefox ESR | Medium | Requires manual Java configuration |
| Chrome | Low | No Java support since 2015 |
| Edge (normal mode) | Low | No Java plugin support |
Step-by-Step Solution
Step 1: Verify your e.firma validity
Before attempting any browser configuration, confirm that your certificate is still valid:
- Go to
https://www.sat.gob.mxand navigate to the e.firma section. - Check the expiration date of your certificate. The e.firma is valid for 4 years.
- If your certificate has expired, you’ll need to renew it at a SAT office before you can use it on IDSE.
For a quick check, you can open your .cer file with the Windows certificate viewer by double-clicking it and reviewing the date under “Valid to.”
Step 2: Configure Microsoft Edge in Internet Explorer mode
This is currently the most reliable solution, as Edge includes an Internet Explorer compatibility mode:
- Open Microsoft Edge and go to
edge://settings/defaultBrowser. - Under “Allow sites to be reloaded in Internet Explorer mode”, select “Allow”.
- Click “Add” in the IE mode pages section and add:
https://idse.imss.gob.mxhttps://certificados.imss.gob.mx
- Restart Edge for the changes to take effect.
- Navigate to
https://idse.imss.gob.mx— it should automatically open in IE mode (you’ll see an IE icon in the address bar).
Step 3: Install and configure Java JRE 8
The IDSE portal requires Java to process e.firma certificates:
- Download Java JRE 8 (not newer versions) from
https://www.java.com/en/download/. - Install Java with default options.
- Open the Java Control Panel (search for “Configure Java” in the Start menu).
- Go to the Security tab:
- Make sure “Enable Java content in the browser” is checked.
- Set the security level to High (do not use Medium).
- Click “Edit Site List” and add:
https://idse.imss.gob.mx
- In the Advanced tab, make sure TLS 1.0 and TLS 1.2 are enabled.
Step 4: Enable TLS 1.0 and 1.1 in Internet Options
If you receive the “Cannot establish secure connection” error:
- Open Internet Options from the Windows Control Panel.
- Go to the Advanced tab.
- In the Security section, find and check:
- ☑ Use TLS 1.0
- ☑ Use TLS 1.1
- ☑ Use TLS 1.2
- Click Apply and OK.
- Restart Edge and try accessing IDSE again.
Security note: Enabling TLS 1.0 and 1.1 reduces your browser’s security. It is recommended to disable them again after completing your IDSE tasks.
Step 5: Load your e.firma certificate
Once inside the IDSE portal with the browser properly configured:
- Select the e.firma login option.
- Click “Select file” for your certificate (.cer).
- Browse to your .cer file location and select it.
- Click “Select file” for your private key (.key).
- Enter your private key password — be careful with uppercase letters and special characters.
- Click “Submit” to authenticate.
If the system does not show the upload buttons or displays a gray box, it means Java is not loading correctly. Go back to Step 3 and verify the configuration.
Step 6: Clear cache if errors persist
If after all configuration you still have problems:
- In Edge, press
Ctrl + Shift + Deleteand clear all browsing data. - In the Java Control Panel, go to General > Temporary Internet Files > Settings > Delete Files.
- Close all browser windows and reopen.
- Try accessing
https://idse.imss.gob.mxagain.
Alternative Solution
If Edge IE mode does not work correctly or you have a Windows version that does not support it, try Firefox ESR (Extended Support Release):
- Download Firefox ESR from
https://www.mozilla.org/en-US/firefox/enterprise/. - Install Firefox ESR and Java JRE 8.
- In Firefox, type
about:configin the address bar. - Search for
security.tls.version.minand change the value to 1 (to enable TLS 1.0). - Search for
plugin.load_flash_onlyand set to false. - Restart Firefox and access IDSE.
Another alternative is to use a virtual machine with Windows 7 and Internet Explorer 11, although this option is more complex and only recommended as a last resort. You can also consider doing your paperwork in person at the IMSS subdelegation if problems persist.
Prevention
To avoid these recurring problems with IDSE:
- Maintain a dedicated browser: Configure Edge in IE mode or Firefox ESR exclusively for IMSS and SAT sites. Don’t use it for general browsing.
- Don’t update Java unnecessarily: If Java JRE 8 works with IDSE, don’t update to a newer version that could break compatibility.
- Back up your e.firma files: Keep copies of your .cer and .key files on an encrypted USB drive and in the cloud. If they get corrupted, you’ll need to visit SAT to generate new ones.
- Renew your e.firma before it expires: You can renew it online up to 1 year before expiration. If it has already expired, you must go to SAT in person.
- Document your configuration: Write down the configuration steps that worked for you for future reference or for setting up other company computers.
- Check the IMSS calendar: IDSE has scheduled maintenance windows when the portal is unavailable. Check the calendar on the IMSS site before assuming it’s a problem with your computer.
Related Issues
“Java applet error when signing movements”: This error appears when you’ve already logged into IDSE but the signing applet doesn’t load. The solution is identical: verify Java JRE 8 and security exceptions.
“Digital certificate does not match employer registration”: This error is not browser-related but data-related. Verify that the RFC on your e.firma certificate matches the employer registered with IMSS.
“Timeout” or very slow portal: The IDSE server has high demand near submission deadlines (first 5 business days of the month). Try accessing during off-peak hours.
“Error accesscontrol access denied read”: If Java blocks file reading, you need to edit the java.policy file to add read permissions. See our dedicated article about this specific error.
Summary
- The IDSE IMSS portal has compatibility issues with modern browsers because it was designed for Internet Explorer and Java.
- “Cannot establish secure connection” errors are fixed by enabling TLS 1.0/1.1 in Internet Options.
- The best current solution is to use Microsoft Edge in Internet Explorer mode with Java JRE 8 configured.
- Your e.firma .cer and .key files must be current and not corrupted for the portal to accept them.
- Always revert security changes (TLS 1.0/1.1) after completing your IDSE tasks.
- Firefox ESR or a virtual machine with IE 11 are viable alternatives if Edge IE mode doesn’t work.
- Keep backups of your e.firma and renew it in advance to avoid emergencies.