
Digital Invoice Mexico: Import Production Certificates

Former Member
0 Kudos

Hi,

I am trying to import certificate for Digital Invoice Mexico on our production system. I received the key and certificate from our Mexico Supply Chain Manager (filenames are 00001000000100782918TEXTILE.cer and him9409125m0_0907211449s.key).

After that, I followed note 1300880 and executed the following commands:

openssl pkcs8 -inform DER -in him9409125m0_0907211449s.key -passin pass:### -outform PEM -out CSD_01.key.pem -passout pass:###

openssl x509 -inform DER -in 00001000000100782918TEXTILE.cer -outform PEM -out CSD_01.cer.pem

I now have to add the ACx and ARCx root certificates. I downloaded the file AC2-Sat.crt from http://www.banxico.org.mx/sistemasdepago/ies/iespub/ies_acs.html and exported that crt file as a .cer file. I then executed the command openssl x509 -in AC2-Sat.cer -outform PEM -out AC2-Sat.cer.pem.

Now I have to chain my certificates, and from here, the note gets confusing.

I first tried the following:

copy CSD_01.key.pem+CSD_01.cer.pem CSD_01_chain.pem

openssl pkcs12 -in CSD_01_chain.pem -passin pass:### -export -out CSD_01.p12 -name SAT -passout pass:###

sapgenpse import_p12 -p CSD_01.pse -x ### -z ### CSD_01.p12

But this gave error:

ERROR: Incomplete certification path -- NEED certificate of "unstructuredName=Responsable: Fernando Martínez Coss, L=Cuauhtemoc, SP=Distrito Federal, C=MX, postalCode=06300, ST="Av. Hidalgo 77, Col. Guerrero", EMAIL=###, O=Servicio de Administración Tributaria, CN=A.C. del Servicio de Administración Tri"!

So I tried again, but now used the following command to create the CSD_01_chain.pem:

copy CSD_01.key.pem+CSD_01.cer.pem+AC2-Sat.cer.pem CSD_01_chain.pem

I then made a p12 file out of this CSD_01_chain.pem, and importing this file now gives another error:

ERROR: Incomplete certification path -- NEED certificate of "OU=Infraestructura Extendida de Seguridad, CN=Agencia Registradora Central, C=MX, O=Banco de Mexico"!

How do I get rid of this error? How do I need to create the CSD_01_chain.pem? Which files do I need for that?

Regards,

Kevin

Accepted Solutions (0)

Answers (8)


Former Member
0 Kudos

Dear all,

SOLVED

ERROR: Incomplete certification path -- NEED certificate of "OU=Infraestructura Extendida de Seguridad, CN=Agencia Registradora Central, C=MX, O=Banco de Mexico"!

In my case I carried out all the steps given by SAP and still got the same error. The cause was that, besides downloading the SAT files, you have to download from the Banxico page all the files you find with AC-Sat:

http://www.banxico.org.mx/sistemas-de-pago/servicios/firma-electronica/certificados-de-la-ies/certif...

Note: 1300880

Here are my steps.

Convert KEY to PEM
openssl pkcs8 -inform DER -in Key.key -passin pass:T9J3W7N5 -outform PEM -out KEY.pem -passout pass:(Pass)

Convert CER to PEM
openssl x509 -inform DER -in Cer.cer -trustout -outform PEM -out Cer.pem
openssl x509 -inform DER -in AC_SAT1059.cer -trustout -outform PEM -out AC_SAT1059.pem
openssl x509 -inform DER -in AC3_SAT.cer -trustout -outform PEM -out AC3_SAT.pem
openssl x509 -inform DER -in ACsat.cer -trustout -outform PEM -out ACsat.pem
openssl x509 -inform DER -in AR_SAT.cer -trustout -outform PEM -out AR_SAT.pem
openssl x509 -inform DER -in ARC1_IES.cer -trustout -outform PEM -out ARC1_IES.pem
openssl x509 -inform DER -in ARC2_IES.crt -trustout -outform PEM -out ARC2_IES.pem
openssl x509 -inform DER -in AC-Sat1070.cer -trustout -outform PEM -out AC-Sat1070.pem
openssl x509 -inform DER -in AC-Sat.cer -trustout -outform PEM -out AC-Sat.pem

Combine into one PEM
copy KEY.pem+CER.pem+AC_SAT1059.pem+AC3_SAT.pem+ACsat.pem+AR_SAT.pem+ARC1_IES.pem+ARC2_IES.pem+AC-Sat1070.pem+AC-Sat.pem ConcatenadoPEM.pem

rem convert pem file to pkcs12

Convert PEM to P12
openssl pkcs12 -in ConcatenadoPEM.pem -passin pass:(Pass) -export -out archivop12.p12 -name SAT -passout pass:(Pass)

Convert P12 to PSE
sapgenpse import_p12 -p archivoPSE.pse -x (Pass) -z (Pass) archivop12.p12

Generate credentials
sapgenpse seclogin -p SAPMXDI_XXXXMX_(IDIPP).pse -x (Pass) -O SapServiceIPP
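An added example, not part of any post in this thread and not SAP or SAT code: a pre-flight check, run before `openssl pkcs12 -export` and `sapgenpse import_p12`, that reports which issuer certificate is absent from the downloaded set and which certificate in the path has expired, the two failures quoted in this thread. It reads DER or PEM files (including the `TRUSTED CERTIFICATE` label written by `-trustout`), matches issuer and subject names bytewise and compares `notAfter` dates; it does not verify signatures, and the function names and the name-only matching are assumptions of this example.

```python
import base64, re, sys
from datetime import datetime, timezone

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def to_der(data):
    """Accept DER or PEM (CERTIFICATE or TRUSTED CERTIFICATE); return DER."""
    m = re.search(rb"-----BEGIN (?:TRUSTED )?CERTIFICATE-----(.+?)-----END", data, re.S)
    der = base64.b64decode(m.group(1)) if m else data
    if der[:1] != b"\x30":  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("not a PEM or DER certificate")
    return der

def parse(data):
    """Return (issuer, subject, not_after); the names are raw DER bytes."""
    der = to_der(data)
    _, p, _ = tlv(der, tlv(der, 0)[1])  # Certificate -> tbsCertificate content
    spans = []
    while len(spans) < 5:  # serial, sigAlg, issuer, validity, subject
        tag, start, end = tlv(der, p)
        if tag != 0xA0:  # skip the optional [0] version field
            spans.append((p, start, end))
        p = end
    issuer, validity, subject = spans[2:5]
    _, _, after = tlv(der, validity[1])  # step over notBefore
    tag, s, e = tlv(der, after)  # notAfter: UTCTime (0x17) or GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    not_after = datetime.strptime(der[s:e].decode(), fmt).replace(tzinfo=timezone.utc)
    return der[issuer[0]:issuer[2]], der[subject[0]:subject[2]], not_after

def check_chain(leaf, pool, now):
    """Walk leaf -> self-signed root by name only; return [(problem, DER name)]."""
    by_subject = {c[1]: c for c in map(parse, pool)}
    issuer, subject, not_after = parse(leaf)
    problems, seen = [], set()
    while True:
        if not_after < now:
            problems.append(("expired", subject))
        if issuer == subject:  # self-signed root reached
            return problems
        if issuer not in by_subject or issuer in seen:
            return problems + [("missing issuer", issuer)]
        seen.add(issuer)
        issuer, subject, not_after = by_subject[issuer]

if __name__ == "__main__":  # usage: python check_chain.py leaf.cer ca1.cer ca2.cer ...
    blobs = [open(f, "rb").read() for f in sys.argv[1:]]
    for problem, name in check_chain(blobs[0], blobs[1:], datetime.now(timezone.utc)):
        print(problem, re.sub(rb"[^\x20-\x7e]+", b" ", name).decode())  # printable DN parts
```

An empty result means every issuer up to a self-signed root was found by name and nothing on the path has expired. When two CA certificates carry the same subject name, only the last one passed in is considered.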

martin_chaloupka
Discoverer
0 Kudos

Hi I am writing to this post, as it seems some could go beyond the step I have a problem with.

I am trying to implement this on our productive system, implementing the test certificates on the test systems worked.

But on the productive system I have a few questions

We received the key and the cer from our Mexican company but with no password; should they have gotten it from the authorities?

Then I downloaded the files AC1-Sat.cer, AC2-Sat.cer, AC-Sat1059.cer and AR-SAT.cer from

http://www.banxico.org.mx/sistemas-de-pago/servicios/firma-electronica/certificados-de-la-ies/certif...

Creating the pem Files from all the *.cer worked fine with the command:

openssl x509 -in AC1-Sat.cer -outform PEM -out AC1-Sat.cer.pem etc.

so it seems they updated the files on the site, they are valid till 2012 or even 2018

But I have a problem with one step:

C:\openssl pkcs8 -inform DER -in *.key -passin pass:password -outform PEM -out CSD_01.key.pem -passout pass:password

Where do I get the password for this step?

and after the chain is created (which I cannot do at the moment as the key cannot be converted) for the following step:

openssl pkcs12 -in CSD_01_chain.pem -passin pass:password -export -out CSD_01.p12 -name SAT -passout pass:password

Where do You get the password or is it the same one as for the key?

Martin

ChristoA
Explorer
0 Kudos

Hi Martin,

I am facing the same problem as you now. Can you please let me know where you got the password for the key?

Thanks

Christo

Former Member
0 Kudos

Hi.

Here is solution for missing password problem:

I got startup information from this page (used Google Translate): Setting Up a Business in Mexico: What is a FIEL? http://www.mexipreneur.com/?p=31

Password from the CIEC key. It is used to access taxpayer's private portal on Mexican SAT site. It can be used to decrypt the private key.

To get password read next

Advanced Electronic Signature: http://www.sat.gob.mx/sitio_internet/e_sat/tu_firma/default.asp

particularly this:

Electronic Identification Key Confidential CIEC : http://www.sat.gob.mx/sitio_internet/informacion_fiscal/18_3462.html

So there is a password existing. To get it, please ask your Mexican SAT contacts. They definitely have a password.

Ref:

[PDF] On the Security of Mexican Digital Fiscal Documents

http://www.ejournal.unam.mx/cys/vol12-01/CYS012000102.pdf

Former Member
0 Kudos

Hi Myriam,

I have tried the hint from the OSS note, and still get the same message. I am traveling today, but I got the right root certificates. I will update with the path to the certificates tomorrow.

Regards,

Judith

Former Member
0 Kudos

Hi,

Still some problem with the production certificates for the mexico digital invoice.

SAT said there is no need to use root certificates but we have an incomplete certification path error message when we don't use the root certificates.

We managed to build the PSE file using the AC2_SAT and ARC1_IES certificates, but now we have an error when executing the function SSF_KRN_SIGN: it returns SSF return code 205 (unknown error), so we don't know what the problem is. When we execute the ZSSF_TEST_PSE program to test the digital signature, we get a signature error (SSF error: unknown error 205), and in the Subject (DN) (overview of certificates from PSE) there is nothing, which is not normal.

Can someone who has already created the production certificates help and confirm which root certificates you use and in which order?

best regards

Myriam

Former Member
0 Kudos

Hi,

We found the problem : certificate Name (Subject) was more than 255 characters.

Applying OSS note 1519477 corrected our problem.

We use root certificates found in SAT web site : AC2_SAT.cer and ARC1_IES.cer and it seems working.

Can you confirm if you use the same root certificates for production use as SAT is stating these root certificates should be used for testing purpose only and no need of root certificates for production use but without them it is not working.

regards

Myriam.

0 Kudos

Hi Miryam,

We have a similar problem generating the certificates. I'm reading your post, but I don't know how I can check whether the subject exceeds 255 characters.

We have ECC 5.0, Non-Unicode system. By the way you have the SAT link to download the certificates (AC2_SAT.cer and ARC1_IES.cer )?

Kind regards,

Edmundo Rabelo

Former Member
0 Kudos

Good morning Myriam:

This is Misael from Mexico. I have a problem like the one you had some time ago. I am making an XML file for the Mexican invoices, but I cannot get the correct digital signature certificate. We are not using PI; we use the following code:

MYPROFILE = PROFILE.
MYPROFILEPW = PROFILEPW.

CALL FUNCTION 'SSFC_GETCERTIFICATEREQUEST'
  EXPORTING
    PROFILE = MYPROFILE
    PROFILEPW = MYPROFILEPW
  IMPORTING
    CERTREQUEST_LEN = CERTREQLEN
  TABLES
    CERTREQUEST = CERTREQ
  EXCEPTIONS
    SSF_KRN_ERROR = 1
    SSF_KRN_NOMEMORY = 2
    SSF_KRN_NOSSFLIB = 3
    SSF_KRN_INVALID_PAR = 4
    SSF_KRN_NOCERTIFICATE = 5
    OTHERS = 6.

IF SY-SUBRC NE 0.
  RC = 1. RETURN.
ENDIF.

* remove trailing \0
LASTLINE = CERTREQLEN DIV CERTREQTABLE_LINE_LENGTH + 1.
LASTOFFSET = CERTREQLEN MOD CERTREQTABLE_LINE_LENGTH.

IF LASTOFFSET > 0.
  READ TABLE CERTREQ INDEX LASTLINE INTO CERTREQWA.
  IF SY-SUBRC NE 0.
    RC = 2. RETURN.
  ENDIF.
  CLEAR: CERTREQWA+LASTOFFSET.
  MODIFY CERTREQ FROM CERTREQWA INDEX LASTLINE.
  IF SY-SUBRC NE 0.
    RC = 2. RETURN.
  ENDIF.
ENDIF.

In table CERTREQ we receive the certified but when I verify it with SAT, they send me a Error message.

Did You have the same problem? Did You solve it?

Best regards and happy thanksgiving.

Misael

Former Member
0 Kudos

Hi,

When I put -inform DER on all certificates, including the root certificates, I don't get those errors.

But I don't understand the difference between '-inform DER -in' and just -in. Would it work if, for my production system, I run those commands for all certificates with -inform DER?

BTW, in my example I have put twice the AC2_SAT cer file by mistake, but that is not the problem.

Thank you,

Judith

Former Member
0 Kudos

Hi,

We are also at the step of importing the production certificates and we also get the message "Incomplete certification path".

Do you know which root certificates, we have to use among the ones that the SAT is providing ?

AC0 is expired.

AC1 and AC2 seems to have the same issuer and receiver

ARC0 is from Banxico related to AC0 so i don't think we should use it.

ARC1 seems OK

so we try to use only AC2_SAT and ARC1_IES (ARC to ARC, ARC to SAT and finally ours : SAT to our company) but it is not working.

Do we have to use also AC1 even if it is rather the same as AC2 ?

Thanks for your answer.

Myriam.

Former Member
0 Kudos

Hi,

I have finished the Mexico Digital Invoice in our TST system, but now, to get to Production, OSS note 1300880 mentions using the command openssl x509 -in .. instead of openssl x509 -inform DER -in for all root certificates. I have done that, but now I am getting errors.

These are the commands I am using:

rem convert key from DER to PEM
openssl pkcs8 -inform DER -in password_1011250847S.key -passin pass:password -outform PEM -out CSD_01.key.pem -passout pass:password

rem convert certs from DER to PEM
openssl x509 -inform DER -in 00001000000102241329.cer -outform PEM -out CSD_01.cer.pem
openssl x509 -in AC0_SAT.cer -outform PEM -out AC0_SAT.cer.pem
openssl x509 -in AC2_SAT.cer -outform PEM -out AC2_SAT.cer.pem
openssl x509 -in AC2_SAT.cer -outform PEM -out AC2_SAT.cer.pem
openssl x509 -in ARC0_IES.cer -outform PEM -out ARC0_IES.cer.pem
openssl x509 -in ARC1_IES.cer -outform PEM -out ARC1_IES.cer.pem

rem append cert and key into one file
copy CSD_01.key.pem+CSD_01.cer.pem+AC0_Sat.cer.pem+AC1_Sat.cer.pem+AC2_Sat.cer.pem+ARC0_IES.cer.pem+ARC1_IES.cer.pem CSD_01_chain.pem

rem convert pem file to pkcs12
openssl pkcs12 -in CSD_01_chain.pem -passin pass:password -export -out CSD_01.p12 -name SAT -passout pass:password


But I got the following errors:

C:\openssl pkcs8 -inform DER -in password_1011250847S.key -passin pass:password -outform PEM -out CSD_01.key.pem -passout pass:password

C:\rem convert certs from DER to PEM

C:\openssl x509 -inform DER -in 00001000000102241329.cer -outform PEM -out CSD_01.cer.pem

C:\openssl x509 -in AC0_SAT.cer -outform PEM -out AC0_SAT.cer.pem
unable to load certificate
7152:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: TRUSTED CERTIFICATE

C:\openssl x509 -in AC2_SAT.cer -outform PEM -out AC2_SAT.cer.pem
unable to load certificate
7460:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: TRUSTED CERTIFICATE

C:\openssl x509 -in AC2_SAT.cer -outform PEM -out AC2_SAT.cer.pem
unable to load certificate
6508:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: TRUSTED CERTIFICATE

C:\openssl x509 -in ARC0_IES.cer -outform PEM -out ARC0_IES.cer.pem
unable to load certificate
4128:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: TRUSTED CERTIFICATE

C:\openssl x509 -in ARC1_IES.cer -outform PEM -out ARC1_IES.cer.pem
unable to load certificate
1260:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: TRUSTED CERTIFICATE

C:\rem append cert and key into one file

C:\copy CSD_01.key.pem+CSD_01.cer.pem+AC0_Sat.cer.pem+AC1_Sat.cer.pem+AC2_Sat.cer.pem+ARC0_IES.cer.pem+ARC1_IES.cer.pem CSD_01_chain.pem
CSD_01.key.pem
CSD_01.cer.pem
1 file(s) copied.

C:\rem convert pem file to pkcs12

C:\openssl pkcs12 -in CSD_01_chain.pem -passin pass:password -export -out CSD_01.p12 -name SAT -passout pass:password
Loading 'screen' into random state - done


Did somebody get the same errors? Are my commands right? I want to be sure that I have to remove the -inform DER from all certificates, except from the private certificate, right?

How can I solve this problem?

Thank you so much,

Judith

Former Member
0 Kudos

Hi, Judy,

have you tried that ?

OSS note 130880

additional hint:

Use command line

x509 -inform DER -in [certificate name] -trustout -outform PEM -out [certificate name].pem when you get error messages during the PEM file creation (trusted certificate needed)

regards

Myriam

Former Member
0 Kudos

When I run the ZSSF_TEST_PSE, I get the following.

Test signature

Signature ERROR - Unknown signer or recipient

Test encryption

Encryption ERROR - Unknown signer or recipient

I have looked at note:800240 but don't see how to fix this.

Thanks,

Sherry

Edited by: Sherry Samson on Jul 29, 2010 10:37 PM

Former Member
0 Kudos

Hi Sherry,

Did you find a way to solve this issue? We are getting the exact same error.

I would really appreciate any help

Regards

Martin

Former Member
0 Kudos

Hi dear Sherry, do you have the solution to this issue?

I will be very grateful if can you tell us about the solution.

Thanks in advance.

Abraham Soto

abraham.soto@sap.delomejor.com.mx

Former Member
0 Kudos

Hello Kevin,

While generating digital invoice mexico: import certificate oss note # 1300880, I am getting the error

ERROR: Incomplete certification path -- NEED certificate of "OU=Infraestructura Extendida de Seguridad, CN=Agencia Registradora Central, C=MX, O=Banco de

I get this error in step - sapgenpse import_p12 -p SAPMXDI_12002009_500.pse -x xxx51 -z xxxx51 CSD_01.p12

Please let me know how to resolve this error.

Thanks,

Angelo.

Former Member
0 Kudos

The certificates that I downloaded from http://www.banxico.org.mx/sistemasdepago/ies/ies_entrada.html were not correct. I had to open an OSS message, and the import of the certificates worked correctly after SAP sent me the correct root certificates.

Former Member
0 Kudos

Hello, I Got the certificates from SAP,

AC0_SAT, AC1_SAT, AC2_SAT, ARC0_IES, ARC1_IES.

but I have a problem because one of them is expired:

AC0_SAT, Validity: 26/10/20040 to 27/10/2008.

C:\SAPGENPSE\ntintel>sapgenpse import_p12 -p CSD_01.pse -x a0123456789 -z a0123456789 CSD_01.p12
ERROR in import_p12: (9/0x0009) af_verify_Certificates failed
ERROR in af_verify_Certificates: (101/0x0065) forward path CA Certificate expired (notbefore=041027050000Z, notafter=081027060000Z, now=091025165700Z)
Subject: unstructuredName=Responsable: Cesar Luis Perales Tellez, EMAIL=asisnet.sat.gob.mx, x500UniqueIdentifier=SAT970701NN3, C=MX, SP=Distrito Federal, L=Coy
ERROR in af_check_validity_of_Certificate: (101/0x0065) Certificate expired (notbefore=041027050000Z, notafter=081027060000Z, now=091025165700Z)
ERROR in af_pse_get_Certificate_static: (4130/0x1022) Can't get certificate because cannot read object : "Cert"
ERROR in sec_read_PSE: (4130/0x1022) object is not in toc : "Cert"
ERROR in sec_read_object_from_toc: (4130/0x1022) object is not in toc : "Cert"

Did you have the same problem?

I will ask to SAP for the correct certificates.

Former Member
0 Kudos

This is the answer from SAP:

Thank you for the information provided.

We have sent to our customers these files but in case they are not valid anymore I kindly ask you to access the government portal for Digital Invoices to get a new one.

Please see below:

http://www.sat.gob.mx/sitio_internet/e_sat/comprobantes_fiscales/15_9849.html

And create a message for the government asking for the new valid ones.

Thank you for your cooperation.

Best regards.

I hope could get the correct ones from SAT.

Former Member
0 Kudos

Problem solved (I opened an OSS message and got the correct root certificate from SAP).

former_member685168
Discoverer
0 Kudos

Hello Kevin:

Have you finished the configuration to generate the DI in R/3?

We are doing the configuration but we have some problems with the "sellado" process.

Could you share your experiences with us?

Best Regards,