on 07-31-2009 6:03 PM
Hi,
I am trying to import the certificate for Digital Invoice Mexico on our production system. I received the key and certificate from our Mexico Supply Chain Manager (filenames are 00001000000100782918TEXTILE.cer and him9409125m0_0907211449s.key).
After that, I followed note 1300880 and executed the following commands:
openssl pkcs8 -inform DER -in him9409125m0_0907211449s.key -passin pass:### -outform PEM -out CSD_01.key.pem -passout pass:###
openssl x509 -inform DER -in 00001000000100782918TEXTILE.cer -outform PEM -out CSD_01.cer.pem
I now have to add the ACx and ARCx root certificates. I downloaded the file AC2-Sat.crt from http://www.banxico.org.mx/sistemasdepago/ies/iespub/ies_acs.html and exported that crt file as a .cer file. I then executed the command openssl x509 -in AC2-Sat.cer -outform PEM -out AC2-Sat.cer.pem.
Now I have to chain my certificates, and from here, the note gets confusing.
I first tried the following:
copy CSD_01.key.pem+CSD_01.cer.pem CSD_01_chain.pem
openssl pkcs12 -in CSD_01_chain.pem -passin pass:### -export -out CSD_01.p12 -name SAT -passout pass:###
sapgenpse import_p12 -p CSD_01.pse -x ### -z ### CSD_01.p12
But this gave error:
ERROR: Incomplete certification path -- NEED certificate of "unstructuredName=Responsable: Fernando Martínez Coss, L=Cuauhtemoc, SP=Distrito Federal, C=MX, postalCode=06300, ST="Av. Hidalgo 77, Col. Guerrero", EMAIL=###, O=Servicio de Administración Tributaria, CN=A.C. del Servicio de Administración Tri"!
So I tried again, but now used the following command to create the CSD_01_chain.pem:
copy CSD_01.key.pem+CSD_01.cer.pem+AC2-Sat.cer.pem CSD_01_chain.pem
I then made a p12 file out of this CSD_01_chain.pem, and importing this file now gives another error:
ERROR: Incomplete certification path -- NEED certificate of "OU=Infraestructura Extendida de Seguridad, CN=Agencia Registradora Central, C=MX, O=Banco de Mexico"!
How do I get rid of this error? How do I need to create the CSD_01_chain.pem? Which files do I need for that?
Regards,
Kevin
Dear all,
SOLVED
ERROR: Incomplete certification path -- NEED certificate of "OU=Infraestructura Extendida de Seguridad, CN=Agencia Registradora Central, C=MX, O=Banco de Mexico"!
In my case I followed all the steps given by SAP and got the same error. The cause was that, in addition to downloading the SAT files, you have to download from the Banxico page all the files you find with AC-Sat.
Note: 1300880
Here are my steps.
Convert KEY to PEM
openssl pkcs8 -inform DER -in Key.key -passin pass:T9J3W7N5 -outform PEM -out KEY.pem -passout pass:(Pass)
Convert CER to PEM
openssl x509 -inform DER -in Cer.cer -trustout -outform PEM -out Cer.pem
openssl x509 -inform DER -in AC_SAT1059.cer -trustout -outform PEM -out AC_SAT1059.pem
openssl x509 -inform DER -in AC3_SAT.cer -trustout -outform PEM -out AC3_SAT.pem
openssl x509 -inform DER -in ACsat.cer -trustout -outform PEM -out ACsat.pem
openssl x509 -inform DER -in AR_SAT.cer -trustout -outform PEM -out AR_SAT.pem
openssl x509 -inform DER -in ARC1_IES.cer -trustout -outform PEM -out ARC1_IES.pem
openssl x509 -inform DER -in ARC2_IES.crt -trustout -outform PEM -out ARC2_IES.pem
openssl x509 -inform DER -in AC-Sat1070.cer -trustout -outform PEM -out AC-Sat1070.pem
openssl x509 -inform DER -in AC-Sat.cer -trustout -outform PEM -out AC-Sat.pem
Combine into one PEM
copy KEY.pem+CER.pem+AC_SAT1059.pem+AC3_SAT.pem+ACsat.pem+AR_SAT.pem+ARC1_IES.pem+ARC2_IES.pem+AC-Sat1070.pem+AC-Sat.pem ConcatenadoPEM.pem
rem convert pem file to pkcs12
Convert PEM to P12
openssl pkcs12 -in ConcatenadoPEM.pem -passin pass:(Pass) -export -out archivop12.p12 -name SAT -passout pass:(Pass)
Convert P12 to PSE
sapgenpse import_p12 -p archivoPSE.pse -x (Pass) -z (Pass) archivop12.p12
Generate credentials
sapgenpse seclogin -p SAPMXDI_XXXXMX_(IDIPP).pse -x (Pass) -O SapServiceIPP
Hi, I am writing to this post, as it seems some could get beyond the step I have a problem with.
I am trying to implement this on our productive system; implementing the test certificates on the test systems worked.
But on the productive system I have a few questions.
We received the key and the cer from our Mexican company but with no password; should they have gotten it from the authorities?
Then I downloaded the files AC1-Sat.cer, AC2-Sat.cer, AC-Sat1059.cer and AR-SAT.cer from
Creating the pem files from all the *.cer worked fine with the command:
openssl x509 -in AC1-Sat.cer -outform PEM -out AC1-Sat.cer.pem etc.
So it seems they updated the files on the site; they are valid till 2012 or even 2018.
But I have a problem with one step:
C:\openssl pkcs8 -inform DER -in *.key -passin pass:password -outform PEM -out CSD_01.key.pem -passout pass:password
Where do I get the password for this step?
And after the chain is created (which I cannot do at the moment, as the key cannot be converted), for the following step:
openssl pkcs12 -in CSD_01_chain.pem -passin pass:password -export -out CSD_01.p12 -name SAT -passout pass:password
Where do you get the password, or is it the same one as for the key?
Martin
Hi.
Here is a solution for the missing password problem:
I got startup information from this page (used Google Translate): Setting Up a Business in Mexico: What is a FIEL? http://www.mexipreneur.com/?p=31
Password from the CIEC key. It is used to access the taxpayer's private portal on the Mexican SAT site. It can be used to decrypt the private key.
To get the password, read next:
Advanced Electronic Signature: http://www.sat.gob.mx/sitio_internet/e_sat/tu_firma/default.asp
particularly this:
Electronic Identification Key Confidential CIEC : http://www.sat.gob.mx/sitio_internet/informacion_fiscal/18_3462.html
So there is a password existing. To get it, please ask your Mexican SAT contacts. They definitely have a password.
Ref:
[PDF] On the Security of Mexican Digital Fiscal Documents
Hi Myriam,
I have tried the hint from the OSS note, and still get the same message. I am traveling today, but I got the right root certificates. I will update with the path to the certificates tomorrow.
Regards,
Judith
Hi,
Still some problems with the production certificates for the Mexico digital invoice.
SAT said there is no need to use root certificates, but we get an incomplete certification path error message when we don't use the root certificates.
We managed to build the PSE file using the AC2_SAT and ARC1_IES certificates, but now we have an error when executing the function SSF_KRN_SIGN: it returns SSF return code 205: unknown error, so we don't know what the problem is. When we execute the ZSSF_TEST_PSE program to test the digital signature, we get a signature error (SSF error: unknown error 205), and in the Subject (DN) (overview of certificates from PSE) there is nothing, which is not normal.
Can someone who has already created the production certificates help and confirm which root certificates you use and in which order?
Best regards,
Myriam
Hi,
We found the problem: the certificate name (Subject) was more than 255 characters.
We applied OSS note 1519477 and it corrected our problem.
We use the root certificates found on the SAT web site, AC2_SAT.cer and ARC1_IES.cer, and it seems to be working.
Can you confirm whether you use the same root certificates for production use? SAT states that these root certificates should be used for testing purposes only and that there is no need for root certificates in production use, but without them it is not working.
Regards,
Myriam.
Hi Myriam,
We have a similar problem generating the certificates. I'm reading your post, but I don't know how I can check whether the subject exceeds 255 characters.
We have ECC 5.0, a non-Unicode system. By the way, do you have the SAT link to download the certificates (AC2_SAT.cer and ARC1_IES.cer)?
Kind regards,
Edmundo Rabelo
Good morning Myriam:
This is Misael from Mexico. I have a problem similar to the one you had some time ago. I am making an XML file for the Mexican invoices, but I cannot get the correct certificate of digital signature. We are not using PI; we use the following code:
MYPROFILE = PROFILE.
MYPROFILEPW = PROFILEPW.
CALL FUNCTION 'SSFC_GETCERTIFICATEREQUEST'
  EXPORTING
    PROFILE               = MYPROFILE
    PROFILEPW             = MYPROFILEPW
  IMPORTING
    CERTREQUEST_LEN       = CERTREQLEN
  TABLES
    CERTREQUEST           = CERTREQ
  EXCEPTIONS
    SSF_KRN_ERROR         = 1
    SSF_KRN_NOMEMORY      = 2
    SSF_KRN_NOSSFLIB      = 3
    SSF_KRN_INVALID_PAR   = 4
    SSF_KRN_NOCERTIFICATE = 5
    OTHERS                = 6.
IF SY-SUBRC NE 0.
  RC = 1. RETURN.
ENDIF.
* remove trailing \0
LASTLINE = CERTREQLEN DIV CERTREQTABLE_LINE_LENGTH + 1.
LASTOFFSET = CERTREQLEN MOD CERTREQTABLE_LINE_LENGTH.
IF LASTOFFSET > 0.
  READ TABLE CERTREQ INDEX LASTLINE INTO CERTREQWA.
  IF SY-SUBRC NE 0.
    RC = 2. RETURN.
  ENDIF.
  CLEAR: CERTREQWA+LASTOFFSET.
  MODIFY CERTREQ FROM CERTREQWA INDEX LASTLINE.
  IF SY-SUBRC NE 0.
    RC = 2. RETURN.
  ENDIF.
ENDIF.
In table CERTREQ we receive the certificate, but when I verify it with SAT, they send me an error message.
Did You have the same problem? Did You solve it?
Best regards and happy thanksgiving.
Misael
Hi,
When I put -inform DER on all certificates, including root certificates, I don't get those errors.
But I don't understand the difference between '-inform DER -in' and just -in. Would it work if, for my production system, I run those commands for all certificates with -inform DER?
BTW, in my example I have put the AC2_SAT cer file twice by mistake, but that is not the problem.
Thank you,
Judith
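On the '-inform DER' question above: the "no start line" error quoted elsewhere in this thread is OpenSSL's PEM reader reporting that the file has no -----BEGIN line, which is what a binary DER file looks like when it is read as PEM. The following is an added example, not part of the original posts or of SAP note 1300880; it classifies a certificate file by its bytes and builds the conversion command with an explicit -inform. The function names are hypothetical, and the sample bytes are constructed and are not a real certificate.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN (?:TRUSTED )?CERTIFICATE-----")

def der_claimed_length(data):
    """Total size the outer DER SEQUENCE header claims, or None if not DER-like."""
    if len(data) < 2 or data[0] != 0x30:        # a certificate is one SEQUENCE
        return None
    first = data[1]
    if first < 0x80:                            # short form: one length byte
        return 2 + first
    n = first & 0x7F                            # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def detect_encoding(data):
    """Classify certificate file bytes as 'PEM', 'DER' or 'unknown'."""
    if PEM_RE.search(data):
        return "PEM"
    if der_claimed_length(data) == len(data):   # header must span the whole file
        return "DER"
    return "unknown"

def x509_command(path, data):
    """Build the 'openssl x509' conversion command with the matching -inform."""
    kind = detect_encoding(data)
    if kind == "unknown":
        raise ValueError(f"{path}: neither PEM nor a single DER SEQUENCE")
    return ["openssl", "x509", "-inform", kind, "-in", path,
            "-outform", "PEM", "-out", path + ".pem"]

def der_to_pem(der):
    """Wrap DER bytes in PEM armour (base64, 64 characters per line)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return pem.encode("ascii")

# Constructed sample: a SEQUENCE header claiming 256 content bytes, then zeros.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)

if __name__ == "__main__":
    print(" ".join(x509_command("AC2_SAT.cer", SAMPLE_DER)))
    print(" ".join(x509_command("AC2_SAT.cer", der_to_pem(SAMPLE_DER))))
```
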
Hi,
We are also at the step of importing the production certificates, and we also get the message "Incomplete certification path".
Do you know which root certificates we have to use among the ones that the SAT is providing?
AC0 is expired.
AC1 and AC2 seem to have the same issuer and receiver.
ARC0 is from Banxico, related to AC0, so I don't think we should use it.
ARC1 seems OK.
So we tried to use only AC2_SAT and ARC1_IES (ARC to ARC, ARC to SAT and finally ours: SAT to our company), but it is not working.
Do we also have to use AC1, even if it is more or less the same as AC2?
Thanks for your answer.
Myriam.
Hi,
I have finished the Mexico Digital Invoice in our TST system, but now, to get to Production, OSS note 1300880 mentions using the command openssl x509 -in .. instead of openssl x509 -inform DER -in for all root certificates. I have done that, but now I am getting errors.
These are the commands I am using:
rem convert key from DER to PEM
openssl pkcs8 -inform DER -in password_1011250847S.key -passin pass:password -outform PEM -out CSD_01.key.pem -passout pass:password
rem convert certs from DER to PEM
openssl x509 -inform DER -in 00001000000102241329.cer -outform PEM -out CSD_01.cer.pem
openssl x509 -in AC0_SAT.cer -outform PEM -out AC0_SAT.cer.pem
openssl x509 -in AC2_SAT.cer -outform PEM -out AC2_SAT.cer.pem
openssl x509 -in AC2_SAT.cer -outform PEM -out AC2_SAT.cer.pem
openssl x509 -in ARC0_IES.cer -outform PEM -out ARC0_IES.cer.pem
openssl x509 -in ARC1_IES.cer -outform PEM -out ARC1_IES.cer.pem
rem append cert and key into one file
copy CSD_01.key.pem+CSD_01.cer.pem+AC0_Sat.cer.pem+AC1_Sat.cer.pem+AC2_Sat.cer.pem+ARC0_IES.cer.pem+ARC1_IES.cer.pem CSD_01_chain.pem
rem convert pem file to pkcs12
openssl pkcs12 -in CSD_01_chain.pem -passin pass:password -export -out CSD_01.p12 -name SAT -passout pass:password
-
But I got the following errors:
C:\openssl pkcs8 -inform DER -in password_1011250847S.key -passin pass:password -outform PEM -out CSD_01.key.pem -passout pass:password
C:\rem convert certs from DER to PEM
C:\openssl x509 -inform DER -in 00001000000102241329.cer -outform PEM -out CSD_01.cer.pem
C:\openssl x509 -in AC0_SAT.cer -outform PEM -out AC0_SAT.cer.pem
unable to load certificate
7152:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
C:\openssl x509 -in AC2_SAT.cer -outform PEM -out AC2_SAT.cer.pem
unable to load certificate
7460:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
C:\openssl x509 -in AC2_SAT.cer -outform PEM -out AC2_SAT.cer.pem
unable to load certificate
6508:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
C:\openssl x509 -in ARC0_IES.cer -outform PEM -out ARC0_IES.cer.pem
unable to load certificate
4128:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
C:\openssl x509 -in ARC1_IES.cer -outform PEM -out ARC1_IES.cer.pem
unable to load certificate
1260:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
C:\rem append cert and key into one file
C:\copy CSD_01.key.pem+CSD_01.cer.pem+AC0_Sat.cer.pem+AC1_Sat.cer.pem+AC2_Sat.cer.pem+ARC0_IES.cer.pem+ARC1_IES.cer.pem CSD_01_chain.pem
CSD_01.key.pem
CSD_01.cer.pem
1 file(s) copied.
C:\rem convert pem file to pkcs12
C:\openssl pkcs12 -in CSD_01_chain.pem -passin pass:password -export -out CSD_01.p12 -name SAT -passout pass:password
Loading 'screen' into random state - done
-
Did somebody get the same errors? Are my commands right? I want to be sure that I have to remove the -inform DER from all certificates, except from the private certificate, right?
How can I solve this problem?
Thank you so much,
Judith
When I run the ZSSF_TEST_PSE, I get the following.
Test signature
Signature ERROR - Unknown signer or recipient
Test encryption
Encryption ERROR - Unknown signer or recipient
I have looked at note 800240 but don't see how to fix this.
Thanks,
Sherry
Edited by: Sherry Samson on Jul 29, 2010 10:37 PM
Hi dear Sherry, do you have the solution to this issue?
I will be very grateful if you can tell us about the solution.
Thanks in advance.
Abraham Soto
Hello Kevin,
While generating the Digital Invoice Mexico certificate import per OSS note 1300880, I am getting the error
ERROR: Incomplete certification path -- NEED certificate of "OU=Infraestructura Extendida de Seguridad, CN=Agencia Registradora Central, C=MX, O=Banco de
I get this error in step - sapgenpse import_p12 -p SAPMXDI_12002009_500.pse -x xxx51 -z xxxx51 CSD_01.p12
Please let me know how to resolve this error.
Thanks,
Angelo.
The certificates that I downloaded from http://www.banxico.org.mx/sistemasdepago/ies/ies_entrada.html were not correct. I had to open an OSS message, and the import of the certificates worked correctly after SAP sent me the correct root certificates.
Hello, I got the certificates from SAP:
AC0_SAT, AC1_SAT, AC2_SAT, ARC0_IES, ARC1_IES.
but I have a problem because one of them is expired:
AC0_SAT, Validity: 26/10/20040 to 27/10/2008.
C:\SAPGENPSE\ntintel>sapgenpse import_p12 -p CSD_01.pse -x a0123456789 -z a0123456789 CSD_01.p12
ERROR in import_p12: (9/0x0009) af_verify_Certificates failed
ERROR in af_verify_Certificates: (101/0x0065) forward path CA Certificate expired (notbefore=041027050000Z, notafter=081027060000Z, now=091025165700Z)
Subject: unstructuredName=Responsable: Cesar Luis Perales Tellez, EMAIL=asisnet.sat.gob.mx, x500UniqueIdentifier=SAT970701NN3, C=MX, SP=Distrito Federal, L=Coy
ERROR in af_check_validity_of_Certificate: (101/0x0065) Certificate expired (notbefore=041027050000Z, notafter=081027060000Z, now=091025165700Z)
ERROR in af_pse_get_Certificate_static: (4130/0x1022) Can't get certificate because cannot read object : "Cert"
ERROR in sec_read_PSE: (4130/0x1022) object is not in toc : "Cert"
ERROR in sec_read_object_from_toc: (4130/0x1022) object is not in toc : "Cert"
Did you have the same problem?
I will ask SAP for the correct certificates.
This is the answer from SAP:
Thank you for the information provided.
We have sent to our customers these files but in case they are not
valid anymore I kindly ask you to access the
government portal for Digital Invoices to get a new one.
Please see below:
http://www.sat.gob.mx/sitio_internet/e_sat/comprobantes_fiscales/15_9849.html
And create a message for the government asking for the new valid ones.
Thank you for your cooperation.
Best regards.
I hope I can get the correct ones from SAT.
Problem solved (I opened an OSS message and got the correct root certificate from SAP).
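The two sapgenpse failures quoted in this thread each say what is wrong with the chain inside the P12: "NEED certificate of ..." names the issuer whose certificate is missing, and "CA Certificate expired" carries the validity window as UTCTime values. The following is an added example, not code from the posts or from SAP, that extracts both from such output; the sample lines are the thread's own error lines with the console wrapping removed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

NEED_RE = re.compile(r'NEED certificate of "(.+?)"!')
CN_RE = re.compile(r'CN=([^,"]+)')
VALID_RE = re.compile(r"notbefore=(\d{12})Z, notafter=(\d{12})Z, now=(\d{12})Z")

def parse_utctime(s):
    """Parse YYMMDDHHMMSS as UTC; RFC 5280 maps YY >= 50 to 19YY, else 20YY."""
    yy = int(s[:2])
    year = (1900 if yy >= 50 else 2000) + yy
    rest = [int(s[i:i + 2]) for i in range(2, 12, 2)]   # month .. second
    return datetime(year, *rest, tzinfo=timezone.utc)

def triage(output):
    """Return ordered, de-duplicated (kind, detail) findings from sapgenpse output."""
    findings = []

    def add(item):
        if item not in findings:
            findings.append(item)

    for m in NEED_RE.finditer(output):
        # The CN of the missing issuer tells you which CA certificate to add.
        cn = CN_RE.search(m.group(1))
        add(("missing_issuer", cn.group(1).strip() if cn else m.group(1)))
    for m in VALID_RE.finditer(output):
        not_before, not_after, now = map(parse_utctime, m.groups())
        if now > not_after:
            days = (now - not_after).days
            add(("expired", f"{not_after:%Y-%m-%d}, {days} days ago"))
        elif now < not_before:
            add(("not_yet_valid", f"{not_before:%Y-%m-%d}"))
    return findings

# Error lines as quoted in this thread, unwrapped to one line each.
SAMPLE = """\
ERROR: Incomplete certification path -- NEED certificate of "OU=Infraestructura Extendida de Seguridad, CN=Agencia Registradora Central, C=MX, O=Banco de Mexico"!
ERROR in af_verify_Certificates: (101/0x0065) forward path CA Certificate expired (notbefore=041027050000Z, notafter=081027060000Z, now=091025165700Z)
ERROR in af_check_validity_of_Certificate: (101/0x0065) Certificate expired (notbefore=041027050000Z, notafter=081027060000Z, now=091025165700Z)
"""

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE):
        print(kind, "->", detail)
```
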