Digital Invoice Mexico: Import Certificates



Symptom
You are creating billing documents for a Mexican sales organization and you want to use the digital invoice functionality to generate the digital signature (SELLO DIGITAL) in the system. This note describes the steps to convert and import the certificate and private key from the Mexican SAT.
Use the test certificates included in the attachments to test the solution during the pilot phase.
Other terms
IDMX_DI, IDMX, electronic invoice, digital invoice, Mexico
Reason and Prerequisites
Prerequisite note to generate an electronic signature
Solution
Please follow the steps described below.
Prerequisites
1. Download the LATEST version of the SAP tools SAPGENPSE and SAPCRYPTOLIB (see note 455033 and note 397175).
2. Install the open source OpenSSL toolkit from www.openssl.org (optional, see details below).
3. Unzip the attached file Certs_AC_IES_Pruebas.zip, which contains the root certificates AC_SAT2048.cer and ARC_IES_DNZ1.cer, into a local directory. Use the file names exactly as they appear after unzipping when you run the conversion commands below.
4. Unzip the attached file Cer_Sello.zip, which contains the aaa010101aaa_CSD_01.key file (PKCS#8 format) and the aaa010101aaa_CSD_01.cer file (X.509v3 format), into a local directory.
5. If the release of the installed SAP_BASIS component is lower than 700, check the value of the SSF profile parameter ssf_md_alg in accordance with your installed security product (SAP Cryptographic Library). The value must be set to MD5 (the standard value is SHA1).

Attention:
The attached files are working demo files that are currently valid. They must not be used in productive operation. For production you need to concatenate your legal private key, your certificate, and the relevant legal root certificate (issuer) into the productive PSE file.
You can find the real root certificates via the following link:
http://www.banxico.org.mx/sistemasdepago/ies/ies_entrada.html.
To get the ACx and ARCx root certificates you need, open
“Agencias Registradoras y Certificadoras Autorizadas”
- Agencias Registradoras
- Agencias Certificadoras
The root certificates you find there are already in PEM format, so the command that converts the root certificate for the PKCS12 file differs slightly from the one used for the demo PSE file (see “Difference when creating a productive pse file” below).
If you want to ask questions to the authorities, use the following
link:
https://portalsat.plataforma.sat.gob.mx/psp/psatpp/CUSTOMER/CRM_S/c/RC_SELF_SERVICE.RC_CASE_SW_SS_RPT.GBL?DISP_TMPL_ID=RC_SUPPORT&CASE_TYPE=OR&3& FolderPath=PORTAL_ROOT_OBJECT.SAT_CONTRIBUTOR_ATTENDANCE.SAT_CA__DIRECTION.SAT_CR_RC_CASE_SW_SS_RPT_OR& IsFolder=false&IgnoreParamTempl=FolderPath%2cIsFolder

File Conversion
The certificate and the private key are stored in PSE format, a proprietary format of SAP and SECUDE. SAP does not support a direct conversion of the certificate file received from the SAT (X.509v3 format) and the private-key file (PKCS#8 format) into a PSE file.
Only the PSE format allows the certificate and the private key to be stored securely as a single file in the SAP system.

The conversion is done in two steps:
1. Convert the PKCS#8 and X.509v3 files from the Mexican SAT into a PKCS#12 file.
2. Convert the PKCS#12 file into a PSE file.

SAP does not provide a standard tool for the first step. The second step is supported by the SAP tool SAPGENPSE.

Please find below an example of both conversion steps.
Conversion into PKCS12 File
For the first step you can use, for example, the open source OpenSSL toolkit (download and install it from www.openssl.org), as in the following Windows batch example.

**********************************************************************
rem convert the SAT private key from encrypted PKCS#8 DER to PEM
rem NOTE: without -topk8, openssl pkcs8 writes the key UNENCRYPTED and ignores -passout,
rem so CSD_01.key.pem holds the private key in clear: keep it in a protected directory
rem and delete it as soon as the PKCS#12 file exists (see the del command at the end).
rem NOTE: pass:<password> on the command line is visible to other users in the process list;
rem on a shared machine prefer -passin file:<file> with a restricted file instead.
openssl pkcs8 -inform DER -in aaa010101aaa_CSD_01.key -passin pass:a0123456789 -outform PEM -out CSD_01.key.pem -passout pass:a0123456789
rem convert the certificates (signing certificate and both root certificates) from DER to PEM
openssl x509 -inform DER -in aaa010101aaa_CSD_01.cer -outform PEM -out CSD_01.cer.pem
openssl x509 -inform DER -in AC_SAT2048.cer -outform PEM -out AC_SAT2048.cer.pem
openssl x509 -inform DER -in ARC_IES_DMZ1.cer -outform PEM -out ARC_IES_DMZ1.cer.pem
rem append key, certificate and root certificates into one PEM file
copy CSD_01.key.pem+CSD_01.cer.pem+AC_SAT2048.cer.pem+ARC_IES_DMZ1.cer.pem CSD_01_chain.pem
rem convert the PEM file to PKCS#12; the -passout password protects the PKCS#12 file
rem and is needed again as the -z password of sapgenpse import_p12
openssl pkcs12 -in CSD_01_chain.pem -passin pass:a0123456789 -export -out CSD_01.p12 -name SAT -passout pass:a0123456789
rem remove the intermediate files that contain the clear private key
del CSD_01.key.pem CSD_01_chain.pem
***********************************************************************
Conversion into PSE File
Use the SAPGENPSE tool to import the file in PKCS#12 format with the import_p12 command as follows:
rem convert pkcs12 file to pse
sapgenpse import_p12 -p CSD_01.pse -x a0123456789 -z a0123456789 CSD_01.p12

For more information, see SAP Library for SAP NetWeaver in SAP Help Portal at http://help.sap.com under SAP NetWeaver Library -> SAP NetWeaver by Key Capability -> Security -> Network and Transport Layer Security -> Using the SAP Cryptographic Library for SNC -> Configuring SNC for Using the SAPCRYPTOLIB Using SAPGENPSE -> Additional Functions -> Importing a PKCS#12 File.
Difference when creating a productive PSE file
The root certificates from the Banxico site are already in PEM format, so omit the -inform DER option (PEM is OpenSSL's default input format). For example, if the file AC2-Sat.cer is already stored in PEM format, use
openssl x509 -in AC2-Sat.cer -outform PEM -out AC2-Sat.cer.pem
instead of
openssl x509 -inform DER -in AC2-Sat.cer -outform PEM -out AC2-Sat.cer.pem
to create the PEM file of the root certificate needed for the PKCS12 file. The other commands stay the same.
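The two OpenSSL steps above, generalized into a small POSIX shell function, as an added example (it is not part of the SAP note and not SAP code): it takes the SAT key and certificate in DER, accepts each root certificate in either DER (the demo files) or PEM (the Banxico roots described in the section above), checks that the private key belongs to the certificate and that the certificate chains to the supplied roots before exporting, and keeps the key password off the command line by reading it from an environment variable. The function and parameter names, the SAT_KEY_PASS variable and the temporary work directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the SAP note). Assumed interface:
#   SAT_KEY_PASS   password of the SAT private key; reused for the PKCS#12 file
#   sat_to_p12 <key.der> <cert.der> <out.p12> <root1> [<root2> ...]
# Roots may be DER (demo files from the note) or PEM (roots from the Banxico site).

sat_to_p12() {
    [ $# -ge 4 ] || { echo "usage: sat_to_p12 <key.der> <cert.der> <out.p12> <root>..." >&2; return 1; }
    key_der=$1; cert_der=$2; out_p12=$3; shift 3
    [ -n "$SAT_KEY_PASS" ] || { echo "sat_to_p12: SAT_KEY_PASS is not set" >&2; return 1; }
    work=$(mktemp -d) || return 1            # mktemp -d creates the directory with mode 700
    (
        umask 077                            # intermediate files are readable by the owner only
        # 1. key: encrypted PKCS#8 DER -> PEM (openssl pkcs8 without -topk8 writes it unencrypted)
        openssl pkcs8 -inform DER -in "$key_der" -passin env:SAT_KEY_PASS -out "$work/key.pem" || exit 1
        # 2. signing certificate: DER -> PEM
        openssl x509 -inform DER -in "$cert_der" -out "$work/cert.pem" || exit 1
        # 3. roots: detect PEM or DER per file and collect them in one chain file
        : > "$work/chain.pem"
        for root in "$@"; do
            if openssl x509 -inform PEM -in "$root" -noout 2>/dev/null; then
                openssl x509 -inform PEM -in "$root" >> "$work/chain.pem" || exit 1
            else
                openssl x509 -inform DER -in "$root" >> "$work/chain.pem" || exit 1
            fi
        done
        # 4. the key must belong to the certificate (compare the RSA moduli)
        key_mod=$(openssl rsa -in "$work/key.pem" -noout -modulus) || exit 1
        cert_mod=$(openssl x509 -in "$work/cert.pem" -noout -modulus) || exit 1
        [ "$key_mod" = "$cert_mod" ] || { echo "sat_to_p12: private key does not match certificate" >&2; exit 1; }
        # 5. the certificate must chain to the supplied roots
        openssl verify -CAfile "$work/chain.pem" "$work/cert.pem" >/dev/null || exit 1
        # 6. export key, certificate and chain as one PKCS#12 file for sapgenpse import_p12
        openssl pkcs12 -export -inkey "$work/key.pem" -in "$work/cert.pem" \
            -certfile "$work/chain.pem" -name SAT -passout env:SAT_KEY_PASS -out "$out_p12" || exit 1
    )
    rc=$?
    rm -rf "$work"                           # the clear-text key never outlives this function
    return $rc
}

# Print the subject of the signing certificate stored in a PKCS#12 file (final check).
p12_leaf_subject() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:SAT_KEY_PASS | openssl x509 -noout -subject
}
```

Usage: export SAT_KEY_PASS, then run `sat_to_p12 aaa010101aaa_CSD_01.key aaa010101aaa_CSD_01.cer CSD_01.p12 AC_SAT2048.cer ARC_IES_DNZ1.cer` and feed CSD_01.p12 to `sapgenpse import_p12` as shown below. OpenSSL 3 encrypts PKCS#12 files with PBES2/AES by default; if an older SAPGENPSE rejects the file, re-export it with the `-legacy` option of `openssl pkcs12`.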
Storage of the PSE file
Storage path
Save the PSE file in the sec subdirectory of the instance directory ($DIR_INSTANCE/sec) on each server that you want to use to sign digital invoices.
You must copy the PSE file manually to each of these servers.
Server’s credentials
You must generate the server’s credentials ON EACH server. Use the SAPGENPSE tool as follows.
*******************************************************************
sapgenpse seclogin -p <targetPSEfilename>.pse -x <target password>
*******************************************************************
This creates the server's credentials, which allow the SAP system to access the PSE file on that specific server.
The signing process fails if you copy the credentials from another server instead of generating them locally.

In line with the example above, where the PKCS#12 file was imported into CSD_01.pse with the PIN a0123456789, you would enter:
sapgenpse seclogin -p CSD_01.pse -x a0123456789
(In a real installation the PSE carries the SAPMXDI_ name described in the next section.)
You must create the credentials as the user that runs the work processes of the SAP system. On Linux/Unix this is usually <SID>adm.
On Windows, however, this is the user of the SAP service, usually SAPService<SID>. Use the -O option of “sapgenpse seclogin” to set the right user.
For more information, see SAP Library for SAP NetWeaver in SAP Help Portal at http://help.sap.com under SAP NetWeaver Library -> SAP NetWeaver by Key Capability -> Security -> Network and Transport Layer Security -> Using the SAP Cryptographic Library for SNC -> Configuring SNC for Using the SAPCRYPTOLIB Using SAPGENPSE -> Creating the c Credentials Using SAPGENPSE.
Naming convention for PSE File Name
The target PSE file name that you enter must follow the naming convention below. The parts of the file name are separated by underscores, and the name is case-sensitive:
Prefix: always SAPMXDI_
PSE name: you can freely choose the PSE name, although the entire file name must not exceed 132 characters
Suffix: an underscore followed by the client and the file extension .pse, for example _100.pse
For example, for sales organization MX01 you would create the following PSE file:
SAPMXDI_SalesOrgMX01_100.pse
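An added example (not from the SAP note) that applies the naming convention above and the storage rules from the previous section in a POSIX shell function: pse_name_ok checks a candidate file name against the SAPMXDI_<name>_<client>.pse pattern (assuming a three-digit numeric client, as in the _100 example) and the 132-character limit, and install_pse copies a PSE into the instance sec directory with owner-only permissions, which is where you then run sapgenpse seclogin. Function names and the argument layout are assumptions of this example; sapgenpse itself is not called, because the credentials must be created on each server as the user that runs the work processes.

```shell
#!/bin/sh
# Added example (not from the SAP note). Assumed interface:
#   pse_name_ok <file name>                   -> 0 if the name follows the SAPMXDI convention
#   install_pse <pse file> <instance sec dir> -> copies the file there with mode 600

pse_name_ok() {
    name=$1
    # prefix SAPMXDI_ (case-sensitive), free part, underscore, three-digit client, .pse
    case $name in
        SAPMXDI_*_[0-9][0-9][0-9].pse) ;;
        *) return 1 ;;
    esac
    free=${name#SAPMXDI_}
    free=${free%_[0-9][0-9][0-9].pse}
    [ -n "$free" ] || return 1                 # the free part must not be empty
    [ ${#name} -le 132 ] || return 1           # the whole file name is limited to 132 characters
}

install_pse() {
    pse=$1; secdir=$2
    name=$(basename "$pse")
    pse_name_ok "$name" || { echo "install_pse: $name does not follow SAPMXDI_<name>_<client>.pse" >&2; return 1; }
    [ -d "$secdir" ] || { echo "install_pse: $secdir is not a directory" >&2; return 1; }
    # the PSE contains the private signing key: create the copy readable by the owner only
    ( umask 077 && cp "$pse" "$secdir/$name" ) || return 1
    chmod 600 "$secdir/$name" || return 1
    echo "$secdir/$name"
    # next, on this server, as the user running the work processes (<SID>adm; use -O on Windows):
    #   sapgenpse seclogin -p "$secdir/$name" -x <PIN>
}
```

Run install_pse on every application server that signs invoices, with $secdir set to that server's $DIR_INSTANCE/sec, and create the credentials there afterwards as described above.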

Further help about the SSF environment and testing the configuration
See note 800240 for further information about the SSF environment and the possibilities to test the configuration.
