Skip to Content

Add new web certificate in cacerts file for CFDI Electronic Document Mexico





The functionality of Electronic Documents CFDI for Mexican Localization provided by SAP Business One can be affected by changes on the PACs companies that provide the service ‘sello’.


When the functionality was released, in SAP Note 1580236 there was an attachment containing a cacerts file with all the web certificates for Edicom, Levicom and Tralix.


This cacerts, might contain a certification that even if it was valid when the SAP Note 1580236 was released, can experience changes or expire for one of the PACS


Here I show a sample related to a recent case with Edicom, on how to add the new certification:


On December 2012 users of PAC Edicom have received an e-mail/letter telling the following:


The web certificate used by Edicom to secure the communication channel to will expire on Dec. 23th. This site contains our Digital Tax Stamps Generation Service for CFDI, that you have hired/accredited with us.
A new certificate has been created  (download certificate) and it will be activated on Dec. 13th 09:00 (UTC-6)

This communication came together a link from where to download the new web certificate


How can I add this new web certificate to the existing certificates contained in the cacerts file of the SAP Note 1580236 ?

UPDATE: Later after this post was created, it was decided to include the updated cacerts in SAP Note 1580236, just for the use of customers that are in a transitory maintenance and use scenario versions that did not include the cacerts in the scenario package itself.

Never the less I kept this blog in case that it was required.




Edicom has provided a link to download the new certificate by e-mail, contact with them if not:


the file that they provide is called  ‘’ contained in zip file, or it can have a different name in a new change


You can download the zip file containing the file called in this example ‘’ in any place that you consider right.






Double click in the file ‘’ and follow all steps as marked by the import wizard.



You can trigger this installation as well by right click on the file and select option ‘Install Certificate’




The certificate file ‘’ as it is needs to be converted in .cer file in order to be added to the current ‘cacerts’ file that SAP Business One Support provided in the SAP Note 1580236


3.1 Open the direct command as an administrator and type the command ‘certmgr.msc’ and press ‘ENTER’


This will open the certificates browser window



3.2 Browse to the folder ‘Other People/Certificates’ where you can find the certificate file ‘’



Right click with the mouse on the file ‘’ and in ‘All Tasks’ select ‘Export’ to open the export wizard



3.3 After press ‘Next’, in following window select the option ‘Base-64 encoded X.509 (.CER)’



3.4 After pressing ‘Next’, a browser will open to give a name to the .cer file that will be created and as well  the path to where you want to store the file.


In this example I will store it in the same place where I initially saved the ‘’ and I will call it ‘EdicomNew’ and press ‘Save’



3.4 press ‘Next’ until the message telling ‘Export was successful’ is displayed, ad press ‘Finish’.


As a results of this you have a new file called EdicomNew.cer in the selected folder





4.1 before going any further, do copy the current cacerts that you downloaded from the note in somewhere safe, in my example I will store it in the same place where I am storing everything



4.2 Copy the .cer file created in step 3.4, in my example ‘EdicomNew.cer’ into the folder ‘bin’ of your java application folder.


In my example, I will use the java that is provided with SAP Business One Integration, but you may use a different java that you have installed in your machine:


C:\Program Files (x86)\SAP\SAP Business One Integration\sapjre_6_64\jre\bin



4.3 Ensure that in that java bin folder a file called ‘keytool.exe’ exists


4.4 Open the direct command as an administrator and and change the directory to where the keytool.exe is located:


syntax:  cd [the path]


my example:




C:\Program Files (x86)\SAP\SAP Business One Integration\sapjre_6_64\jre\bin




4.5 Type ‘keytool.exe’ and press enter, the line of usable commands for keytool should open, from which we see the syntax for the instruction that we will need to execute:



4.6 In the same root type the following command and press ‘ENTER’


keytool -importcert -file <Thefilecreatedin step 3.4> -keystore “<full path to the file where the cacert was stored in step 4.1>”


In my example:


keytool -importcert -file EdicomNew.cer -keystore “C:\InstalationPackage\SAPBusinessOnePatches\CacertEdicomnew\cacerts”


4.7 Here the command prompt will ask you for a password, do enter ‘changeit’ and press ‘ENTER’



4.8 the line of command will ask you if you trust, you must type ‘yes’ and press ‘ENTER’



A message must say that certificate was added to keystore



If you check now the cacerts file of step 4.1 you will see that is not anymore date 19/05/2012 but the day of today 13/12.2012





swap the current cacerts that is located in the security folder of java, that was used until now, for the new cacerts.


We do recommend renaming the existing one before swap



You can see here that I backed up the cacerts that was in use ‘cacertsNote’, and as well the original cacerts that came with the java installation ‘cacertsOriginal’




To ensure changes in java have been taken by Integration solution for SAP Business One




In Integration Framework, in SLD select the SLD of Edicom MX-WS-EDICOM and test connection to ensure that new web certificate is ok



Last Reminder


PACs can change thieir data connection: destProtocol, destHost, desPort, desPath to provide this service, and you should contact with the PAC to ensure that your data for connection are correct, and for the right service and that you have the right user name and password

You must be Logged on to comment or reply to a post.
  • Hi all:

    I have removed first picture displayed in 



    It displayed the wizard on ‘export’, rather than install . That could cause some confusion because the picture didn’t match the description.

    I didn’t put another picture, I think is not required.

  • Hello Jose

    Thanks all for this information.

    I just have a little question, i have generated my cacerts file in one server, can i replace it in other server or do i need to do all the process again?

    Thanks again and regards

  • Edicom, cambio el certificado para el Webservice el 4 de Mayo:

    A) Para aquellos que esteis en 9.1 parche 06 o superior, SAP ha actualizado el scenario con el certificado actualizado

      Teneis que ir a la nota de SAP

    2271455, bajaros el archivo adjunto (si estais en 9.1) o el  (si estais en 9.2) e importarlo en Integration Framework

    (como referencia, en la nota veis que se ha adjuntado un archivo jks , que es la parte del scenario que han modificado. No lo necesitais a no ser que vosotros mismos quisierais modificar el scenario manualmente, que no lo aconsejo)

    B) Para los que esteis en 9.1 parche 5 o inferior (8.82),  no se proporciona desde soporte en Nota de SAP ningún cacerts actualizado, ya que los scenarios que quedan dentro de soporte son los arriba mencionados, solo para 9.1 parche 6 o superior, con lo cual , no queda mas remedio que usar el procemiento manual arriba explicado

    tanto en un caso A o B, no os olvideis de reiniciar el servicio de Integration Service para estar seguro de que los cambios se grabaron

    • El caso B también es resoluble, utilizando la herramienta keytool de java para importar el certificado de EDICOM dentro del almacén de confianza de B1iF.

      Este procedimiento es un poco mas “artesanal”, pero permite no tener que hacer una actualización de todo solo por el cambio de certificado.

      • Hola David buenas tardes.   Nosotros estamos en el escenario B.  Hicimos todo el procedimiento, tal y como se explica al inicio y no nos funcionó.  Me puedes explicar a groso modo como poder llevar a cabo lo que tú recomiendas?  Garcias

        • Buenos dias Fernando,

          Disculpa, el procedimiento al que me refería es el expuesto en esta entrada por Jose Antonio, es decir, importar el nuevo certificado de EDICOM dentro del cacerts que utilice tu B1iF.

          Debes estar seguro que el cacerts que has utilizado corresponde a la versión del JDK que esté utilizando el B1iF (32 o 64 bits, por defecto el de 64 bits).

          Si todo lo has hecho correctamente y no te funciona, seguramente el cacerts no era el lugar correcto donde importar el certificado.

          Busca si en tu B1iF dispones de la opción Tools->Control Center->Configuration->Certificate Administration.

          Si tienes esta opción, importa el certificado dentro de la bizstore (fíjate la URI que marca la configuración del sistema EDICOM en el SLD).

          Si no tienes esta opción, en qué versión de SAPB1 estas? Qué versión del escenario eInvMX tienes instado?

          Con esta información, si quieres, te voy ayudando sin problemas.


  • En referencia al cambio de certificado de EDICOM:

    Estando en 9.1 PL06 o superior, también es fácil y rápido importar el certificado de EDICOM directamente a B1iF utilizando en administrador de certificados.

    Es lo que hice y funcionó perfectamente.

    • Eso tambien es correcto, pero:

      a)  es presuponer un cierto conocimiento de B1i que no siempre tienen los clientes,

      b) Implica cierta manipulación del scenario (el jks, es parte del contenido de los scenarios 2.0.x y 3.0.x )

      • No se requiere ninguna modificación del escenario. És justamente aprovechar una característica que incorporan las nuevas versiones de B1iF (administración de certificados).

        En cualquier caso, en mi opinión y por mi experiencia, ni la actualización del escenario ni la importación de certificados es algo que se deba dejar a merced del cliente.

      • No, el procedimiento descrito en esa nota es ciertamente “complejo”.

        EDICOM envió un correo advirtiendo del cambio de certificado y adjuntando unos enlaces para descargar los certificados necesarios (el propio del servidor, el intermedio y el raiz).

        El intermedio y el raiz ya estaban correctos dentro del B1iF, pues son certifcados que utiliza EDICOM para firmar los del servidor, que justamente es el que caducaba ayer.

        Me bajé el certificado y lo importé al B1iF:


  • Buen dia Jose Antonio tengo el SAP 8.82 y tengo problemas en la facturacion realice los pasos que usted menciona pero al momento de llegar al paso 4.8 me llega este mensaje de error error de keytool: C:\Program Files (x86)\SAP\SAP Business One Server\B1_SHR\XML\” (acceso denegado)

    no se si lo estoy haciendo mal podria asesorarme porfavor

    • Necesitas iniciar sesión en el Sistema Operativo como Administrador, ó ejecutar la terminal con privilegios de administrador.