Skip to Content

With the acquisition of a company in Mexico we came across to the situation where we need to implement CFDI solution for Mexico once we bring all their data into SAP from their 3rd party system.

I am going to share my experience of CFDI e-invoicing (Mexico) implementation. It was not that easy task even there are some SAP notes and wiki page available on this topic. This could be due to document translation or maybe something else. This makes me write this document and share with you my experience of this implementation.

CFDI which stands for Comprobantes Fiscal Digital por Internet, The electronic billing schema defined by the Mexican federal tax code.

As a part of BASIS team, we need to implement PSE file into SAP system to make sure we can generate IDOC for the government website.

Master SAP note: 2327391 – FAQ of Mexico’s Digital Invoice CFDI 3.3

What do I need on my computer to make this happen?

You need to install Open SSL software on your computer. You can get multiple OpenSSL software but I prefer to get it from below.

Once you install and configure* this software on your computer you are almost ready to generate the pse file 🙂

*Note: If you open command prompt on your computer and run command ‘OpenSSL’ you should able to see screen as below

If this does not work please add system variable PATH of bin directory for example – C:\OpenSSL-Win64\bin and re-open command prompt and try again


Generation of file:

Working on your Computer :


Download the root certificates from the link below (Root certificates to complete your certificate** chain which you received form govt. website)

For more information please go through SAP note:1896038 – Certificate import in Mexico’s Digital Invoice CFDI

Example is as below…


**Note: Your company certificate provided by your business tax manager going on the government website and password provided of the certificate at the time of certificate generation


Convert all certificate*** files to .pem files by running commands below

openssl x509 -inform DER -in Certificate1.cer -outform PEM -out Certificate1.cer.pem
openssl x509 -inform DER -in Certificate2.cer -outform PEM -out Certificate2cer.pem

***Note: If files are in .crt you need to convert them in .cer by just open file >> Details >> Copy to file >>DER en….


Convert key file to .pem (This file will be inside zip file provided by business person or Tax Manager)

Run command below to convert key file to .pem, You need password**** provided with certificate

openssl pkcs8 -inform DER -in CSD_ECS_Facturacion_Veracruz_XXXX_XXXX_XXX.key -passin pass:<password> -outform PEM -out CSD_ECS_Facturacion_Veracruz_VCXXXX_XX_XX.key.pem -passout pass:<password>

****Note: Step 1 password

This will generate . pem file from key file


Convert .cer file to .pem (This file will be inside zip file provided by business person or Tax Manager)

openssl x509 -inform DER -in CSD_ECS_Facturacion_Veracruz_XXXX_XXXX_XXX.cer -outform PEM -out CSD_ECS_Facturacion_Veracruz_XXXX_XXXX_XXX.cer.pem

This command will create .pem file



Copy all .pem files to one file by running command below

copy CSD_ECS_Facturacion_Veracruz_VCXXXX_XX_XX.key.pem+CSD_ECS_Facturacion_Veracruz_XXXX_XXXX_XXX.cer.pem+Certificate1.cer.pem+Certificate2.cer.pem Your_FIlename.pem

This will create new file copying all .pem files in to one new .pem file

(in our example: Your_FIlename.pem)


Export .pem file to .p12 file

Run command below

openssl pkcs12 -in Your_FIlename.pem -passin pass:<password> -export -out Your_FIlename.p12 -name SAT -passout pass:<password>

This will create .p12 file and use same password as before


Copy .pem file on server sec directory++


++Note: This is your SAP ERP server and incuding dialog instances if you have any

Working on SAPServer :


Login to server as <sidadm> user

X:\usr\sap\<SID>\DVEBMGSXX\exe\sapgenpse import_p12 -p Your_new_PSE__CLIENT.pse -x <password> -z <password> Your_FIlename.p12

This will create new file in to server name : Your_new_PSE__CLIENT.pse


Rename file Your_new_PSE__CLIENT.pse to SAPMXDI_ERM_Sellos_Facturacion_XXX.pse

Note: XXX is client number in the file name

If you have more than one certificates you need to follow same steps again in our case we had ERM and ECS files so we created 2 files



Import credentials login to server with <sidadm> user

sapgenpse seclogin -p SAPMXDI_ERM_Sellos_Facturacion_XXX.pse -x <password>-O DOMAIN\SAPService<SID>
sapgenpse seclogin -p SAPMXDI_ECS_Sellos_Facturacion_XXX.pse -x <password> -O DOMAIN\SAPService<SID>

Note: Password is same as you use on previous commands

Working in SAP GUI :


Testing can be done through program IDMX_DI_CHECK_SSF_LIBRARY in your SAP system through SA38 TCode

SAP note: 1376355 – Digital Invoice Mexico: pse-file test

Note: Make sure you take a good note of your Certificate expiration date to go through same process again.

Conclusion is It seems easy to configure but so many steps and moving parts to join in order to make this work.

Hope you enjoy reading this technical document

Thank you

Yogesh Patel

To report this post you need to login first.

Be the first to leave a comment

You must be Logged on to comment or reply to a post.

Leave a Reply