Mexico’s Digital Invoice CFDI
With the acquisition of a company in Mexico we came across to the situation where we need to implement CFDI solution for Mexico once we bring all their data into SAP from their 3rd party system.
I am going to share my experience of CFDI e-invoicing (Mexico) implementation. It was not that easy task even there are some SAP notes and wiki page available on this topic. This could be due to document translation or maybe something else. This makes me write this document and share with you my experience of this implementation.
CFDI which stands for Comprobantes Fiscal Digital por Internet, The electronic billing schema defined by the Mexican federal tax code.
As a part of BASIS team, we need to implement PSE file into SAP system to make sure we can generate IDOC for the government website.
Master SAP note: 2327391 – FAQ of Mexico’s Digital Invoice CFDI 3.3
What do I need on my computer to make this happen?
You need to install Open SSL software on your computer. You can get multiple OpenSSL software but I prefer to get it from below.
Once you install and configure* this software on your computer you are almost ready to generate the pse file 🙂
*Note: If you open command prompt on your computer and run command ‘OpenSSL’ you should able to see screen as below
If this does not work please add system variable PATH of bin directory for example – C:\OpenSSL-Win64\bin and re-open command prompt and try again
Generation of file:
Working on your Computer :
Download the root certificates from the link below (Root certificates to complete your certificate** chain which you received form govt. website)
For more information please go through SAP note:1896038 – Certificate import in Mexico’s Digital Invoice CFDI
Example is as below…
**Note: Your company certificate provided by your business tax manager going on the government website and password provided of the certificate at the time of certificate generation
Convert all certificate*** files to .pem files by running commands below
openssl x509 -inform DER -in Certificate1.cer -outform PEM -out Certificate1.cer.pem
openssl x509 -inform DER -in Certificate2.cer -outform PEM -out Certificate2cer.pem
***Note: If files are in .crt you need to convert them in .cer by just open file >> Details >> Copy to file >>DER en….
Convert key file to .pem (This file will be inside zip file provided by business person or Tax Manager)
Run command below to convert key file to .pem, You need password**** provided with certificate
openssl pkcs8 -inform DER -in CSD_ECS_Facturacion_Veracruz_XXXX_XXXX_XXX.key -passin pass:<password> -outform PEM -out CSD_ECS_Facturacion_Veracruz_VCXXXX_XX_XX.key.pem -passout pass:<password>
****Note: Step 1 password
This will generate . pem file from key file
Convert .cer file to .pem (This file will be inside zip file provided by business person or Tax Manager)
openssl x509 -inform DER -in CSD_ECS_Facturacion_Veracruz_XXXX_XXXX_XXX.cer -outform PEM -out CSD_ECS_Facturacion_Veracruz_XXXX_XXXX_XXX.cer.pem
This command will create .pem file
Copy all .pem files to one file by running command below
copy CSD_ECS_Facturacion_Veracruz_VCXXXX_XX_XX.key.pem+CSD_ECS_Facturacion_Veracruz_XXXX_XXXX_XXX.cer.pem+Certificate1.cer.pem+Certificate2.cer.pem Your_FIlename.pem
This will create new file copying all .pem files in to one new .pem file
(in our example: Your_FIlename.pem)
Export .pem file to .p12 file
Run command below
openssl pkcs12 -in Your_FIlename.pem -passin pass:<password> -export -out Your_FIlename.p12 -name SAT -passout pass:<password>
This will create .p12 file and use same password as before
Copy .pem file on server sec directory++
++Note: This is your SAP ERP server and incuding dialog instances if you have any
Working on SAPServer :
Login to server as <sidadm> user
X:\usr\sap\<SID>\DVEBMGSXX\exe\sapgenpse import_p12 -p Your_new_PSE__CLIENT.pse -x <password> -z <password> Your_FIlename.p12
This will create new file in to server name : Your_new_PSE__CLIENT.pse
Rename file Your_new_PSE__CLIENT.pse to SAPMXDI_ERM_Sellos_Facturacion_XXX.pse
Note: XXX is client number in the file name
If you have more than one certificates you need to follow same steps again in our case we had ERM and ECS files so we created 2 files
Import credentials login to server with <sidadm> user
sapgenpse seclogin -p SAPMXDI_ERM_Sellos_Facturacion_XXX.pse -x <password>-O DOMAIN\SAPService<SID>
sapgenpse seclogin -p SAPMXDI_ECS_Sellos_Facturacion_XXX.pse -x <password> -O DOMAIN\SAPService<SID>
Note: Password is same as you use on previous commands
Working in SAP GUI :
Testing can be done through program IDMX_DI_CHECK_SSF_LIBRARY in your SAP system through SA38 TCode
SAP note: 1376355 – Digital Invoice Mexico: pse-file test
Note: Make sure you take a good note of your Certificate expiration date to go through same process again.
Conclusion is It seems easy to configure but so many steps and moving parts to join in order to make this work.
Hope you enjoy reading this technical document