EID 1524196 - Import certificates in ABAP and Java Version 10 Validity: 25.08.2013 - active Language English (Mester) Header Data Released On 01.032012 15.3608, Release Status Released for Customer ‘Component — SLL-NFE Nota Fiscal Electionca (NFe) Priority Recommendations / Addifonal nfo Category Consulting Symptom ‘This Note deals with the import of NFE certificates into the Key Storage Tor XML signature and verification in ABAP and Java. The following symptoms are covered: + You got a .pfx file (digital certificate with the private key), but what you need to deploy on the Pite'system isa apse file (for x” signature and validation in ABAPY” + After changing the NF-e certificate in the J2EE Key Storage the connection of the PL communication channels to the government servers is not working anymore. invalid + Receiving the following error in the PT MiL_com.sap.aii.af.ra.ms-api.DeliveryExceptior content type for SOAP: TEXT/HTML; HTTP 403 Forbidden + Regarding server authentication: if SEFAZ has changed their certificate and its chain was changed to a newer version this is causing an issue on PI not being able to establish a Connection to the SEFAZ webservices. Other Terms: SAP GRC, Nota Fiscal Electronica, SEFAZ, XI, PI, Certificate, keystore, PSE Reason and Prerequisites During the PT communication to SEFAZ the 403 response means that you could not successfully authenticate yourself. Therefore, the SOAP receiver channel shows the “invalid content type for SOAP" error meceage, because it expects a SOAP response, but gets the HTTP 403 response. SEFAZ Fequires cert ficate-baced authorization. The reason for this problem is in most cases a wrong imported certificate chain. Solution + ABAP © Please follow the instructions in attachment 'NFE_Digital_Signature_cuide'. + 22ee 2 Check that your complete certification authorites (cas) certificate chain + your private certificate is correctly Imported into the PI Keystore. The certificate chain has’ to be in the correct order. Otherwise SEFAZ will reject your request with a HTTP 403 response. The government needs to know whom they can trust, ive. that your certificate is signed from a trusted authority. Therefore you need to have the complete certificate chain in your keystore, We attached an example (our details were removed) for your convenience to this message (see certificate chain. pdt). It shows, that additionally to your private key, you need to import the governments, (SEFAZ) root certificate. Afterwards, you have to import an intermediate certificate that shows that SEFAZ trusts the Security Provider. And Finally, the certificate that shows that the Security Provider trusts the issuer of your certi Then the certificate chain is complete and the government knows that you're cer’ ouhere the ca certificates just dounload please refer to the attached document “structure of Ich “brazilcpdfé and choose your secursty Provider (e.g. Certasign). when the CA certificates are, i Pecady Formac refer Yo the attached docunent.*P/e certitveate export: pdf” to expert Shen tn’ seer forma: 2 Please import your private certificate with the CA certificates chain one by one via the Visual Administrator for Netweaver 700 or NetWeaver Administrator (NWA) Tor Netweaver 710 Cin the correct order). alternatively you can import the certificates with Internet Explorer and export them as one PFX including the certificate chain. Tn attachment "Generate Certificate chain-pdf” is described how the private certificate has to be imported into the Personal folder of the Windous key store. The AC certificates have to be imported the same way, but in different folders (automatically). Then you can load the exported PFX into the328E key storage view (e.g. NFE). © For the server authentication of SEFAZ import the SEFAZ.cers into Keystore View TrustedcAs and restart the instance. References This document refers to: SAP Notes. 662340 SSE Encryption Using ine SAPCopiokb This document is referenced by: SAP Notes (1) 662340 SSF Encryption Using ine SAPCrypioky Attachments ‘Hehe gE ine Te Generate Certificate Chain pdf '562_ applicationipat NEE Digital Sionature_ Gude nd 831 | applicationipat certficate_chain oat 102 | applicatonipdt ‘PZB certificate export pat 108 | appicationipd