Certificate used for Suministro Inmediato de Información (SII)

Can someone please answer this.
We are sending invoices to SII via workday server (via SOAP) for 4 different companies.
Recently we received new certificate (with password) for 1 of our company having certificate issuer FNMT-RCM.
and this certificate do not have any private key (as it’s not exportable).
When we connect to SII it’s erroing out due to Bad key.
Can someone throw some light what can we do when we dont have any private key in certificate.
I dint understand this concept : " Essentially the users must tell the spanish tax office that they authorize a third party to report their invoices to the SII webservice."
will this work in our case? if yes what should we do?

This is strange, normally the certificate is composed by both the key and the certificate. I’ve seen this pattern in all certificates we used.

The module documentation includes the comands to extract such fields from the FNMT certificate. See: Configuration — Tryton module that sends invoices to the Spanish SII webservice

No because In any case you need to identify to the tax authorities using both the private key and the unencripted certificate. What you can do here is to use a certificate of a different party and autorize such company to send the data on behalf of the company that is issuing/receiving the invoices. This is whtat is refering on the mentioned concept.

What is the format of this file?

certificate is in .p12 .we do have other company certificates in .p12 which works fine

I myself exported this certificate from FNMT-RCM .I do selected option :Export private key.
But when i try to read that certificate via unix certutil command i see below inside certificate. it says no private key inside.
what can be done here to have Private key inside the certificate. (as i mentioned for other companies it’s working fine with SII as having different certificate)


I guess you have to ask to the provider to give you the private key.

I see that your certificate is issued for 12 years, where normally they are only valid for two years (in case of companies) or four years (in case of individuals). So it seems you are mixing files.

For example in my firefox (where I have installed the certificate) I can download this file by using the button “Backup certificate”. Firefox must be able to open the download file and import it as identity certificate. Note that I mention firefox because normally the file is downloaded only once from the FNMT and installed to the machine it was downloaded to. From there you can export a backup (again a .p12 file) and encrypt it using a custom password. If you are using windows, the certificate can be exported using the certificate manager.

Which command are you using to inspect? I can try to execute it on my certificate to compare your values if that helps.

That info is from the ROOT CA “AC RAIZ FNMT-RM”
Serial number is 5D:93:8D:30:67:36:C8:06:1D:1A:C7:54:84:69:07

In fact certificate was issued on 21st march which is what i can see in 3rd certificate.(i havent posted entire screenshot of nested 3 certificates)
NotBefore: 21/03/2024 11:32
NotAfter: 21/03/2026 11:32

I used unix command :
certutil -p password -dump C:\Users\user\Desktop\certificate.pfx > C:\Users\user\Desktop\certificate.txt

Its strange you have 3 certificates, I only have one.

Maybe you downloaded the certificate of the webserver (normally they have several chained certificates) instead of the real certificate?

Sorry but I’m unable to run such command as my certutil is different (it just to manage the certificate database).