
Digital Certificates

How to configure the digital certificates to sign eSocial events XML files and connect to the restricted production environment
CUSTOMER
TABLE OF CONTENTS
INTRODUCTION ............................................................................................................................................... 3
Prerequisites .................................................................................................................................................... 3
CREATE PSE FILE ........................................................................................................................................... 4
ENTER DIGITAL CERTIFICATE FOR SIGNING XML FILES ......................................................................... 4
Create SSF Application ................................................................................................................................... 4
Set Application Parameters ............................................................................................................................ 5
Import PSE file ................................................................................................................................................. 6
ENTER DIGITAL CERTIFICATE FOR CONNECTING THE ESOCIAL RESTRICTED PRODUCTION
ENVIRONMENT .............................................................................................................................................. 10
TEST THE CONNECTION WITH ESOCIAL RESTRICTED PRODUCTION ENVIRONMENT ..................... 18

INTRODUCTION
In order to send events to eSocial government systems, the XML files must be signed using a digital certificate
compliant with ICP-Brasil standards. The connection between the SAP system and the government's servers
uses the same certificate to secure the data transmission.
To obtain the digital certificate, you should interact with a certification authority. You can find a complete and
updated list of certification authorities on the National Information Technology Institute (ITI Brazil) website:
http://www.iti.gov.br.

Certification authorities can also issue certificates on a physical token, so make sure you request a
digital certificate that can be used for e-commerce transactions and is delivered in PKCS#12 format.
This document aims at helping customers to import the digital certificates in the SAP system to sign XML files
and connect to the eSocial restricted production environment.

Prerequisites
You have authorization to manage certificates on the STRUST transaction.

To prevent the XML signature check from failing when inclusive canonicalization is specified, apply or
review the following SAP Notes:
• 510007 - Setting up SSL on Application Server ABAP
• 662340 - SSF Encryption Using the SAPCryptolib
• 2097272 - Error in XML canonicalization
• 2291377 - SAML2: Error in Signature Validation
• 2427966 - Fixes in CommonCryptoLib 8.5.10

CREATE PSE FILE
Use the SAPGENPSE tool on the command line to create the PSE from the existing PKCS#12 file (.pfx), as
described in SAP Note 662340 - SSF Encryption Using the SAPCryptolib.

sapgenpse import_p12 -p <path>file.pse bras.pfx

Recommendations:
• If the import fails because the .pfx is missing the certificate chain, you can complete the chain by
adding the missing certificates with the '-r' option. The command line should then look like this:

sapgenpse import_p12 -r SerasaACPv2.cer -r ICPBrasilv2.cer -p <path>file.pse bras.pfx

• Specify the full path of the PSE file to be created.

• If asked for a PSE PIN, enter the PIN value or press Return.

ENTER DIGITAL CERTIFICATE FOR SIGNING XML FILES

To configure the SSF application, follow these steps:

Create SSF Application

1. Access transaction SE16.


2. Insert a new entry in the SSFAPPLIC table with the following field values:

• APPLIC = 'ZESO01' (Note that this is an example name. You can enter your own APPLIC name,
and use this name all over the process.)
• B_TOOLKIT = 'X'
• B_FORMAT = 'X'
• B_PAB = 'X'
• B_PROFID = 'X'
• B_PROFILE = 'X'
• B_HASHALG = 'X'
• B_ENCRALG = 'X'
• B_INCCERTS = 'X'
• B_DETACHED = 'X'
• B_ASKPWD = ' '
• B_DISTIB = 'X'
• DESCRIPT = <description of the SSF-application>

Set Application Parameters
3. Access transaction SSFA and create a configuration for the application you created in step 2.

a. Fill the following field values:


• Formato SSF: PKCS1-v1.5 Padrão internacional PKCS#1 (enchimento padrão)
• Algoritmo hash: SHA256
b. Verify that the remaining fields contain the default values shown in the figure above.
c. Save the record.

Import PSE file
1. Access transaction STRUST.
2. Double click on File.

3. Select the PSE file previously created.

4. The certificate is now imported into the transaction.

5. Associate the certificate with the SSF application ZESO01 by choosing PSE → Gravar como (Save as).

6. The data is saved.

ENTER DIGITAL CERTIFICATE FOR CONNECTING THE ESOCIAL RESTRICTED PRODUCTION
ENVIRONMENT

1. Access transaction STRUST.


2. Create an SSL client by choosing Ambiente → Identidades SSL Client (Environment → SSL Client Identities).

3. Double click on File.

4. Select the PSE file previously created.

5. The certificate is now imported into the transaction.

6. Associate the certificate with the SSL client ZESO01, option Mandante SSL (SSL client), by choosing
PSE → Gravar como (Save as).

7. The SSL client is saved.

8. Obtain the public certificate of the eSocial web service at
https://webservices.producaorestrita.esocial.gov.br/
Web browsers such as Google Chrome and Firefox can export the server certificate.
9. Add the certificate of the restricted environment service by accessing transaction STRUST, then
choosing Certificado → Importar (Certificate → Import).

10. The certificate is now imported. Choose Incluir na lis.certificados (add to certificate list), as shown
in the figure below.

11. The certificate must now appear in the Lista de Certificado (certificate list) field.

12. Save the changes.


13. The ideTransmissor tag of the batch XML must contain the same CNPJ as the digital certificate used to
connect to the government system. If you transmit XML files to the government using a certificate
issued to a company other than the one that generates and signs the events, an additional step is
needed: the feature Determinar o número de inscrição para o transmissor do lote (37NTR) allows you
to configure a different CNPJ to be reported in the ideTransmissor node of the batch XML.
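A pre-transmission check for this requirement, added here as an example and not part of the SAP guide: it reads nrInsc under ideTransmissor from a constructed batch XML, takes the CNPJ from the certificate subject as printed by a tool such as openssl x509 -noout -subject (assuming the ICP-Brasil e-CNPJ convention that the CNPJ follows the colon in the CN), validates the CNPJ check digits, and confirms both values match.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample batch header; the eSocial lote/eventos/envio namespace
# version varies between releases, so the lookup below ignores the namespace.
SAMPLE_BATCH_XML = """<eSocial xmlns="http://www.esocial.gov.br/schema/lote/eventos/envio/v1_1_1">
  <envioLoteEventos grupo="1">
    <ideTransmissor><tpInsc>1</tpInsc><nrInsc>11222333000181</nrInsc></ideTransmissor>
  </envioLoteEventos>
</eSocial>"""

# Constructed subject CN, as printed by `openssl x509 -noout -subject`.
# Assumption: ICP-Brasil e-CNPJ certificates put the CNPJ after the colon in the CN.
SAMPLE_SUBJECT_CN = "EMPRESA EXEMPLO LTDA:11222333000181"

# Weights of the modulo-11 scheme for the first and second CNPJ verification digit.
CNPJ_WEIGHTS = ([5, 4, 3, 2, 9, 8, 7, 6, 5, 4, 3, 2], [6, 5, 4, 3, 2, 9, 8, 7, 6, 5, 4, 3, 2])

def cnpj_is_valid(cnpj: str) -> bool:
    """Return True if the 14-digit CNPJ (punctuation allowed) has correct check digits."""
    digits = re.sub(r"\D", "", cnpj)
    if len(digits) != 14 or len(set(digits)) == 1:
        return False
    nums = [int(d) for d in digits]
    for pos, weights in zip((12, 13), CNPJ_WEIGHTS):
        remainder = sum(n * w for n, w in zip(nums, weights)) % 11
        expected = 0 if remainder < 2 else 11 - remainder
        if nums[pos] != expected:
            return False
    return True

def transmitter_cnpj(batch_xml: str) -> str:
    """Return the nrInsc declared under ideTransmissor in the batch XML."""
    node = ET.fromstring(batch_xml).find(".//{*}ideTransmissor/{*}nrInsc")
    if node is None or not node.text:
        raise ValueError("batch XML has no ideTransmissor/nrInsc element")
    return node.text.strip()

def certificate_cnpj(subject_cn: str) -> str:
    """Return the 14-digit CNPJ that follows the colon in an e-CNPJ subject CN."""
    match = re.search(r":(\d{14})\s*$", subject_cn)
    if match is None:
        raise ValueError("subject CN does not end with ':<14-digit CNPJ>'")
    return match.group(1)

def transmitter_matches_certificate(batch_xml: str, subject_cn: str) -> bool:
    """True only when the batch and certificate CNPJs are valid and identical."""
    xml_cnpj = transmitter_cnpj(batch_xml)
    return cnpj_is_valid(xml_cnpj) and xml_cnpj == certificate_cnpj(subject_cn)
```

A mismatch here is the case in which the 37NTR feature must be configured before the batch is sent.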

TEST THE CONNECTION WITH ESOCIAL RESTRICTED PRODUCTION ENVIRONMENT

1. Access transaction SM59.


2. Create an RFC destination of connection type G (HTTP connection to an external server). Fill in the following field values:
• Destino RFC: ESOCIAL_PREPROD
• Descrição 1: ESOCIAL_PREPROD

3. Fill in the following field values under the Configurações técnicas (technical settings) tab:
• Host destino: webservices.producaorestrita.esocial.gov.br
• Nº Serviço: 443
• PrefCaminh: /servicos/empregador/enviarloteeventos/WsEnviarLoteEventos.svc
• Host proxy: <customer proxy host>
• Serviço proxy: <customer proxy port>

4. Fill in the following field values under the Logon e Segurança (logon and security) tab:
• SSL: ativo
• Certificado SSL: ZESO01

Verify that the remaining fields contain the default values shown in the figure below:

5. Save the record.
6. Test the connection using the Teste Conexão (connection test) button.
7. If the result matches the figure below, the certificate configuration is complete.

8. If the connection fails, review all configurations described in this document. Additionally, check
SAP Note 510007 - Setting up SSL on Application Server ABAP, which describes all configurations and
parameters that can affect the connection. The following items from that SAP Note deserve particular
attention:
a. Enable the HTTPS service in transaction SMICM.
b. Check or update the CommonCryptoLib library (recommended version 8.4.49).
c. Adjust the parameters ssl/ciphersuites and ssl/client_ciphersuites in transaction RZ10.
Recommended values:
i. ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
ii. ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH


© 2017 SAP SE or an SAP affiliate company. All rights reserved.


