PFX Certificates
Every SUIT tenant needs a digital certificate (.pfx) from SUNAT to sign electronic documents. This guide covers how to obtain, prepare, and upload your certificate.
What is a PFX certificate?
Section titled “What is a PFX certificate?”A PFX (Personal Information Exchange) file, also known as PKCS#12, contains both your private key and public certificate in a single password-protected file. SUNAT issues these certificates to registered electronic invoice emitters.
Obtaining your certificate
Section titled “Obtaining your certificate”From SUNAT
Section titled “From SUNAT”- Log in to SUNAT Operaciones en Linea with your RUC and SOL credentials
- Navigate to “Certificado Digital”
- Follow the process to request a new certificate
- Download the
.pfxfile and save the password securely
From SUNAT-accredited certification authorities
Section titled “From SUNAT-accredited certification authorities”You can also obtain certificates from accredited providers such as:
- RENIEC
- Camerfirma
- WISeKey
- Otros autorizados por SUNAT
Uploading your certificate
Section titled “Uploading your certificate”Via API
Section titled “Via API”Convert your PFX file to Base64 and upload it:
# Step 1: Convert PFX to Base64base64 -w 0 your-certificate.pfx > certificate-base64.txt
# Step 2: Upload to SUITcurl -X PUT https://api.suit.pe/api/settings/certificate \ -H "Authorization: Bearer YOUR_JWT_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "certificate": "PASTE_BASE64_CONTENT_HERE", "certPassword": "your_certificate_password" }'Converting PFX to Base64
Section titled “Converting PFX to Base64”Linux/macOS:
base64 -w 0 your-certificate.pfxWindows (PowerShell):
[Convert]::ToBase64String([IO.File]::ReadAllBytes("your-certificate.pfx"))Node.js:
const fs = require('fs');const pfx = fs.readFileSync('your-certificate.pfx');const base64 = pfx.toString('base64');console.log(base64);Python:
import base64
with open('your-certificate.pfx', 'rb') as f: encoded = base64.b64encode(f.read()).decode('utf-8') print(encoded)Certificate requirements
Section titled “Certificate requirements”| Requirement | Value |
|---|---|
| Format | PFX / PKCS#12 |
| Minimum key length | 2048 bits |
| Algorithm | RSA |
| Must be valid | Not expired |
| Issued by | SUNAT or accredited CA |
Testing with sandbox
Section titled “Testing with sandbox”For the sandbox environment (api-staging.suit.pe), you can use SUNAT’s test certificate. Contact the SUIT team for the test PFX file and password.
Certificate renewal
Section titled “Certificate renewal”Certificates expire periodically (usually every 1-3 years). When your certificate is about to expire:
- Obtain a new certificate from SUNAT
- Upload the new certificate using the same API endpoint
- The old certificate is automatically replaced
- Documents signed after the update will use the new certificate
Troubleshooting
Section titled “Troubleshooting”SIGN_ERROR status
Section titled “SIGN_ERROR status”If documents return SIGN_ERROR, check:
- The certificate is uploaded correctly (valid Base64)
- The certificate password is correct
- The certificate has not expired
- The certificate matches your RUC
Invalid certificate format
Section titled “Invalid certificate format”Ensure you are uploading a .pfx file, not a .cer or .pem file. If you have separate key and certificate files, combine them:
openssl pkcs12 -export \ -out certificate.pfx \ -inkey private-key.pem \ -in certificate.cer \ -certfile ca-chain.cer