Issues with Phase4 Testing Using Self-Signed Certificates for AS4 Message Exchange

[mohamedamineboughrara]

Hello Philip,

I’m currently testing phase4 with AS4 message exchange, setting up two local instances using self-signed certificates. My goal is to send test messages between these two instances without an official Peppol certificate. I followed the instructions in the phase4 documentation for testing without an official Peppol certificate, but I’m still encountering issues. Here’s a summary of the setup and the errors:

Steps I Followed:
Generated Self-Signed Certificates:
Created two self-signed certificate pairs (cert1 and cert2).
Created Keystores and Truststores:
Created ks1.p12 containing cert1 with alias "cert1" and ks2.p12 containing cert2 with alias "cert2".
Created a truststore that includes only the public certificates of cert1 and cert2.
Configured Phase4 Instances:
Configured the first instance with ks1.p12 and the shared truststore.
Configured the second instance with ks2.p12 and the shared truststore.
Attempted to Send a Test Message:
Used Phase4PeppolSender.Builder with .receiverEndpointDetails(X509Certificate, String) to specify the public AP certificate and endpoint URL of the receiver.
Issue Encountered:
When I try sending a message from one instance to the other, I get an error message stating that the certificate is not a valid Peppol certificate with an “UNSUPPORTED_ISSUER” check result. Here’s the relevant part of the log output:
The provided certificate is not a Peppol certificate. Check result: UNSUPPORTED_ISSUER

I verified that the certificates are correctly stored in the keystores and truststore. Despite following the steps, the system does not seem to recognize the self-signed certificates as valid for Peppol testing.

Could you please help me identify what might be going wrong here? I would greatly appreciate any insights or guidance on what additional configurations might be needed for this setup to work.

Thank you very much for your time and support!

[phax]

Thank you, you stumbled upon a detail missing in the documentation.
You also need to provide .checkReceiverAPCertificate (false) in your sender builder.

Please let me know if that helps, and I will update the guide.

[mohamedamineboughrara]

Hi Philip,

Thanks for the tip! Adding .checkReceiverAPCertificate(false) resolved the issue for my local testing. This would definitely be a helpful addition to the documentation for others setting up locally.

I also have a few questions about moving to a production setup as a service provider (like a C2). Specifically, I’m wondering what’s required to work with Peppol in terms of certificates and the use of SMP and SML. Would I need to run my own SMP server, like Phoss, on my infrastructure, or are there other options? Also, for e-invoicing processing, should the handling be done directly within the application, or is it possible to manage it externally with API calls?

Thanks again for your help .I appreciate any guidance on these next steps!

[phax]

Great to hear, that the suggestion worked. I already added it to the Wiki page.

Regarding the SMP: it is needed to register receiving capabilities. You can either run your own SMP or you can buy access to shared SMPs hosted by other Pepol Service providers. Setting up an SMP is technically not too difficult - see e.g. https://github.com/phax/phoss-smp/blob/master/docs/Setting%20up%20an%20SMP%20for%20Peppol.pdf
The SMP does all the communication to the SML which in turn writes into the DNS.

Regarding eInvoicing processing: the most common case is to separate "transformation", "validation" and "transmission" from each other. As you will be dealing with many formats according (transform) following different rules (validation) and using different networks (transmission), a clear separation will help you to scale in the long term.