CryptoSys Home >
FirmaSAT >
Command-line utility
The FirmaSAT command-line utility is provided by
the executable FirmaSAT.exe. This file needs to be in your search path.
It is installed by default in the %ProgramFiles(x86)%\FirmaSAT directory
(or %ProgramFiles%\FirmaSAT on a 32-bit platform).
You must have installed the FirmaSAT library on your system.
If the program does not work, try the LIBINFO test described in
How to get started.
For XML validation problems, see Troubleshooting.
To make the output display properly on the Windows console, see change the console font and code page.
When installing, you have the option to add FirmaSAT.exe to the PATH variable.
Select Add FirmaSAT.exe to PATH variable when installing.
This means it will be available to call from any command-prompt window without using the FirmaSAT-open menu option.
command prompt into "Search programs and files"C:\Users\username>firmasat FirmaSAT.exe v10.60.0 (Oct 1 2023 15:14:21). --Using core diFirmaSAT2.dll version 106051 (Mar 20 2024 16:43:07) Usage: FirmaSAT ACTION [OPTIONS] [-o outfile] [-i] infile For help type ``FirmaSAT HELP [KEYWORD]'' (en espanol ``FirmaSAT AYUDA'') For options ``FirmaSAT HELP-OPTIONS'' (en espanol ``FirmaSAT AYUDA-OPCIONES'')
See also Open a command-line console in a given directory below.
The two most important commands are
> FirmaSAT HELP Usage: FirmaSAT ACTION [OPTIONS] [-o outfile] [-i] infile ACTION (one of): ASCIIFY = Replace non-ASCII characters with XML character references. ATTRIBUTE = Extract a given attribute from XML file. CERTSTRING = Get the certificate data as a base64 string. EXTRACTDIGEST = Extract the digest from the signature. FORMDIGEST = Form the digest of the pipestring. GETKEYSTRING = Get the private key as a base64 string. HELP = Display this help. HELP-OPTIONS = Display help for options. INSERTCERT = Insert certificate details into XML file. KEYCHECK = Check that key matches certificate. LIBINFO = Display core native DLL library details. MAKESIG = Make signature from XML file. NEWKEY = Save key file with a new password. NUMBERCERT = Get the certificate serial number. PIPESTRING = Make pipestring (cadena) from XML file. QUERYCERT = Query a certificate for a given value (use -q option). RECEIPTVERSION = Get receipt version number or file ID. SIGNXML = Create the signature and set `sello` field in XML file. UTF8FIX = Add UTF-8 byte-order mark to a file. UUID = Generate a Universally Unique IDentifier (UUID). VERIFYSIG = Verify the signature in XML file. WRITEPFX = Create PFX file from private key and certificate. XMLOK = Validate structure of XML file. For help type ``FirmaSAT HELP [KEYWORD]'' (en espanol ``FirmaSAT AYUDA'') For options ``FirmaSAT HELP-OPTIONS'' (en espanol ``FirmaSAT AYUDA-OPCIONES'')
> FirmaSAT HELP-OPTIONS
Usage: FirmaSAT ACTION [OPTIONS] [-o outfile] [-i] infile
OPTIONS:
-a <attribute-name> required for ATTRIBUTE action
-b process Big files with SIGNXML/VERIFYSIG/FORMDIGEST/MAKESIG
-c <certfile> X.509 certificate for VERIFYSIG/SIGNXML/INSERTCERT
-d show Debug info; -dd show more
-e <element-name> required for ATTRIBUTE action
-f act on tfd:TimbreFiscalDigital node instead of document root element
-k <keyfile> required for SIGNXML/KEYCHECK/MAKESIG/NEWKEY
-l (letter 'ell') use Loose XML restrictions with XMLOK (default=strict)
-m output in PEM textual format with GETKEYSTRING/NEWKEY/WRITEPFX
-r output in DER binary format with WRITEPFX
-n <newpassword> new password for WRITEPFX/NEWKEY
-p <password> required for <keyfile>
-q <query> required for QUERYCERT where <query> is one of
{rfc|orgName|notAfter|notBefore|serialNumber|sigAlg|keySize}
-s <statusfile> default=none; for stdout use ``-s @''
-t <tracking-info> optional info for the status file
-x eXclude BOM in output file with SIGNXML
-y output XML using emptY-element tags with SIGNXML
For help type ``FirmaSAT HELP [KEYWORD]'' (en espanol ``FirmaSAT AYUDA'')
For options ``FirmaSAT HELP-OPTIONS'' (en espanol ``FirmaSAT AYUDA-OPCIONES'')
> FirmaSAT AYUDA Uso: FirmaSAT ACCION [OPCIONES] [-o outfile] [-i] infile ACCION (uno de): ASCIIFY = Reemplazar caracteres no ASCII con referencias de caracteres XML. ATTRIBUTE = Extracto de un determinado atributo de archivo XML. CERTSTRING = Obtener los datos del certificado de cadena de un Base64. EXTRACTDIGEST = Extraer el digestion de la firma. FORMDIGEST = Formulario el digestion de la cadena. GETKEYSTRING = Obtener la clave privada en forma de cadena base64. AYUDA = Muestra esta ayuda (mi aerodeslizador esta lleno de anguilas!). AYUDA-OPCIONES = Pantalla de ayuda para las opciones de. INSERTCERT = Insertar detalles de certificado en un archivo XML. KEYCHECK = Comprobar que el certificado partidos clave. LIBINFO = Mostrar detalles de la DLL. MAKESIG = Hacer firma de archivo XML. NEWKEY = Guardar archivo clave con una nueva contrasena. NUMBERCERT = Obtener el numero de serie de certificados. PIPESTRING = Hacer cadena de archivo XML. QUERYCERT = Consultar un certificado para un valor dado (uso -q opcion). RECEIPTVERSION = Obtener el numero de version de comprobante o archivo de ID. SIGNXML = Crear la firma y establecer el `sello` de campo en el archivo XML. UTF8FIX = Anadir un UTF-8 marca de orden de bytes en un archivo. UUID = Generar un UUID. VERIFYSIG = Verificar la firma en el archivo XML. WRITEPFX = Crear el archivo PFX de clave privada y certificado. XMLOK = Validar la estructura del archivo XML. Para obtener ayuda, escriba ``FirmaSAT AYUDA'' (en Ingles ``FirmaSAT HELP'') Para opciones ``FirmaSAT AYUDA-OPCIONES'' (en Ingles ``FirmaSAT HELP-OPTIONS'')
> FirmaSAT AYUDA-OPCIONES
Uso: FirmaSAT ACCION [OPCIONES] [-o outfile] [-i] infile
OPCIONES:
-a <nom-atributo> requerido para la accion ATTRIBUTE
-b procesar grandes archivos con SIGNXML/VERIFYSIG/FORMDIGEST/MAKESIG
-c <archivo-cert> especifique el certificado X.509
-d mostrar informacion de Depuracion; -dd mostrar mas
-e <nom-elemento> requerido para la accion ATTRIBUTE
-f actuar en el nodo tfd:TimbreFiscalDigital en lugar del elemento raiz
-k <archivo-llave> requerido para SIGNXML/KEYCHECK/MAKESIG/NEWKEY
-l (letra 'L') utilizar restricciones XML sueltas con XMLOK: (defecto=strict)
-m salida en formato textual PEM con GETKEYSTRING/NEWKEY/WRITEPFX
-r salida en formato binario en WRITEPFX
-n <nue-contrasena> contrasena nueva para WRITEPFX/NEWKEY
-p <contrasena> requerido para <archivo-llave>
-q <query> requerido para QUERYCERT donde <query> es uno de
{rfc|orgName|notAfter|notBefore|serialNumber|sigAlg|keySize}
-s <archivo-estado> por defecto=ninguno; para usar stdout ``-s @''
-t <tracking-info> seguimiento del Info. opcional para el archivo de estado
-x eXcluir BOM en archivo de salida con SIGNXML
-y XML de salida usando las etiquetas de elementos vacios con SIGNXML
Para obtener ayuda, escriba ``FirmaSAT AYUDA'' (en Ingles ``FirmaSAT HELP'')
Para opciones ``FirmaSAT AYUDA-OPCIONES'' (en Ingles ``FirmaSAT HELP-OPTIONS'')
All action names and options are case-insensitive. To display the syntax, type ``FirmaSAT HELP''. En español, escriba ``FirmaSAT AYUDA''.
The name of the output file must be specified with the -o option.
As an option, you can specify the name of a tracking file (using the -s option) which will contain the results of the operation. This can be used for tracking automated procedures.
To get help on an individual action type ``FirmaSAT HELP <action-name>``. For example
>FirmaSAT HELP EXTRACTDIGEST
FirmaSAT EXTRACTDIGEST [-c <certfile>] [-f] <xmlfile>
Extracts the message digest from the signature ('sello') in file <xmlfile>.
* Use the `-c` option to specify a separate X.509 certificate for the public
key [default = use embedded certificate]
* Use the `-f` option to extract the digest from the TFD element, if present.
Requires `-c <certfile>` of the signer
En espanol: Extractos del resumen del mensaje de la firma ('Sello') en un
archivo XML.
To see the detailed help on all the actions type ``FirmaSAT HELP HELP``.
[New in v10.70.0]
FirmaSAT now handles unencrypted PKCS#8 key files
("private key") as well as the usual encrypted form ("encrypted private key").
To use an unencrypted key file, pass an empty string for the password -p "" in the command line.
To save an encrypted key file in unencrypted form, see NEWKEY Command.
FirmaSAT ASCIIFY <xmlfile> Replaces any non-ASCII characters in <xmlfile> with XML character references. * The output contains only US-ASCII characters and can safely be used as input to other functions without concern for character encoding issues. En espanol: Reemplazar caracteres no ASCII con referencias de caracteres XML.
FirmaSAT ASCIIFY ejemplo.xml
will replace any non-ASCII characters in the input file by its XML character reference. For example, the character "é" will be replaced by the character reference "é".
FirmaSAT ATTRIBUTE -a <attrname> -e <elemname> [-1] <xmlfile> Extracts the value of attribute <attrname> from the first element <elemname> in the XML file <xmlfile> * Write `elemname[N]` to specify the Nth element with name `elemname` * Use `-1` option (number 'one') to encode output in Latin-1 [default=UTF-8] En espanol: Extractos atributo de datos desde un archivo XML.
Examples.
FirmaSAT ATTRIBUTE -d -a Sello -e Comprobante -i cfdi-signed-tfd.xml
will extract the attribute 'Sello' from the element `Comprobante` in the input XML file. The output should look similar to this:
Attribute=[Sello] Element=[Comprobante] e44Oi5xd3bkA1lp1Y/i4AqxyAYfRDNeHkVTDUtS8D9Y4XlJRrlRaeIGSCqMhtLB1zLia4tgGG4gs8OKS 4Ul4wOAMhzG61WAt4XMEonLXWafS7+o/v0snELlA8/dA1rTbZiD5KmKt9kOAqymiinjHn4XozEfdS4sy H+Dj4Xji/nU=
The -d option outputs additional debugging information, in this case the given Attribute and Element values.
Use the notation `elementname[N]` to specify the N'th element with name `elementname` in the XML document,
where N=1,2,3,..., or use an XPath expression.
FirmaSAT ATTRIBUTE -d -a Descripcion -e Concepto[2] -i cfdi-base.xml
will extract the attribute `descripcion` from the second element `Concepto` in the input XML file. The output should look like this:
Attribute=[descripcion] Element=[Concepto[2]] ALUMINIO
Setting -e "" will output the named attribute from the root element of the XML document. Setting both -e "" and -a "" will output the name of the root element itself. For example.
FirmaSAT ATTRIBUTE -a "" -e "" Ejemplo_Retenciones-base.xml FirmaSAT ATTRIBUTE -a "Version" -e "" Ejemplo_Retenciones-base.xml
retenciones:Retenciones 1.0
FirmaSAT CERTSTRING <certorxmlfile> Gets the certificate data from <certorxmlfile> as a base64 string. * The output is a continuous string of base64 characters suitable for the content of a `sello` element. En espanol: Obtiene los datos del certificado como una cadena base64.
FirmaSAT CERTSTRING emisor.cer
will form the certificate string from the X.509 certificate file in the required base64 format to insert in the 'Certificado' node. The output should look similar to this:
MIIEdDCCA1ygAwIBAgIUMjAwMDEwMDAwMDAxMDAwMDU4NjcwDQYJKoZIhvcNAQEFBQAwggFvMRgwFgYD VQQDDA9BLkMuIGRlIHBydWViYXMxLzAtBgNVBAoMJlNlcnZpY2lvIGRlIEFkbWluaXN0cmFjacOzbiBU ... +V/sPMzWWGt8S1yjmtPfXgFs1t65AZ2hcTwTAuHrKwDatJ1ZPfa482ZBROAAX1waz7WwXp0gso7sDCm2 /yUVww==
The DATENOTAFTER command is obsolete and has been removed in version 5.2.0.
Better: Use the QUERYCERT Command with -q notAfter or -q notBefore.
FirmaSAT EXTRACTDIGEST [-c <certfile>] [-f] <xmlfile>
Extracts the message digest from the signature ('sello') in file <xmlfile>.
* Use the `-c` option to specify a separate X.509 certificate for the public
key [default = use embedded certificate]
* Use the `-f` option to extract the digest from the TFD element, if present.
Requires `-c <certfile>` of the signer
En espanol: Extractos del resumen del mensaje de la firma ('Sello') en un
archivo XML.
FirmaSAT EXTRACTDIGEST cfdi-signed-tfd.xml
The EXTRACTDIGEST action will automatically recover the digest in whichever form it was created - either SHA-1 or SHA-256. In this example the signature was created using SHA-256, so the output will have 64 hex characters:
7D3E8D061E305286BA5739F546DF176250C43EE920436103E913485B14A30072
TFD option.
Use the -f option to extract the message digest from the selloSAT signature in the TimbreFiscalDigital (TFD) element, if present.
You must specify the filename of the PAC's certificate used to sign the TFD.
This certificate must have the same serial number as that given in the noCertificadoSAT node.
FirmaSAT EXTRACTDIGEST -f -c pac.cer cfdi-signed-tfd.xml
633653499AF0D0C1CD180B6F264DE8DA45B64A48C09B64AF6FDEC6CC492D3732
FirmaSAT FORMDIGEST [-f|-b] [-g <hashalg>] <xmlfile>
Computes the message digest of pipe string ('cadena') in XML file <xmlfile>.
* Use the `-f` option to compute the digest of the TFD element, if present.
* Use the `-b` option to speed up processing of big files (not TFD).
* Use the `-g` option to force the hash algorithm `SHA1` or `SHA256`.
En espanol: Calcula el resumen del mensaje de la secuencia de la pipa
('Cadena') de un archivo XML
FirmaSAT FORMDIGEST cfdi-signed-tfd.xml
will form the pipe string from the XML file and then compute its message digest in hex form. The message digest algorithm defaults to the correct algorithm for the XML version: SHA-256 for CFDI v4. The output should look like this:
7d3e8d061e305286ba5739f546df176250c43ee920436103e913485b14a30072
TFD option.
Use the -f option to compute the message digest of the pipe string of the TimbreFiscalDigital (TFD) element, if present.
FirmaSAT FORMDIGEST -f -c pac.cer cfdi-signed-tfd.xml
633653499af0d0c1cd180b6f264de8da45b64a48c09b64af6fdec6cc492d3732
FirmaSAT GETKEYSTRING -p <password> [-m] <keyfile> Gets the private key data from the encrypted <keyfile> as a base64 string. * The default output is a continuous string of base64 characters containing the _unencrypted_ private key. * Use the `-m` option to output _encrypted_ private key in PEM format. En espanol: Obtiene los datos de la clave privada en forma de cadena base64.
FirmaSAT GETKEYSTRING -p 12345678a emisor.key
will form the private key from the encrypted private key file in the required base64 format to insert in the `llaveCertificado` element of a `Cancelacion` XML document. The output will be a continuous string of base64 characters like this:
PFJTQUtleVZhbHVlPjxNb2R1bHVzPnRrMDBFanpqUVRsY2FWNy9jQzJLUEkzc3dhMjkrSXY3UzhmSXhu YmNzdHV3WEhyRG1yOW5OVFV2eG5iOWRMdlVwRnJjSGN0K0xrUUZYdXg5R3QxVEVTeHdKTDZkcWpBaDJt WE9FL0pPT3liVy9jS3poSWYxeFV2QzRFK011VGtHS09uSXIzMTEzWmI4VmxQNEhUUDN1aU5wWU9oUnFL ... QjZvUFVJNS93WHNQd29XZ3dNTHd4cXFXMVh6bm1aRmJoZCtvYW5ZTDE0ZUp3OXp6aTU2RjNMWUU9PC9E PjwvUlNBS2V5VmFsdWU+
Use the -m option to output the encrypted private key in PEM format
FirmaSAT GETKEYSTRING -m -p 12345678a emisor.key
-----BEGIN ENCRYPTED PRIVATE KEY----- MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIV+FZR/7E9+8CAggA MBQGCCqGSIb3DQMHBAgiwhoDhotSegSCAoDi82IsNHCEL07pbLApGWi9yUN2uLoV ... Ox4CqKB637nTnBgTrWrrOxGhivYSr2sogItw35uqu5IM6scuvNmzes8Wv0lYn/R3 rSv7cvOWTxqFfT0Tw5Y+c5ypauUSDyY6TQVB9qPf3Wwl0QP20sEY4exP -----END ENCRYPTED PRIVATE KEY-----
FirmaSAT INSERTCERT -c <certfile> <xmlfile> Inserts certificate information into an XML document. En espanol: Insertar detalles de certificado en un archivo XML.
FirmaSAT INSERTCERT -c emisor.cer -o cfdi-addedcerts.xml cfdi-base-nocertnum.xml
will insert the certificate details (NoCertificado and Certificado)
from emisor2048.cer into the new file cfdi-addedcerts.xml.
FirmaSAT KEYCHECK -k <keyfile> -p <password> <certorxmlfile> Verifies that the public key in <certorxmlfile> matches the private key in <keyfile> with password <password>. * The file <certorxmlfile> can be an X.509 certificate or an XML document with an embedded 'sello' certificate. En espanol: Comprueba que la clave publica en un certificado X.509 coincida con la clave privada.
FirmaSAT KEYCHECK -k emisor.key -p 12345678a emisor.cer
checks that the private key in `emisor.key` matches the public key in the certificate file `emisor.cer`. The private key and password are given as options using "-k" and "-p", respectively. The output in this case should be
OK
You can also use the certificate embedded in the 'Certificado' node of an XML document.
FirmaSAT KEYCHECK -k emisor.key -p 12345678a cfdi-signed.xml
FirmaSAT LIBINFO
If correctly installed, the output should be similar to:
FirmaSAT.exe v10.60.0 (Oct 1 2023 15:14:21). Library diFirmaSAT2: Version: 106051 Module: C:\WINDOWS\SYSTEM32\diFirmaSAT2.dll Platform: Win32 Compiled: Mar 20 2024 16:43:07 Licence: D Comments: Licensed Developer Edition | Edicion de Desarrollador Licenciado.
FirmaSAT MAKESIG -k <keyfile> -p <password> [-f|-b] <xmlfile>
Creates the signature as a base64 string from data in <xmlfile> using the
private key in <keyfile>.
* The output can be inserted as a 'sello' node.
* Use the `-f` option to create the signature ('selloSAT') of the TFD element,
if present. This assumes you have a suitable PAC signing key.
* Use the `-b` option to speed up processing of big files (not TFD).
En espanol: Crea la firma como una cadena base64 partir de los datos en un
archivo XML listo para ser insertado como un 'Sello' sobre el terreno.
FirmaSAT MAKESIG -k emisor.key -p 12345678a cfdi-base.xml
will create the signature 'Sello' from the input XML file using the private key and password provided. The output should be similar to
e44Oi5xd3bkA1lp1Y/i4AqxyAYfRDNeHkVTDUtS8D9Y4XlJRrlRaeIGSCqMhtLB1zLia4tgGG4gs8OKS 4Ul4wOAMhzG61WAt4XMEonLXWafS7+o/v0snELlA8/dA1rTbZiD5KmKt9kOAqymiinjHn4XozEfdS4sy H+Dj4Xji/nU=
TFD option.
Use the -f option to create the signature (`selloSAT`) of the TimbreFiscalDigital (TFD) element, if present.
You must specify the filename of the key file and its password.
This assumes you are a PAC and have an appropriate signing key and certificate.
You will need to manually cut-and-paste this result into the selloSAT node
and set the noCertificadoSAT node.
FirmaSAT MAKESIG -f -k pac.key -p 12345678a cfdi-signed-tfd.xml
dLgHwkvdIryil62XOVmHq74dUv+dg31vX80GYwflxXalKu313cVIwbkPdN21UZlz1l97UYxc/V5WfEiz NAGVz58WxS1mPdR0GFiHQGTf5baHXHlYcrRcsMYgJHWEshFPLOWVh3ULdGD8T+L6509Fu7njzPD7Pr6x /T8wobZUMmI=
FirmaSAT NEWKEY [-m] -k <keyfile> -p <password> -n <newpassword> \ -o <outfile> Save key file with a new password. * <keyfile> input key file. * <password> password for existing <keyfile>. * <newpassword> password for new keyfile. * <outfile> new file to be created [required]. * Use the `-m` option to output key in PEM format.
FirmaSAT NEWKEY -k emisor.key -p 12345678a -n 87654321b -m -o emisor_new-key.pem
will create a new key file emisor_new-key.pem encrypted using the new password "87654321b".
In this case, the -m option saves the file in textual PEM format ("ENCRYPTED PRIVATE KEY").
FirmaSAT NEWKEY -k emisor.key -p 12345678a -n "" -o emisor.p8
will create a new unencrypted key file emisor.p8.
CAUTION: saving your private key in unencrypted form is a big security risk.
FirmaSAT NUMBERCERT <certorxmlfile> Gets the serial number of the X.509 certificate in ''special'' SAT format. * The output should be a string of exactly 20 decimal digits. * <certorxmlfile> may be an XML file with an embedded certificate. En espanol: Obtiene el numero de serie del certificado X.509 en ''especial'' SAT formato.
FirmaSAT NUMBERCERT emisor.cer
will extract the serial number directly from a X.509 certificate file. The output should look like this:
20001000000100005867
FirmaSAT NUMBERCERT cfdi-signed-tfd.xml
will extract the serial number from the X.509 certificate embedded in the 'Certificado' node of the XML file. The output should look like this:
20001000000100005867
FirmaSAT PIPESTRING [-1] [-f] [-o <outfile>] <xmlfile>
Creates the ''pipe-string'' (Cadena Original) from XML document <xmlfile>
* Use the `-1` (number one) option to encode the output in Latin-1
[default=UTF-8]
* Use the `-f` option to create the 'Cadena Original del Timbre Fiscal Digital
del SAT', the pipe string of the TFD element, if present.
* Use the `-o` option to output to a text file <outfile> (recommended).
En espanol: Crea la secuencia de la pipa ('cadena') de un archivo XML.
FirmaSAT PIPESTRING cfdi-base.xml
will output the "pipe-string" (cadena original) to the console, e.g.
||3.3|A|1|2012-07-07T16:30:00|1|2010|ingreso| ...etc... |150.00|150|IVA|15.00|52.50||
Note that non-ASCII characters will not display properly on the console. It is better to output directly to a file and use a UTF-8-compatible text editor.
FirmaSAT PIPESTRING -i cfdi-base.xml -o pipedstring.txt
TFD option.
Use the -f option to create the "pipe-string" of the TimbreFiscalDigital (TFD) element, if present.
This is the Cadena original del Complemento de Certificación.
FirmaSAT PIPESTRING -f cfdi-signed-tfd.xml
||1.0|B3D02A7F-C07A-4C72-B7D4-6B70BB2BB3D4|2014-01-15T20:41:18|iJw36avvTScTbBqRh QhxoRQo6EfBK8FeQv46KJBCX8rzf/iix8COB+Nm8/dW2zJcSbhH+AWCicrAkKik/Zq0mW1QWtUxrqCJ9 PsY7V9TMvhFFj3JqykfoDM+QAzgNIj9+x4M4Ehvddb2nMe7JCJaflo9C0sO41bSFdNI22iq6Dc=|2000 1000000100005761||
FirmaSAT QUERYCERT -q <query> <certorxmlfile> Queries the X.509 certificate <certorxmlfile> for the value <query> * where <query> is one of: `notAfter` Get certificate expiry date `notBefore` Get certificate start date `orgName` Get organization name of issuer (expecting SAT) `companyName` Get organization name of subject (your company name) `rfc` Get RFC of subject (12 or 13 characters) `serialNumber` Get decoded serial number (20 decimal digits) `sigAlg` Get algorithm used to sign certificate `keySize` Get size in bits of public key (eg "2048") * <certorxmlfile> may be an XML file with an embedded certificate. En espanol: Busquedas un certificado X.509 para un valor dado.
FirmaSAT QUERYCERT -q rfc emisor.cer
will extract the subject's RFC number, if available, from a X.509 certificate file. The output in this case should look like this:
AAA010101AAA
FirmaSAT QUERYCERT -q organizationName cfdi-signed-tfd.xml
will extract the issuer's organizationName from the X.509 embedded in the 'Certificado' node of the XML file. The output in this case should look like this:
Servicio de Administración Tributaria
FirmaSAT RECEIPTVERSION <xmlfile> Gets the version number of the XML document <xmlfile>. * Outputs 40, 33 or 32 for a <Comprobante> document with version attribute '4.0', 3.3' or '3.2' respectively; or 101x or 102x for a <Retenciones> document with version '1.x' or 2.x respectively; 201x for a Contabilidad document version 1.x; 401x for a <ControlesVolumetricos> document version '1.x'; else returns an error. En espanol: Obtener el numero de version del documento XML.
FirmaSAT RECEIPTVERSION cfdv40-ejemplo.xml
will output a number indicating the value of the Comprobante/@Version attribute or the ID for other document types.
In the above example the output should be
40
FirmaSAT RECEIPTVERSION retenciones20-ejemplo.xml
1020
FirmaSAT SIGNXML -k <keyfile> -p <password> [-c <certfile>] [-x] [-y] [-b] -o <outfile> <xmlfile> Signs the XML file <xmlfile> creating a new file <outfile> signed using the private key in <keyfile> with password <password>, adding X.509 certificate details from optional <certfile>. * Use the `-x` option to create an output file that does _not_ have a UTF-8 byte order mark (BOM) [default=add BOM]. * Use the `-y` option to create an output file using single empty element tags <foo/> instead of the default two-tag form <foo></foo>. * Use the `-b` option to speed up processing of big files (not TFD). En espanol: Senales de un archivo XML. Crea la firma y se establece el `sello` de nodo en un archivo XML.
FirmaSAT SIGNXML -s @ -k emisor.key -p 12345678a -c emisor.cer -i cfdi-base.xml -o cfdi-signed.xml
will create a new signed XML file `cdfi-signed.xml` from the input XML file
`cfdi-base.xml`. It will sign using the private key in `emisor.key` with password `12345678a`
and will add the 'Certificado' details from the X.509 certificate file `emisor.cer`.
The -s @ option outputs a status message to stdout.
It is an error if the certificate and key do not match. Be careful hard-coding your password.
A version 4.0 CFDi document must have the "NoCertificado" attribute completed with the correct certificate serial number before attempting to sign.
<cfdi:Comprobante xmlns:cfdi="http://www.sat.gob.mx/cfd/4" version="4.0" ... NoCertificado="30001000000100000800" Certificado="" Sello="" ...>
Use the -x option to create an output file that does not have a UTF-8 byte order mark (BOM).
Use the -y option to create an output file using single empty-element tags
<foo/> instead of the default start-end tag pair form <foo></foo>.
Caution: this option will delete all XML comments and may affect formatting.
Use the -b option to speed up the processing of large files.
Caution: the output file must be different from the input file with this option.
FirmaSAT UTF8FIX [-o <outfile] <inputfile> Adds a UTF-8 byte-order mark (BOM) to existing file <inputfile>. * Use the `-o` option to output to new file <outfile> (recommended). * If the BOM already exists, it will just copy the file * If <inputfile> is not valid UTF-8, an error will occur. En espanol: Anade un byte UTF-8 marca de orden (BOM) a un archivo existente.
FirmaSAT UTF8FIX cfdi-base.xml cfdi-base_with_BOM.xml
will create a new signed XML file `cfdi-base_with_BOM.xml` with the required UTF-8 byte-order mark. If the BOM already exists, it will just copy the file. If the file is not valid UTF-8, then an error will occur.
FirmaSAT UUID
Example output (always different each time):
ea4ce835-de5d-4082-8475-47f8e531b254
FirmaSAT VERIFYSIG [-c <certfile>] [-f|-b] <xmlfile>
Verifies the signature ('sello') in file <xmlfile>.
* Use the `-c` option to specify a separate X.509 certificate for the public
key [default = use embedded certificate]
* Use the `-f` option to verify the 'selloSAT' signature in the TFD element,
if present. Requires `-c <certfile>` of the signer.
* Use the `-b` option to speed up processing of big files (not TFD).
* This just checks that the signature was created by the owner of
the private key corresponding to the X.509 certificate.
* CAUTION: Nothing else is checked: dates, certificate expiry, certificate
revocation, RFC number, validity of version at date of issue, etc.
En espanol: Comprueba la firma ('Sello') en un archivo XML.
FirmaSAT VERIFYSIG cfdi-signed-tfd.xml
will verify the signature in the signed XML file. In this case it will use the 'Certificado' details in the XML file itself.
OK
FirmaSAT VERIFYSIG cfdi-signed-nocert.xml
will try to verify the signature in the signed XML file. In this case, there is no 'Certificado' node in the XML file and an error will result:
Error code -8: The data is invalid/La data no es valida: X.509 certificate is invalid or not found/Certificado X.509 es valido o no encontrado
FirmaSAT VERIFYSIG -c emisor.cer cfdi-signed-nocert.xml
will use the certificate `emisor.cer` to verify the signature in the XML file. This should produce
OK
TFD option.
Use the -f option to verify the selloSAT signature in the TimbreFiscalDigital (TFD) element, if present.
You must specify the filename of the PAC's certificate used to sign the TFD.
This certificate must have the same serial number as that given in the noCertificadoSAT node.
FirmaSAT VERIFYSIG -f -c pac.cer cfdi-signed-tfd.xml
OK
FirmaSAT WRITEPFX [-m|-r] -k <keyfile> -p <password> -c <certfile> -n <newpassword> \ -o <outfile> Creates a PFX (PKCS-12) file in base64 format suitable for a Cancelacion. * <password> the password to the <keyfile>. * <keyfile> key file which _must_ match the X.509 certificate <certfile>. * <newpassword> password to open the new PFX file. * <outfile> new file to be created [required]. * Use the `-m` option to create a PEM textual file or use the `-r` option to create a DER-encoded binary PKCS12 file (default=plain base64). * CAUTION: giving this PFX file and its password to an untrusted third party is a major security risk. En espanol: Crea un PFX (PKCS-12) archivo en formato base64 adecuado para una cancelacion.
FirmaSAT WRITEPFX -o archivo_pfx.pem -n clavedesalida -k emisor.key -p 12345678a -c emisor.cer -s @
will create a PFX (PKCS-12) file in base64 format containing the user's private key and X.509 certificate encrypted with the new password "clavedesalida".
FirmaSAT XMLOK <xmlfile> Validates the XML document <xmlfile> against S.A.T. specifications. * This just checks that the XML document is well-formed. * Use this as a quick guide to find obvious errors: it may not catch all possible XML format errors that a strict XSD parser may find. En espanol: Valida un archivo XML contra S.A.T. especificaciones.
FirmaSAT XMLOK cfdi-signed-tfd.xml
will check that the input file is validly formed XML. The output in this case should be
OK
If the XML file is not validly formed, the output would be like:
Error code -27: Invalid XML format: XML Validation Error: Required attribute 'formaDePago' missing for element 'Comprobante' (Line: 2 Col: 311); ... etc ...
Note that this is merely checking that the XML formatting of the input file is OK. It does not verify the signature.
The default XMLOK performs strict tests on XML data types and lengths.
Use the -l option (lower case letter L for Lima) to do the looser tests that just check the XML structure.
For example.
FirmaSAT XMLOK cfdi-iedu-badcurp.xml
Error code -28: XML restriction is violated/XML restricción es violada: Bad attribute/atributo mal [iedu:instEducativas/@CURP]: 'JUAN01010101GTOHMD0' is too long/es demasiado largo, maximum length/longitud maxima=18
But this example is OK with the -l option (lowercase L for Lima)
FirmaSAT XMLOK -l cfdi-iedu-badcurp.xml
OK
The batch file DoTests.bat in the latest distribution carries a series of tests and catches any errors. The output should look like this.
FirmaSAT HELP
will display the usage syntax.
FirmaSAT AYUDA
will display the usage syntax in Spanish.
FirmaSAT LIBINFO
will display details about the program and the libraries it depends on.
FirmaSAT HELP <keyword>
will display more detailed help about <keyword>. For example:
FirmaSAT HELP PIPESTRING FirmaSAT HELP NUMBERCERT
FirmaSAT PIPESTRING [-1] [-f] [-o <outfile>] <xmlfile>
Creates the ''pipe-string'' (Cadena Original) from XML document <xmlfile>
* Use the `-1` (number one) option to encode the output in Latin-1
[default=UTF-8]
* Use the `-f` option to create the 'Cadena Original del Timbre Fiscal Digital
del SAT', the pipe string of the TFD element, if present.
* Use the `-o` option to output to a text file <outfile> (recommended).
En espanol: Crea la secuencia de la pipa ('cadena') de un archivo XML.
FirmaSAT NUMBERCERT <certorxmlfile>
Gets the serial number of the X.509 certificate in ''special'' SAT format.
* The output should be a string of exactly 20 decimal digits.
* <certorxmlfile> may be an XML file with an embedded certificate.
En espanol: Obtiene el numero de serie del certificado X.509 en ''especial''
SAT formato.
FirmaSAT HELP HELP
will display more detailed help all the keywords.
CAUTION:
You should never hard-code the password for your production private key anywhere.
You should always require the user to enter it each time.
Here is an example of
a simple batch file signit.bat that expects the password to be typed in as a parameter.
The names of the certificate and private key file are hardcoded.
@echo off :: Expecting filename as first parameter... if "%1"=="" GOTO NOFILE SET MYFILE=%1 :: Deal with optional password and prompt if not given... SET MYPWD=%2 if "%2"=="" set /P MYPWD=Enter password^> :: Check if 64-bit machine and set PROGRAMFILES accordingly... SET _pf=%PROGRAMFILES% IF NOT "%PROGRAMFILES(X86)%"=="" SET _pf=%PROGRAMFILES(X86)% REM ECHO %_pf% :: Create output filename FOR %%i IN (%MYFILE%) DO SET MYNEWFILE=%%~dpni-signed.xml :: Do the business... "%_pf%\FirmaSAT\FirmaSAT" SIGNXML -s @ -k emisor.key -p %MYPWD% -c emisor.cer -i %MYFILE% -o %MYNEWFILE% SET MYPWD= GOTO DONE :NOFILE echo ERROR: no filename echo USAGE: %0 filename [password] :DONE
Use a text editor to create a batch file signit.bat with the above text in it
(the file is also included in the distribution).
The syntax is SIGNIT filename [password].
As an example, type "signit cfdi-base.xml 12345678a" on the command line.
>signit cfdi-base.xml 12345678a STATUS: 0 ERRORDESCRIPTION: OK DATETIMECREATED: Tue Sep 25 19:33:09 2012
This will create the signed file cfdi-base-signed.xml.
Obviously, you could adapt this batch file to cope with your own key file and certificate.
Here is a cute way to open a command-line console in a given directory from Windows File Explorer.
Microsoft Windows [Version 10.0.19045.4170] (c) Microsoft Corporation. All rights reserved. C:\Scratch\test1>
To comment on this page, or for further information, please send us a message.
This page last updated 15 August 2025
