Dutch Tax BAPI Support Changing to KPN Certificates (2012)

Dutch Tax BAPI Support Changing to KPN Certificates (2012)

  • Comments 8

UPDATE!

There have been some changes from the tax authorities since this post. For information about the changes, see Changes in Dutch Tax BAPI Support - Part 2.

INTRODUCTION

Electronic communication with the Dutch Tax administration is based on trusted connections using Digital Certificates. In 2011 an incident has occurred with Diginotar, one on the Certificate Authorities (CA), resulting in a situation that an infiltrator was able to create new certificates on his own for every random domain. This made the whole certificate-based environment unsecure and required facilities to make sure that trusted digital communication remains possible in the future.

The Dutch Tax administration evaluated the different existing communication channels and decided to phase out one of these channels: BAPI-PIN. It has also been decided to no longer use Diginotar certificates but to give KPN (Getronics) the role as the Certificate Service Provider (CSP) for the future.

SUBMITTING VAT AND ICP DECLARATIONS USING MICROSOFT DYNAMICS NAV

You can choose to submit VAT and or ICP to the Dutch Tax Authority by manually filling in a web form (www.belastingdienst.nl). There is a limit however for the ICP declaration. The website allows a maximum of 99 lines to be entered manually. An ICP Declaration report can be printed from Microsoft Dynamics NAV to use as a guideline. 

Microsoft Dynamics NAV supports the BAPI channel electronic communication. Within the BAPI channel both PIN and PKI method are possible by Microsoft Dynamics NAV.

PIN is the public key method and mostly used within the Microsoft Dynamics NAV community. For this method you only need the certificates from the Tax authorities and CSP. To get these you have to fill in the fields on tab Certificates of the ‘Elec. Tax Declaration Setup’ page and get the certificates by the function ‘Get CA Tax Auth. Certificates’. The certificates for the PIN method can be acquired at no cost.

PKI is the private key method. This method uses user certificates for encrypting the message and providing a digital signature. For PKI 4 different types of certificates are needed:

  • certificate from the tax authority (same as for PIN method)
  • CSP certificate. This will be used to check the certificates (same as for PIN method).
  • user certificate to encrypt the message (E-certificate)
  • user certificate for digital signature (DS-certificate/Authentication certificate)

A company has to buy the user certificates. On the KPN site you will find all this information.

TIMELINE

With respect to PIN and PKI the following timeline has been set by the Tax authorities (latest communication in Feb 2012):

  • BAPI PIN: will be phased out by 1-1-2013 for all process flows (VAT, ICP, etc)
  • BAPI PKI: will remain. The certificates of Diginotar need to be replaced before 1-6-2012 by the certificates of the KPN. Until 1-6-2012 it will still be possible to use the Diginotar certificates. The tax authorities urge not to wait until the last day with changing certificates.

MICROSOFT DYNAMICS NAV AND BAPI PIN

In order to continue using PIN until 2013 you will need to change the certificate settings to KPN before June 2012.

To realize this, please change the following settings in the “Electr. Tax Declaration Setup” under the “Certificates” Fast TAB (production environment parameters). Make sure you have no ongoing declarations.

  • Directory LDAP server:

ldap.kpnbapi.managedpki.com:389

  • CA certificate search string:

CN=KPN Corporate Market Tax CA G2,O=KPN Corporate Market BV,C=NL

  • Tax Auth. Cert. Search string:

CN=Belastingdienst,OU=Servercertificaat E - zie CPS,L=Apeldoorn Joost van den Vondellaan 14 (0000),O=Belastingdienst (2000000002),C=NL

No need to change other settings. After that you can renew the certificate by using the function “Get CA Tax Auth. Certificates” and do your normal submissions again.

For testing purposes you can use the following test environment parameters (you should have a test account at Tax Authorities):

  • Directory LDAP server:

ldap.testkpnbapi.managedpki.com:389

  • CA certificate search string:

CN=KPN Corporate Market Tax TEST CA G2,O=KPN Corporate Market BV,C=NL

  • Tax Auth. Cert. Search string:

CN=TEST Belastingdienst,OU=Servercertificaat E - zie CPS,L=Apeldoorn Joost van den Vondellaan 14 (0000),O=Belastingdienst (2000000002),C=NL

MICROSOFT DYNAMICS NAV AND BAPI PKI

If you are using the PKI method to submit the declarations, then you will need to ask for a (re)new(al) certificate at KPN. The Tax Authorities have already informed the users of PKI certificates on this process. Microsoft needs to investigate if Microsoft Dynamics NAV is able to work with KPN certificates under which conditions.

Tests for requesting KPN PKI certificates and submitting declarations are in process at the moment. You will be informed in a timely manner what changes are needed.

-Coen Overgaag

Leave a Comment
  • Please add 6 and 7 and type the answer here:
  • Post
  • It is not possible to get response messages. You get an error. Invalid password.

    How can i solve this problem?

  • Do not change the PIN settings before 1ste of june. TAX authoritie will communicatie in the respons message with de "old" certificate and NAV can not handle this!!!

  • If you get an error message "Cannot find connection name, LDAP0074" as you run the function ‘Get CA Tax Auth. Certificates’, then please check version of bapi.dll and cl32.dll. Usually update of BAPI helps you to avoid this error message.

  • Can Ms Dynamics NAV already request & import new KPN BAPI PKI-certificates?

    My Solution Centre is telling me I first need to switch to the PIN method, because Microsoft is telling them to do so. Is this correct?

  • After renewing the certificate (since jun 1) and sending the 'aangifte'  it is still not possible to get response messages. The TAX authoritie is now using the new certificate.

    How can i solve this problem?

  • For those in need of bapi.dll and cl32.dll: partners should register at http://www.oswo.nl (Community portal for software developers at Belastingdienst). You can download the lastest version here. This portal also gives possibility to analyse eVat problems.

  • When I try to get the certificate I receive the error 'Error during LDAP authentication, Ongeldige DN-syntaxis (34)'. Who can I solve this?

  • "Error during LDAP authentication, Ongeldige DN-syntaxis (34)" OSWO told us to delete the username and password. These are not needed when connecting to the KPN LDAP-server.

    We use ICP by PIN. With the settings above and the new dll's it worked again.

Page 1 of 1 (8 items)