AX 2012 supports submission of VAT and ICP declarations using the Digipoort services provided for Dutch companies.
However, the services only support the TLS 1.2 protocol, which is why you may see some errors in AX:
- “The private key is not present in the X.509 certificate”
- “Authentication failed because the remote party has closed the transport stream”
In order to troubleshoot this problem, we can use Microsoft Message Analyzer to track network traffic and determine the source of the errors.
Firstly, the prerequisites for using the Digipoort service are:
- Valid certificates. For more information please check: https://msdn.microsoft.com/en-us/library/dn757173(v=nav.90).aspx
- .NET Framework 4.5 or later – this is needed because a new enum value needs to be available in System.Security.Authentication.SslProtocols – Tls12. Please check: https://msdn.microsoft.com/en-us/library/system.security.authentication.sslprotocols(v=vs.110).aspx. The .NET assembly that defines this is System.dll, which is updated with a new framework version and is available even for programs compiled with an older version.
- Registry settings that force TLS 1.2 version to be used by the .NET Framework:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SchUseStrongCrypto"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SchUseStrongCrypto"=dword:00000001
To troubleshoot using Message Analyzer, you’ll need to monitor local traffic and check the TLS communication:
1. Install Message Analyzer: https://www.microsoft.com/en-us/download/details.aspx?id=44226
2. Run Message Analyzer and choose Start Local Trace
3. Check the IP address of the Digipoort endpoint (it can be either the production or pre-prod one)
ping dgp.procesinfrastructuur.nl
4. In Message Analyzer add a filter on the IP address: *address==144.43.253.21
5. Check the TLS “Client Hello” message:
6. In the Details pane, if the TLS version is 1.0, the Client is attempting to use the old version of the protocol and the server closes the connection right away (sending FIN flag in the next message).
To fix this, setting the registry value on the client should help.
7. If the connection is not closed right away, the server will request the client certificate. If the certificate is expired, the server aborts the connection with the Alert – certificate_expired:
8. To find more information about the certificate, you can check the details on the previous TLS message, sent from client to server:
In the Field Data pane, you can find the certification authority (the “Issuer” field) and expiry date (the “NotAfter” field). Using this information, as well as other fields displayed on that pane, you should find the expired certificate using the Certificates tool in Windows (certmgr.msc) and update it.