Send SII model to hacienda using cURL

Question

Send SII model to hacienda using cURL

Navigation

#1 by (2 votes)

2

I am completely desperate. I tried some time ago to find an answer using vba, and I did not get a solution.

I went back to the load trying to use cURL from the command line, but it does not work either. In this case, I am going to raise the whole process with CURL, which as I have been able to document, should work. But something escapes me, because I can not get the Treasury Web Service to receive my files

Export Certificate (.pfx)

In order to use the certificate, first of all you have to export it from my browser. For this, it can be done:

Chrome settings
- Manage certificates ...
  - Export the private key
    - Personal information exchange: PKCS # 12 (.PFX)
      - Include all certificates in the certification path (if possible)
      - Export all extended properties
    - Give password: 12345
    - Name the file: Certificate.pfx

Once this is done, I get a certificate in .pfx format

Convert certificate .pfx to .pem (OpenSSL)

This format is not valid for cURL. Therefore, it must be transformed to .pem before. And for that, everywhere they talk about OpenSSL. I downloaded version 1.0.21 25 May 2017 (consulted from command line) Certified Transformo:

--Importo certificado PEM (sin key)
C:\OpenSSL-Win64\bin\openssl.exe pkcs12 -in C:\VariasSII\Certificados\Certificado.pfx -out C:\VariasSII\Certificados\Certificado-CL.pem -clcerts -nokeys

--Importo KEY
C:\OpenSSL-Win64\bin\openssl.exe pkcs12 -in C:\VariasSII\Certificados\Certificado.pfx -out C:\VariasSII\Certificados\Certificado-KEY.pem -nocerts

--Importo CA (Esto en muchas partes no se usa. Lo tengo, y puedo ponerlo o no, aunque en cualquiera de los casos no me sirve para que funcione el envío
C:\OpenSSL-Win64\bin\openssl.exe pkcs12 -in C:\VariasSII\Certificados\Certificado.pfx -out C:\VariasSII\Certificados\Certificado-CA.pem -cacerts -nokeys

Shipping (using cURL)

Finally, with this instruction you should be able to send XML files to the Treasury:

curl --data C:\VariasSII\TEST.xml --output C:\VariasSII\respuesta.xml --cert C:\VariasSII\Certificados\Certificado-CL.pem --key C:\VariasSII\Certificados\Certificado-KEY.pem https://www7.aeat.es/wlpl/SSII-FACT/ws/fe/SiiFactFEV1SOAP

Answer cURL

The answer to this request is as follows:

<?xml version="1.0" encoding="UTF-8"?><env:Envelope 
xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Body><env:Fault>
<faultcode>env:Client</faultcode><faultstring>Codigo[1304].No se permite 
contenido en el prólogo. (1,1)</faultstring><detail><callstack>XML no válido o mal formado
WSExcepcion [faultcode=null, detailMap=null, version=0, faultstring=No se permite contenido en el prólogo. (1,1), faultactor=null, faultSubCode=null, reasonText=null, detail=null, nameSpaceUriDetail=null]
at es.aeat.adws.jdit.imp.ws.WSFilterSrvImpl.verificarFirma(WSFilterSrvImpl.java:810)
at es.aeat.adws.jdit.imp.ws.WSFilterSrvImpl.doFilter(WSFilterSrvImpl.java:246)
at es.aeat.adws.jdit.api.ws.WSFilter.doFilter(WSFilter.java:24)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:91)
at es.aeat.adht.jdit.imp.infra.JDitFilterSrvImpl.filtroIni(JDitFilterSrvImpl.java:178)
at es.aeat.adht.jdit.imp.infra.JDitFilterSrvImpl.doFilter(JDitFilterSrvImpl.java:86)
at es.aeat.adht.jdit.imp.infra.JDitFilterSrvImpl.doFilter(JDitFilterSrvImpl.java:63)
at es.aeat.adht.jdit.api.filter.JDitFilter.doFilter(JDitFilter.java:24)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:207)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:91)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:1021)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1143)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:82)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:934)
at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:262)
at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:958)
at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.wrapHandlerAndExecute(HttpDispatcherLink.java:357)
at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.ready(HttpDispatcherLink.java:317)
at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:471)
at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleNewRequest(HttpInboundLink.java:405)
at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.processRequest(HttpInboundLink.java:285)
at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.ready(HttpInboundLink.java:256)
at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:174)
at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:83)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:504)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:574)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:929)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1018)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.lang.Thread.run(Thread.java:785)
Caused by: es.aeat.adws.jdit.api.xml.XmlExcepcion: No se permite contenido en el prólogo. (1,1)
at es.aeat.adws.jdit.imp.xml.DomUtilsImpl.isToDoc(DomUtilsImpl.java:85)
at es.aeat.adws.jdit.imp.xml.DomUtilsImpl.isToDoc(DomUtilsImpl.java:51)
at es.aeat.adws.jdit.imp.ws.WSFilterSrvImpl.verificarFirma(WSFilterSrvImpl.java:781)
... 31 more
Caused by: org.xml.sax.SAXParseException: No se permite contenido en el prólogo.
at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
at org.apache.xerces.util.ErrorHandlerWrapper.fatalError(Unknown Source)
at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.XMLScanner.reportFatalError(Unknown Source)
at org.apache.xerces.impl.XMLDocumentScannerImpl$PrologDispatcher.dispatch(Unknown Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
at javax.xml.parsers.DocumentBuilder.parse(Unknown Source)
at es.aeat.adws.jdit.imp.xml.DomUtilsImpl.isToDoc(DomUtilsImpl.java:81)
... 33 more

According to an error, it might seem that the error is in the XML file, but I assure you that it is not so. This file can be sent perfectly from the enabled environment of the tax agency without problems, and it can also be sent using an external application (SoapUI)

Last considerations

On some webpage I saw that they exported CA from the certificate and then used it in cURL (I added the instruction that would allow the CA to be extracted beforehand). However, most of the sites consulted do not use this CA.

At an informative level, using this CA generates the following warning:

curl.exe [...] --cacert C:\VariasSII\Certificados\Certificado-CA.pem

curl: (60) SSL certificate problem: self signed certificate in certificate chain

More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

I am convinced that the problem is in the certificate. But taking into account that the certificate.pfx works well (I have tested it with SoapUI, and I have exported it to another computer, being able to use that certificate without any problems on that computer) ... would I have to think that something is wrong when converting that .pfx to .pem when using OpenSSL? The steps in OpenSSL and cURL I found on the network, and I have contrasted it with all possible sources. People work well. But I did not get out of here.

Hopefully someone can shed some light on this problem.

aeat-sii curl openssl certificado-ssl

asked by BeniGls 02.01.2018 в 14:51

source

1 answer

Convert file to XML and maintain attribute names How to get the name of an element [1], element [2] with jquery

score 2 · Accepted Answer

I modify the answer since apparently the problem in your case was not with the certificate but with the cURL parameters.

How to make the call from cURL

curl --cert ./ALEXANDRU_CATALIN_bundle.pem --header "Content-Type: text/xml;charset=UTF-8" --header "SOAPAction: SuministroLRFacturasEmitidas" --data @datos_xml.txt -v https://www7.aeat.es/wlpl/SSII-FACT/ws/fe/SiiFactFEV1SOAP

By parts:

--cert ./ALEXANDRU_CATALIN_bundle.pem sets the certificate
--header "Content-Type: text/xml;charset=UTF-8" indicates type of content sent
--header "SOAPAction: SuministroLRFacturasEmitidas" indicates the command of the webservice we want to call
--data @datos_xml.txt specifies the file with the data, IMPORTANT it seems that the @ in front of the path of the file is a very important detail since it is what tells cURL to read from a file

Content datos_xml.txt :

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="https://www2.agenciatributaria.gob.es/static_files/common/internet/dep/aplicaciones/es/aeat/ssii/fact/ws/SuministroInformacion.xsd" xmlns:ns2="https://www2.agenciatributaria.gob.es/static_files/common/internet/dep/aplicaciones/es/aeat/ssii/fact/ws/SuministroLR.xsd">
  <SOAP-ENV:Body>
    <ns2:SuministroLRFacturasEmitidas>
      <ns1:Cabecera>
        <ns1:IDVersionSii>1.0</ns1:IDVersionSii>
        <ns1:Titular>
          <ns1:NombreRazon>ALEXANDRU CATALIN TRANDAFIR</ns1:NombreRazon>
          <ns1:NIF>X4378072E</ns1:NIF>
        </ns1:Titular>
        <ns1:TipoComunicacion>A0</ns1:TipoComunicacion>
      </ns1:Cabecera>
      <ns2:RegistroLRFacturasEmitidas>
        <ns1:PeriodoImpositivo>
          <ns1:Ejercicio>2017</ns1:Ejercicio>
          <ns1:Periodo>12</ns1:Periodo>
        </ns1:PeriodoImpositivo>
        <ns2:IDFactura>
          <ns1:IDEmisorFactura>
            <ns1:NIF>X4378072E</ns1:NIF>
          </ns1:IDEmisorFactura>
          <ns1:NumSerieFacturaEmisor>SIIDEMO/1</ns1:NumSerieFacturaEmisor>
          <ns1:FechaExpedicionFacturaEmisor>31-12-2017</ns1:FechaExpedicionFacturaEmisor>
        </ns2:IDFactura>
        <ns2:FacturaExpedida>
          <ns1:TipoFactura>F1</ns1:TipoFactura>
          <ns1:FechaOperacion>31-12-2017</ns1:FechaOperacion>
          <ns1:ClaveRegimenEspecialOTrascendencia>01</ns1:ClaveRegimenEspecialOTrascendencia>
          <ns1:ImporteTotal>1210</ns1:ImporteTotal>
          <ns1:DescripcionOperacion>Compra ordenador portátil</ns1:DescripcionOperacion>
          <ns1:Contraparte>
            <ns1:NombreRazon>HeavyDots SL</ns1:NombreRazon>
            <ns1:NIF>B66544586</ns1:NIF>
          </ns1:Contraparte>
          <ns1:TipoDesglose>
            <ns1:DesgloseFactura>
              <ns1:Sujeta>
                <ns1:NoExenta>
                  <ns1:TipoNoExenta>S1</ns1:TipoNoExenta>
                  <ns1:DesgloseIVA>
                    <ns1:DetalleIVA>
                      <ns1:TipoImpositivo>21</ns1:TipoImpositivo>
                      <ns1:BaseImponible>500</ns1:BaseImponible>
                      <ns1:CuotaRepercutida>105</ns1:CuotaRepercutida>
                    </ns1:DetalleIVA>
                    <ns1:DetalleIVA>
                      <ns1:TipoImpositivo>21</ns1:TipoImpositivo>
                      <ns1:BaseImponible>500</ns1:BaseImponible>
                      <ns1:CuotaRepercutida>105</ns1:CuotaRepercutida>
                    </ns1:DetalleIVA>
                  </ns1:DesgloseIVA>
                </ns1:NoExenta>
              </ns1:Sujeta>
            </ns1:DesgloseFactura>
          </ns1:TipoDesglose>
        </ns2:FacturaExpedida>
      </ns2:RegistroLRFacturasEmitidas>
      <ns2:RegistroLRFacturasEmitidas>
        <ns1:PeriodoImpositivo>
          <ns1:Ejercicio>2017</ns1:Ejercicio>
          <ns1:Periodo>12</ns1:Periodo>
        </ns1:PeriodoImpositivo>
        <ns2:IDFactura>
          <ns1:IDEmisorFactura>
            <ns1:NIF>X4378072E</ns1:NIF>
          </ns1:IDEmisorFactura>
          <ns1:NumSerieFacturaEmisor>SIIDEMO/2</ns1:NumSerieFacturaEmisor>
          <ns1:FechaExpedicionFacturaEmisor>31-12-2017</ns1:FechaExpedicionFacturaEmisor>
        </ns2:IDFactura>
        <ns2:FacturaExpedida>
          <ns1:TipoFactura>F1</ns1:TipoFactura>
          <ns1:FechaOperacion>31-12-2017</ns1:FechaOperacion>
          <ns1:ClaveRegimenEspecialOTrascendencia>01</ns1:ClaveRegimenEspecialOTrascendencia>
          <ns1:ImporteTotal>1210</ns1:ImporteTotal>
          <ns1:DescripcionOperacion>Compra ordenador portátil</ns1:DescripcionOperacion>
          <ns1:Contraparte>
            <ns1:NombreRazon>HeavyDots SL</ns1:NombreRazon>
            <ns1:NIF>B66544586</ns1:NIF>
          </ns1:Contraparte>
          <ns1:TipoDesglose>
            <ns1:DesgloseFactura>
              <ns1:Sujeta>
                <ns1:NoExenta>
                  <ns1:TipoNoExenta>S1</ns1:TipoNoExenta>
                  <ns1:DesgloseIVA>
                    <ns1:DetalleIVA>
                      <ns1:TipoImpositivo>21</ns1:TipoImpositivo>
                      <ns1:BaseImponible>500</ns1:BaseImponible>
                      <ns1:CuotaRepercutida>105</ns1:CuotaRepercutida>
                    </ns1:DetalleIVA>
                    <ns1:DetalleIVA>
                      <ns1:TipoImpositivo>21</ns1:TipoImpositivo>
                      <ns1:BaseImponible>500</ns1:BaseImponible>
                      <ns1:CuotaRepercutida>105</ns1:CuotaRepercutida>
                    </ns1:DetalleIVA>
                  </ns1:DesgloseIVA>
                </ns1:NoExenta>
              </ns1:Sujeta>
            </ns1:DesgloseFactura>
          </ns1:TipoDesglose>
        </ns2:FacturaExpedida>
      </ns2:RegistroLRFacturasEmitidas>
    </ns2:SuministroLRFacturasEmitidas>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Answer:

*   Trying 195.76.38.173...
* Connected to www7.aeat.es (195.76.38.173) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: C:\xampp\apache\bin\curl-ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-SHA256
* Server certificate:
*        subject: description=CAM-SSL-SW; L=MADRID; ST=MADRID; serialNumber=Q2826000H; OU=INFORMATICA TRIBUTARIA; O=AGENCIA ESTATAL DE ADMINISTRACIÓN TRIBUTARIA; CN=*.aeat.es; C=ES
*        start date: Nov  5 07:12:54 2015 GMT
*        expire date: Nov  4 07:12:54 2018 GMT
*        subjectAltName: www7.aeat.es matched
*        issuer: C=ES; OU=AC CAMERFIRMA; O=AC Camerfirma S.A.; serialNumber=A82743287; L=Madrid (see current address at https://www.camerfirma.com/address); CN=Camerfirma Corporate Server II - 2015
*        SSL certificate verify ok.
> POST /wlpl/SSII-FACT/ws/fe/SiiFactFEV1SOAP HTTP/1.1
> Host: www7.aeat.es
> User-Agent: curl/7.47.1
> Accept: */*
> Content-Type: text/xml;charset=UTF-8
> SOAPAction: SuministroLRFacturasEmitidas
> Content-Length: 4824
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
< HTTP/1.1 200 OK
< Date: Thu, 18 Jan 2018 00:49:53 GMT
< X-Powered-By: Servlet/3.1
< DIT-Servidor: WLP00401
< X-UA-Compatible: IE=7
< DIT-Tarea: 17577
< DIT-Codigo-Respuesta: 0
< DIT-NIU: 8093634366
< Content-Length: 1838
< Set-Cookie: JSESSIONID=s1~0001dmDLVUkaddMP4RFOx4oMUB4:wlp004_wlp001; Path=/wlpl/; Secure; HttpOnly
< Set-Cookie: aeat_id_usr_sede=%7B%22tipoAcceso%22%3A%22C%22%2C%22fechaYHora%22%3A%2220180118004953432%22%2C%22nombre%22%3A%22TRANDAFIR%20ALEXANDRU%20CATALIN%22%7D; Path=/; Domain=.agenciatributaria.gob.aeat; Secure
< Expires: Thu, 01 Dec 1994 16:00:00 GMT
< Cache-Control: no-cache="set-cookie, set-cookie2"
< Content-Type: text/xml;charset=UTF-8
<
<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header/>
<env:Body Id="Body"><siiR:RespuestaLRFacturasEmitidas xmlns:siiR="https://www2.agenciatributaria.gob.es/static_files/common/internet/dep/aplicaciones/es/aeat/ssii/fact/ws/RespuestaSuministro.xsd" xmlns:sii="https://www2.agenciatributaria.gob.es/static_files/common/internet/dep/aplicaciones/es/aeat/ssii/fact/ws/SuministroInformacion.xsd"><siiR:Cabecera><sii:IDVersionSii>1.0</sii:IDVersionSii><sii:Titular><sii:NombreRazon>ALEXANDRU CATALIN TRANDAFIR</sii:NombreRazon><sii:NIF>X4378072E</sii:NIF></sii:Titular><sii:TipoComunicacion>A0</sii:TipoComunicacion></siiR:Cabecera><siiR:EstadoEnvio>Incorrecto</siiR:EstadoEnvio><siiR:RespuestaLinea><siiR:IDFactura><sii:IDEmisorFactura><sii:NIF>X4378072E</sii:NIF></sii:IDEmisorFactura><sii:NumSerieFacturaEmisor>SIIDEMO/1</sii:NumSerieFacturaEmisor><sii:FechaExpedicionFacturaEmisor>31-12-2017</sii:FechaExpedicionFacturaEmisor></siiR:IDFactura><siiR:EstadoRegistro>Incorrecto</siiR:EstadoRegistro><siiR:CodigoErrorRegistro>3000</siiR:CodigoErrorRegistro><siiR:DescripcionErrorRegistro>Factura duplicada</siiR:DescripcionErrorRegistro><siiR:CSV>QSAYUMZV8NM3REGD</siiR:CSV></siiR:RespuestaLinea><siiR:RespuestaLinea><siiR:IDFactura><sii:IDEmisorFactura><sii:NIF>X4378072E</sii:NIF></sii:IDEmisorFactura><sii:NumSerieFacturaEmisor>SIIDEMO/2</sii:NumSerieFacturaEmisor><sii:FechaExpedicionFacturaEmisor>31-12-2017</sii:FechaExpedicionFacturaEmisor></siiR:IDFactura><siiR:EstadoRegistro>Incorrecto</siiR:EstadoRegistro><siiR:CodigoErrorRegistro>3000</siiR:CodigoErrorRegistro><siiR:DescripcionErrorRegistro>Factura duplicada</siiR:DescripcionErrorRegistro><siiR:CSV>QSAYUMZV8NM3REGD</siiR:CSV></siiR:RespuestaLinea></siiR:RespuestaLRFacturasEmitidas>
</env:Body></env:Envelope>* Connection #0 to host www7.aeat.es left intact

How to obtain valid PEM bundle certificate

I'll tell you the steps to obtain a valid certificate, but first two notes:

In my case I am preparing it for use with the PHP SoapClient that also needs the PEM format

In my case, I use the original .PFX file that my manager sent me, that is, it was not imported / exported to / from the browser, although I understand that with your exported file it should work as long as it is a valid PFX / P12

Here we go ..

These are the commands to execute with openssl :

openssl pkcs12 -in archivo.pfx -clcerts -nokeys -out archivo_mycert.pem -password pass:"contraseña"
openssl pkcs12 -in archivo.pfx -nocerts -nodes -out archivo_mykey.pem -password pass:"contraseña"

With these commands you extract the certificate on the one hand and on the other, the private key, examples:

Content archivo_mycert.pem :

Bag Attributes
    localKeyID: 01 00 00 00 
    1.3.6.1.4.1.311.17.3.92: 00 08 00 00 
    1.3.6.1.4.1.311.17.3.20: 2A 87 AA 0D B3 2B B8 0B 9F 63 51 6D 29 18 27 68 67 9C 50 F2 
    1.3.6.1.4.1.311.17.3.71: 47 00 45 00 53 00 54 00 49 00 4F 00 2D 00 50 00 43 00 00 00 
    1.3.6.1.4.1.311.17.3.75: 34 00 46 00 46 00 33 00 32 00 31 00 42 00 35 00 42 00 46 00 31 00 39 00 39 00 37 00 38 00 46 00 43 00 46 00 31 00 31 00 33 00 37 00 44 00 41 00 35 00 45 00 39 00 32 00 42 00 34 00 46 00 39 00 5F 00 00 00 
...
-----BEGIN CERTIFICATE-----
MIIGmjCCBYKgAwIBAgIQFciYgGKGJNVYbjZryy+gCDANBgkqhkiG9w0BAQsFADBL
...
xdl/6mx4Kb3K/7JElDg=
-----END CERTIFICATE-----

Content archivo_mykey.pem :

Bag Attributes
    localKeyID: 01 00 00 00 
    friendlyName: le-d65c3786-5ca1-4b92-a149-82acdd8fd1f3
    Microsoft CSP Name: Microsoft Strong Cryptographic Provider
Key Attributes
    X509v3 Key Usage: 80 
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCZBqn8nYbmOLjR
...
Z2orfXHJGDmzf7eGfC4r0g4=
-----END PRIVATE KEY-----

Next, what you must do is create a third file that we will call archivo_bundle.pem and where within this file we paste the contents of the certificate and the key, leaving something like this:

-----BEGIN CERTIFICATE-----
MIIGmjCCBYKgAwIBAgIQFciYgGKGJNVYbjZryy+gCDANBgkqhkiG9w0BAQsFADBL
...
xdl/6mx4Kb3K/7JElDg=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCZBqn8nYbmOLjR
...
Z2orfXHJGDmzf7eGfC4r0g4=
-----END PRIVATE KEY-----

Done, now you will use the archivo_bundle.pem file as a parameter in your cURL or SoapClient call.

Finally, I told you that in link I have written a technical ebook for the implementation of the SII. It contains code examples in PHP and a mini application that has the entire circuit of communication with the SII, which only needs to hang it on a server and leave a certificate in PFX format and it is already operative. Maybe you're interested to have a look! Luck! : -)