If you do not know the private key you will have to renew the certificate and make sure to save the private key when generating the csr file. You can refer to section 4. INITIAL REQUEST (MS SYSTEM OWNER) of this document: https://sfc.ec.europa.eu/en/2021/sfc2021-pm-330-procedure-request-client-certificate .

Please send the new csr file to the MS Liaison Officer in charge of the user accounts for your country and fund(s) and ask to renew the certificate. If you do not know who to contact you can send an email at EC-SFC2021-INFO@ec.europa.eu  ,

If you get an error 400 Bad request referring to "Invalid grant: Access Token was issued to another audience" it means that you're using a wrong FO_CLIENT_ID. Please correct the FO_CLIENT_ID you're using.

Refer to this FAQ: https://sfc.ec.europa.eu/en/where-can-i-find-fo-client-id .

If the error persists you can send it for further investigation to EC-SFC2021-INFO@ec.europa.eu  with EC-SFC2021-WEBSERVICES@ec.europa.eu  in copy . Please include the error message, your clientID, the FO_CLIENT_ID you're using and the SFC environment concerned in your email.

If you receive a Token endpoint error {"error_description":"Unauthorized client: The requested grant type 'client_credentials' is not registered for this application","error":"unauthorized_client"} you can send it for further investigation to EC-SFC2021-INFO@ec.europa.eu with EC-SFC2021-WEBSERVICES@ec.europa.eu in copy .

Please include the error message, your clientID and the SFC environment concerned in your email.

Yes! You can use the webservices to populate one specific part of the object (for example 1 table) and continue editing the object in the SFC web application.

The FO_CLIENT_ID for Training (test) and Production environment is listed in section 1.1 of the WS guide: https://sfc.ec.europa.eu/en/2021/sfc2021-webservice-guide . 

Yes, a timeout is set on 29 minutes when using the webservices.

The personal data (First name, Last name and Email) of the user associated to a certificate account in our database is considered as the official signer of data and documents sent to the Commission via webservices, and whose name will appear on screen and in the (Snapshot) documents after sending.

This means that it will also be the name of the person that is displayed in the Declaration section of a Payment Application as the signer. If this is not correct you can opt to:

• change the person linked to the certificate account in SFC. For this, please contact the MS Liaison Officer in charge of the user accounts for your country and fund(s) who can send a request to update the certificate (when the name is also included in the CN name of the certificate, the certificate will have to be renewed instead ). If you do not know who to contact you can send an email at EC-SFC2021-INFO@ec.europa.eu ,

  or

• manually update the name of the authority representing the accounting function in every Payment Application before validating/sending the Payment Application. For this you will need a web user account with the appropriate update permission and log in to the SFC2021 web application. For an example of how to change the name of the Authority representing the accounting function, you can refer to the Payment Application for IJG here: https://sfc.ec.europa.eu/en/2021/quickguides/paymentapplication-ijg#declaration--payment-application-14 .

   

For any question please contact EC-SFC2021-INFO@ec.europa.eu and provide us the SFC environment, your clientID and the CCI number concerned .

If you encounter a problem to establish a connection with SFC using the webservices and you see a 'handshake failure' error please verify the certificate you're using is still valid.

When the validity of the certificate is OK, the failure might be caused by the SSL protocol you're using. Please refer to this FAQ: https://sfc.ec.europa.eu/en/which-ssl-protocol-should-be-used-connect-sfc .

If the error persists, you can send it for further investigation to EC-SFC2021-INFO@ec.europa.eu  with EC-SFC2021-WEBSERVICES@ec.europa.eu  in copy . Please include the error message, your clientID and the SFC environment concerned in your email.
 

The minimum allowed SSL protocol is TLS v.1.2 . 

Note:
The minimum java version required to have the TLS v1.2 enabled by default is Java™ SE Development Kit 7, Update 131 Release Notes (oracle.com) . When using a lower version it may cause a handshake failure error.

Given the impossibility to implement the "4-eyes" principle in a machine to machine interface, when accessing SFC via webservices, the 4-eyes principle is not enforced!

The responsibility is on the MS side. Each MS should take care of the implementation of the "4-eyes" principle internally in its own information system!

This also means that the same certificate can be used to validate and send the same object.