# Upload Certificates

> Upload CSD certificate and private key for invoice signing

## Description

Uploads CSD (Certificado de Sello Digital) certificate and private key files for electronic invoice signing. Files are encrypted with AWS KMS and stored securely in S3. Only the organization owner can perform this action.

## Authorization

<ParamField header="Authorization" type="string" required>
  Bearer token for authentication
</ParamField>

## Path Parameters

<ParamField path="id" type="string" required>
  The unique ID of the organization
</ParamField>

## Body Parameters (multipart/form-data)

<ParamField body="certificate" type="file" required>
  CSD certificate file (.cer extension, max 10MB)
</ParamField>

<ParamField body="privateKey" type="file" required>
  Private key file (.key extension, max 10MB)
</ParamField>

<ParamField body="password" type="string" required>
  Password to decrypt the private key
</ParamField>

## Response

<ResponseField name="certificateSerialNumber" type="string">
  Serial number extracted from the certificate
</ResponseField>

<ResponseField name="certificateExpiresAt" type="string">
  Certificate expiration date (ISO 8601 format)
</ResponseField>

<ResponseField name="certificateUpdatedAt" type="string">
  Timestamp when the certificate was uploaded
</ResponseField>

<ResponseField name="rfc" type="string">
  RFC (tax ID) extracted from the certificate, if available
</ResponseField>

## Example Request

```bash
curl -X PUT "https://api.timbrix.com/organizations/123e4567-e89b-12d3-a456-426614174000/certificates" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -F "certificate=@/path/to/certificate.cer" \
  -F "privateKey=@/path/to/private.key" \
  -F "password=your_certificate_password"
```

## Example Response

```json
{
  "certificateSerialNumber": "30001000000400002463",
  "certificateExpiresAt": "2028-05-15T00:00:00.000Z",
  "certificateUpdatedAt": "2024-01-15T10:30:00.000Z",
  "rfc": "XAXX010101000"
}
```

## Response Codes

<ResponseField name="200" type="OK">
  Certificate uploaded successfully
</ResponseField>

<ResponseField name="400" type="Bad Request">
  Invalid certificate files, wrong password, or expired certificate
</ResponseField>

<ResponseField name="401" type="Unauthorized">
  Authentication required
</ResponseField>

<ResponseField name="403" type="Forbidden">
  Access denied. Only organization owners can upload certificates
</ResponseField>

<ResponseField name="404" type="Not Found">
  Organization not found
</ResponseField>

## Security

⚠️ **OWNER ONLY**: Only the organization OWNER can upload CSD certificates. Admins and members cannot perform this action.

🔐 **Encryption**: All certificate files are encrypted with AWS KMS (Server-Side Encryption) before being stored in S3. The certificate password is also encrypted with KMS before being stored in the database.

## Notes

* Certificate file must have `.cer` extension
* Private key file must have `.key` extension
* Maximum file size is 10MB per file
* Expired certificates will be rejected
* Certificate metadata (serial number, expiration date, RFC) is automatically extracted
* Previous certificates are automatically replaced when uploading new ones
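
A local pre-flight for the conditions listed above (extension, 10MB limit, expiry, password), so a bad file pair is caught before the private key leaves the machine. This is an added example, not Timbrix code: the `csd_precheck` function, its return codes and the `CSD_PASSWORD` variable are hypothetical, and it assumes SAT-style CSD files (DER X.509 `.cer`, DER encrypted PKCS#8 `.key`) and a local `openssl`.

```shell
#!/usr/bin/env bash
# Added example, not Timbrix code. Assumes SAT-style CSD files: a DER X.509
# .cer and a DER encrypted PKCS#8 .key. The key password is read from the
# CSD_PASSWORD environment variable so it stays out of argv and shell history.
MAX_BYTES=$((10 * 1024 * 1024))   # documented 10MB per-file limit

# Return codes (constructed for this example):
#   0 ok, 2 bad extension, 3 missing/oversized file,
#   4 unreadable or expired certificate, 5 wrong password, 6 key/cert mismatch
csd_precheck() {
  local cert="$1" key="$2" f size cert_pub key_pub
  case "$cert" in *.cer) ;; *) echo "certificate must end in .cer" >&2; return 2 ;; esac
  case "$key" in *.key) ;; *) echo "private key must end in .key" >&2; return 2 ;; esac
  for f in "$cert" "$key"; do
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 3; }
    size=$(( $(wc -c < "$f") ))
    [ "$size" -le "$MAX_BYTES" ] || { echo "$f: larger than 10MB" >&2; return 3; }
  done
  # -checkend 0 exits non-zero if the certificate has already expired;
  # a file that is not DER X.509 fails the same command.
  openssl x509 -inform DER -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "certificate unreadable or expired" >&2; return 4; }
  # Decrypt the key in a pipe (never written to disk) and derive its public half.
  key_pub=$(openssl pkcs8 -inform DER -in "$key" -passin env:CSD_PASSWORD 2>/dev/null \
            | openssl pkey -pubout 2>/dev/null)
  [ -n "$key_pub" ] || { echo "password does not decrypt the private key" >&2; return 5; }
  # Extra sanity check (not a documented server rule): key must belong to cert.
  cert_pub=$(openssl x509 -inform DER -in "$cert" -noout -pubkey 2>/dev/null)
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 6; }
  # Same metadata the endpoint reports back: serial number and expiry.
  openssl x509 -inform DER -in "$cert" -noout -serial -enddate
}
```

Run it as `csd_precheck certificate.cer private.key` after setting `CSD_PASSWORD` with `read -rs CSD_PASSWORD; export CSD_PASSWORD`, and proceed to the upload only on return code 0.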
