ROS Digital Certificates
ROS Digital Certificates are effectively an employer’s tax certificate. This article explains how to establish a Direct Method connection between ROS and Parolla using your ROS Sub-user Digital Certificate.
In 2019 Revenue moved to real-time PAYE reporting. Every payslip must be reported to Revenue on or before the day that the monies are available in the employee’s account.
To enable this new reporting they created a system where payroll software can connect to Revenue ROS servers and exchange information directly.
Of course, this needs to be secured to make sure that only approved software can access your ROS information. This is where the ROS Digital Certificate comes in.
Think of the ROS Digital Certificate as a master key that you have that allows access to your Revenue information. The key is contained in an encrypted file with the extension of .p12.bac. It is this key that you use when you log into your ROS account.
You can actually copy this key for backup and also to upload it to other software such as Parolla.
However, the ROS Digital Certificate is often a master key. It allows access to all features of the admin account. In the interests of data minimisation and security, we do not want your master key!
This is why we ask for a Sub-User Certificate.
A sub-user certificate is a copy of your ROS Digital Certificate that you can issue to others. However, you can limit and restrict access to certain parts of the ROS system. You can also cancel a sub-user certificate at any time, thereby revoking access for anyone using that certificate.
Creating a ROS Digital Sub-User Certificate
This is a reasonably complicated multi-step process. We have created a video showing you how to create a sub-user certificate on our Video Tutorials page.
Revenue guidance on creating sub-user certificates can be found here.
Uploading a Digital Certificate to Parolla
You will be prompted to upload a digital certificate in the Organisation Setup Wizard.
Clicking on Upload digital certificate will open a dialog box:
The fields you need to enter are the PAYE Registration Number or the Employers Registration Number. This is a 7-digit number followed by 1-2 capital letters, such as 1234567TH.
The employer’s registration number is often the same as the company’s VAT number.
Choose the digital certificate file from your local computer. This will be a file that ends in ‘.p12’ or ‘.p12.bac’.
Enter the password that you use when logging into ROS with this certificate. It is not your Parolla password.
If your digital certificate is an Agent certificate, then you will also need to provide your agent TAIN. This will be a number like 123456Q.
Once you submit the certificate to Parolla we will:
- Unlock the certificate using the password you entered.
- Extract the digital key, encrypt it, and store it in our database for your company.
- Destroy the certificate that you uploaded to us.
- Contact Revenue and attempt to download all the current RPNs for your company.
If we have any issues, these will be related back to you via the message popups. Some common problems are below.
From now on, every time you open a pay run we will automatically download the latest RPNs. All submissions and report requests will be made using this certificate.
Uploading a New Certificate
Digital certificates expire every two years. A sub-user certificate expires whenever the original certificate expires, or if it is revoked.
To upload a new certificate, go to the left-hand side menu and select Settings > Revenue.
You can view the current certificate name and upload date. You can also choose to upload a new certificate or change your employer registration number.
I don’t have a ROS Digital Certificate
You cannot retrieve or send any information to Revenue without a ROS Digital Certificate.
It is possible to set up some parts of your Parolla account, but without a ROS Digital Certificate, we cannot get your employee tax details from Revenue. Without their tax details, you cannot calculate a payslip.
How do I get a ROS Digital Certificate?
Contact Revenue, or go to this site, and register for a certificate. It can take Revenue three to five days to issue a certificate.
Certificate is not Active
There are several reasons why a Revenue action may return the error “Cert is not active”.
The most common is that the certificate has expired after 2 years.
The second is where a new certificate has been issued. This automatically makes the old certificate inactive.
This also applies where a sub-user cert has been built from another certificate that has since expired or become inactive.
Finally, if the certificate has just been issued then it must first be activated by logging into ROS directly at https://www.ros.ie.
For more information go to ROS Digital Certificates at https://www.revenue.ie/en/online-services/support/ros-help/using-ros/renewing-your-ros-digital-certificate/index.aspx
The Certificate won’t open, the password is incorrect
The password for opening ROS digital certificates is the same one that you use when logging into the ROS portal.
If you are getting an error in Parolla, then we suggest trying to access ROS using the same certificate that you are uploading to Parolla. Take note of the successful password and use that.
The certificate doesn’t have the correct permissions
In order to file PAYE information the sub-user certificate must have ‘File‘ permissions for the PAYE-Emp information.
If the certificate does not have the above permissions then Revenue will send back an error message via Parolla.
The software cannot establish a link between the account and the certificate
Agent certificates are a special type of certificate where the agent has access to different companies. To make this link, revenue must know the Agent TAIN (Tax Agent Identification Number) and the Employer Registration number.
When you’re opening an Agent digital certificate make sure to enter the Agent TAIN in the appropriate box.
The Tax Agent Identification Number isn’t working
The Agent TAIN format will be 6 characters long. Normally 5 numbers followed by a letter. It is not a name or email address.