> ## Documentation Index
> Fetch the complete documentation index at: https://docs.lerian.studio/llms.txt
> Use this file to discover all available pages before exploring further.

# Activate ICP-Brasil certificate on the RSFN (GEN0006)

> Prerequisite: the certificate must have been rotated first (see rotateCertificate) — its persisted state must be VALID or EXPIRING and carry the recorded serial. Submits a GEN0006 certificate-activation announcement to BACEN for the current OUTBOUND_SIGNING certificate. The submission is persisted with status SUBMITTED before dispatch; BACEN's GEN0006R1 acknowledgment confirms it via NUOp correlation. Idempotent — replaying the same X-Idempotency key with the same body returns the cached response.



## OpenAPI

````yaml en/openapi/v3-current/spb.yaml post /v1/str/certificates/activate
openapi: 3.1.0
info:
  contact:
    email: contact@lerian.studio
    name: Lerian Studio
    url: https://lerian.studio
  description: >-
    OpenAPI 3.1 surface for Lerian SPB, the direct integration between the
    institution and the Brazilian Payment System (SPB) over the National
    Financial System Network (RSFN). It covers the Reserve Transfer System
    (STR): message registry and capability catalog, operation lifecycle (bank
    transfers, IBS repasses, liquidity transfers, returns and cancellations),
    reserve-account and schedule queries, alçada governance, reconciliation, and
    event delivery.
  license:
    name: Lerian Studio General License
  title: Lerian SPB API
  version: 1.0.0
servers:
  - url: https://spb.sandbox.lerian.net
security: []
tags:
  - description: Immutable audit-record trails for STR operations and lifecycle events.
    name: Audit
  - description: >-
      STR capability catalog describing supported message types and their
      constraints.
    name: Capabilities
  - description: >-
      ICP-Brasil certificate inventory with hot-reloadable rotation and
      activation.
    name: Certificates
  - description: >-
      Maker-checker approval queue for emissions parked above their alçada band:
      list pending, sign (approve), and deny.
    name: EmissionApprovals
  - description: Webhook event-delivery records with retry control for failed dispatches.
    name: EventDeliveries
  - description: Operation event catalog enumerating the emitted domain event types.
    name: Events
  - description: >-
      Inbound GEN-family notice log (GEN0001 connectivity echo, GEN0004
      transmission error, GEN0005 administrative notice).
    name: GenNotices
  - description: >-
      SPB alçada governance: the value-band table and per-message-type signature
      requirements, hot-reloaded at runtime.
    name: Governance
  - description: >-
      Read raw STR message status: list messages and read a single message by
      NUOp.
    name: Messages
  - description: Aggregated operational summaries and metrics across STR operations.
    name: OperationalIntelligence
  - description: >-
      STR operation lifecycle for bank transfers and IBS repasses, including
      returns and cancellations.
    name: Operations
  - description: >-
      Service readiness state covering startup self-probes and dependency
      health.
    name: Readiness
  - description: Reconciliation cases and the actions that resolve operation discrepancies.
    name: Reconciliation
  - description: >-
      STR reports suite: synchronous, date-ranged aggregate reports (financial
      movement, rejected transactions, volumetria) over Lerian SPB's own
      transmission record.
    name: Reports
  - description: >-
      STR0013 reserve-account balance and STR0014 statement (extrato,
      message-mode) queries and their async results.
    name: ReserveQueries
  - description: >-
      GEN0019 participant responsável roster: full-replacement updates announced
      to BACEN.
    name: Responsibles
  - description: STR operating-window schedule governing when operations may be sent.
    name: Schedule
  - description: >-
      STR0001 single-party schedule queries (consulta de horários do STR) and
      their async STR0001R1 grid results.
    name: ScheduleQueries
  - description: Runtime SPB configuration settings for the STR integration.
    name: Settings
  - description: Webhook endpoint registration and management for event delivery.
    name: Webhooks
  - description: >-
      Flow (mandatory order): certificate → readiness → connectivity-test →
      submit. Activate a certificate, confirm the rail reports ready, pass a
      connectivity test, then submit an operation. Each step is its own
      resource; a submit must not be attempted before readiness passes.
    name: onboarding
  - description: >-
      Flow (mandatory order): parent operation SETTLED → return/cancel. A return
      or cancellation is a sub-resource of a settled parent operation; the
      {operationId}/{endToEndID} path segment enforces the parent structurally.
    name: lifecycle
paths:
  /v1/str/certificates/activate:
    post:
      tags:
        - Certificates
        - onboarding
      summary: Activate ICP-Brasil certificate on the RSFN (GEN0006)
      description: >-
        Prerequisite: the certificate must have been rotated first (see
        rotateCertificate) — its persisted state must be VALID or EXPIRING and
        carry the recorded serial. Submits a GEN0006 certificate-activation
        announcement to BACEN for the current OUTBOUND_SIGNING certificate. The
        submission is persisted with status SUBMITTED before dispatch; BACEN's
        GEN0006R1 acknowledgment confirms it via NUOp correlation. Idempotent —
        replaying the same X-Idempotency key with the same body returns the
        cached response.
      operationId: activateCertificate
      parameters:
        - description: Idempotency key (primary).
          in: header
          name: X-Idempotency
          schema:
            description: Idempotency key (primary).
            type: string
        - description: Idempotency key (legacy alias for X-Idempotency).
          in: header
          name: X-Idempotency-Key
          schema:
            description: Idempotency key (legacy alias for X-Idempotency).
            type: string
        - description: Idempotency key TTL in seconds (overrides the configured default).
          in: header
          name: X-TTL
          schema:
            description: Idempotency key TTL in seconds (overrides the configured default).
            type: string
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ActivateCertificateRequest'
        required: true
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ActivateCertificateResponseWire'
          description: OK
          links:
            prerequisite:
              description: >-
                Onboarding prerequisite: the certificate must have been rotated
                by rotateCertificate before activation.
              operationId: rotateCertificate
        default:
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Detail'
          description: Error
      security:
        - BearerAuth: []
components:
  schemas:
    ActivateCertificateRequest:
      additionalProperties: false
      properties:
        certifierCode:
          description: >-
            BACEN-assigned SPB certificate-authority code (CodCertifrAtv,
            official type CodCertifr; 1-2 digits). Operator-supplied because the
            certificate does not carry it.
          examples:
            - '1'
          maxLength: 2
          minLength: 1
          type: string
        reason:
          description: >-
            Optional operator rationale recorded with the activation submission
            (max 200 chars).
          examples:
            - Activating Q2 ICP-Brasil certificate
          maxLength: 200
          type: string
      required:
        - certifierCode
      type: object
    ActivateCertificateResponseWire:
      additionalProperties: false
      properties:
        certificateId:
          description: UUID of the activated OUTBOUND_SIGNING certificate-state row.
          examples:
            - 550e8400-e29b-41d4-a716-446655440000
          format: uuid
          type: string
        certificateSerial:
          description: >-
            Hex serial number of the activated certificate, read from the
            persisted certificate-state evidence.
          examples:
            - 00A1B2C3D4E5F60718293A4B5C5D6E7F
          type: string
        controlNumber:
          description: IF control number assigned to the GEN0006 submission.
          examples:
            - '20260610000001'
          type: string
        correlationId:
          description: >-
            Request-scoped correlation identifier echoing X-Request-ID, for
            pivoting from response to trace.
          examples:
            - req-7a3f9c2e
          type: string
        messageType:
          description: STR message code of the submission (always GEN0006 for activation).
          examples:
            - GEN0006
          type: string
        nuOp:
          description: >-
            BACEN protocol identifier (NUOp) assigned to the GEN0006 activation
            submission.
          examples:
            - '12345678202606100000001'
          type: string
        status:
          description: >-
            Submission status; always SUBMITTED until BACEN's GEN0006R1
            acknowledgment flips it to CONFIRMED.
          examples:
            - SUBMITTED
          type: string
        submittedAt:
          description: >-
            RFC3339 UTC timestamp when the activation was persisted before
            dispatch.
          examples:
            - '2026-06-10T18:30:00Z'
          format: date-time
          type: string
      required:
        - certificateId
        - certificateSerial
        - nuOp
        - controlNumber
        - messageType
        - status
        - submittedAt
        - correlationId
      type: object
    Detail:
      additionalProperties: false
      properties:
        code:
          description: >-
            Stable, machine-readable domain error code scoped to the emitting
            service (format: <SERVICE>-NNNN).
          examples:
            - ERR-0001
          type: string
        detail:
          description: >-
            A human-readable explanation specific to this occurrence of the
            problem.
          examples:
            - Property foo is required but is missing.
          type: string
        errors:
          description: Optional list of individual error details
          items:
            $ref: '#/components/schemas/ErrorDetail'
          type:
            - array
            - 'null'
        instance:
          description: >-
            A URI reference that identifies the specific occurrence of the
            problem.
          examples:
            - https://example.com/error-log/abc123
          format: uri
          type: string
        status:
          description: HTTP status code
          examples:
            - 400
          format: int64
          type: integer
        title:
          description: >-
            A short, human-readable summary of the problem type. This value
            should not change between occurrences of the error.
          examples:
            - Bad Request
          type: string
        type:
          default: about:blank
          description: A URI reference to human-readable documentation for the error.
          examples:
            - https://example.com/errors/example
          format: uri
          type: string
      type: object
    ErrorDetail:
      additionalProperties: false
      properties:
        location:
          description: >-
            Where the error occurred, e.g. 'body.items[3].tags' or
            'path.thing-id'
          type: string
        message:
          description: Error message text
          type: string
        value:
          description: The value at the given location
      type: object
  securitySchemes:
    BearerAuth:
      bearerFormat: JWT
      description: JWT bearer token issued by the identity provider.
      scheme: bearer
      type: http

````