Clarification Needed on Certificate Renewal Process

Onboarding, renewal and revocation
1

Hello everyone,

I’m currently working on the Certificate Renewal process and would appreciate some guidance.
I have read several references from threads in this forum. Here’s what I understand so far:

1. Send PATCH Request to Production CSID (Renewal) API

  • Authorization: Old PCSID binarySecurityToken and secret
  • Payload: Old CSR
    The server responds with a new binarySecurityToken and secret.

2. Compliance Invoice Check

  • Decode the Base64 binarySecurityToken to obtain the new X509Certificate.
  • Sign 6 sample documents with the new X509Certificate and send them to the Compliance Check API.
  • Authorization: New binarySecurityToken and secret from the Production CSID (Renewal) API response.

My questions are:

  1. Are there any additional steps required after the Compliance Invoice Check, or is this process complete?
  2. If the steps I mentioned above are correct, do I need to save the new binarySecurityToken and secret for signing actual invoices and obtaining approval from the Report and Clearance API?

Thank you for your assistance!

2

Dear @eCloud

Thanks for reaching out,

Please note that after generating PCSID successfully it will be available for 5 years from generated date, no need to renew it if you already generated it successfully.

However, for Renewal process what you mentioned is quiet right, please find the detailed explain for Renewal PCSID hope to answer all your concerns:

1. Send PATCH Request to Production CSID (Renewal) API:
Authorization: Same as you mentioned.
** Payload:** Same as you mentioned.
The response 428 with a new CSID.
2. Compliance Invoice Check:

  • Decode the Base64 binarySecurityToken to obtain the new X509Certificate replace it with the cert.pem file in the following path zatca-einvoicing-sdk-238-R3.3.4\Data\Certificates\cert.pem. and replace the private Key from the generated CSR in the same directory in the SDK the file name “ec-secp256k1-priv-key.pem”.
  • Based on your config file invoice type you will start sending the samples invoice to complete all the compliance checks,
    If the invoice type 1000, you need to send 3 slandered invoices,
    If the invoice type 0100, you need to send 3 simplified invoices,
    If the invoice type 1100, you need to send 6 invoices 3 simplified invoices and 3
    slandered,
    To the Compliance Check AP using the new binarySecurityToken and secret (CSID).

3. Generat New PCSID:
Complete the steps to generate the PCSID from the PCSID API.

For your second question, you need to save the new PCSID, to start using it to sending your actual invoices.

For any further support, do not hesitate to reach out with the SP support via mail: sp_support@zatca.gov.sa.

Thanks,
Ibrahem Daoud.

1 Like
3

Dear @idaoud,
The binarySecurityToken & Secret outed from Production CSID (Renewal) API will use as username&password when Compliance Invoice Check
Then after sending samples invoice (From SDK ?)then generate the PCSID from the PCSID API.

That’s I stand from your answer, It’s right or not?

4

Dear @Madleen

I hope this reply finds you well,

Do you still have any concerns related the Renewal process?

Thanks,
Ibrahem Daoud.

5

Dear @idaoud ,

    Follow-up question, after successful renewal of the PCSID, the ICV should be reset to 1 again, is this right?