How can I secure my invoice account from the introduction of fake electronic invoices after the recent hacker attack that stole passwords?
I’m trying to create a new account with the same data entered previously, but it’s being rejected. The old account is still active, but I want to secure the invoice. Will stealing the certificate information not have a negative impact if it’s used from a different domain than the one it was activated for?
Please help.
Thank you for your cooperation.
Dear @Eman,
Would you please clarify what you mean by the “invoice account”? Is this an account specific to your system, or do you mean the PCSID, which is the certificate that has been provided by ZATCA’s APIs?
You are responsible for storing the CSID in a secured, encrypted place. If an unauthorized person has accessed the CSID, then you MUST revoke this specific CSID from the Fatoora portal and onboard again after fixing the security issue.
Please refer to the security standards for more information. If you have any questions, please don’t hesitate to reach out.
Regards,
20230519_ZATCA_Electronic_Invoice_Security_Features_Implementation_Standards_vF.pdf (720.4 KB)
Yes, I mean PCSID.
I’m trying to create another certificate, but it’s not accepted, even though I followed the same instructions for:
csr.common.name=‘same domain in the old csid’
csr.serial.number=1-‘same in old’|2-‘same in old’|3-‘same in old’-0002
csr.organization.identifier=‘same in old’
csr.organization.unit.name=‘same in old’
csr.organization.name=‘same in old’
csr.country.name=SA
csr.invoice.type=1100
csr.location.address=RRRD2929
csr.industry.business.category=‘same in old’
- Note: I’m using quotation marks for clarity.
I followed all the activation steps, but when creating the PCSID, it gives me this reply:
{"requestID":-2,"tokenType":null,"dispositionMessage":"NOT_COMPLIANT","binarySecurityToken":null,"errors":["unable to submit and sign the CSR in the zatca side, caused by: Denied by Policy Module 0x80094800. The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: PREZATCA-Code-Signing.\r\n"]}
*Note: I did not delete the PCSID. I am trying to create a new one, then I will deactivate the old one.
Is there any help for this?
Hello ZATCA Team,
Is there no solution to my problem?
Dear @Eman,
Please regenerate the CSR with at least one character changed. You can change the EGS serial number, keeping the steps below in mind:
Is this for simulation or production? Which method are you using to generate the CSR?
SDK: If you are using ZATCA’s SDK CLI, then please include the -sim flag to generate the CSR if you are in simulation; exclude it if you are in the production environment.
OpenSSL: If you are using OpenSSL, then you need to modify the template name attribute based on the needed environment as below:
Production: ZATCA-Code-Signing
Simulation: PREZATCA-Code-Signing
If you are using ZATCA’s SDK to submit the CSR, then there is no need to encode it, but with OpenSSL you need to encode the output using base64 before sending.
Kindly confirm if the issue is resolved.
Regards,
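A pre-flight check for the template name and base64 points in the reply above, as an added example that is not part of the original thread or of ZATCA's SDK. It assumes the CSR carries its template name in the Microsoft certificate template name extension (OID 1.3.6.1.4.1.311.20.2) as a PrintableString or UTF8String; the function names are hypothetical and the sample input is constructed, not a real signed CSR.

```python
import base64
import re

# DER bytes of OID 1.3.6.1.4.1.311.20.2 (Microsoft certificate template name).
# Assumption: the CSR carries its template name in this extension.
TEMPLATE_OID = bytes.fromhex("06092b0601040182371402")
# Template names per environment, as listed in the reply above.
EXPECTED = {"production": "ZATCA-Code-Signing", "simulation": "PREZATCA-Code-Signing"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE REQUEST-----(.*?)-----END CERTIFICATE REQUEST-----", re.S)

def csr_der(submitted: str) -> bytes:
    """Accept PEM text, or base64 of the PEM text (the submitted form), and return DER."""
    text = submitted.strip()
    if "BEGIN CERTIFICATE REQUEST" not in text:
        text = base64.b64decode(text).decode("ascii")
    match = PEM_RE.search(text)
    if match is None:
        raise ValueError("no PEM CERTIFICATE REQUEST block found")
    return base64.b64decode("".join(match.group(1).split()))

def template_name(der: bytes) -> str:
    """Read the exact template string; a substring search would confuse the two names."""
    pos = der.find(TEMPLATE_OID)
    if pos < 0:
        raise ValueError("template name extension not present")
    pos += len(TEMPLATE_OID)
    if der[pos] == 0x01:                      # optional BOOLEAN 'critical' flag
        pos += 3
    if der[pos] != 0x04 or der[pos + 1] >= 0x80:
        raise ValueError("expected short-form OCTET STRING after the OID")
    tag, length = der[pos + 2], der[pos + 3]
    if tag not in (0x0C, 0x13) or length >= 0x80:   # UTF8String or PrintableString
        raise ValueError("unexpected string encoding for template name")
    return der[pos + 4 : pos + 4 + length].decode("ascii")

def preflight(submitted: str, environment: str) -> str:
    """Raise before submission if the CSR template does not match the target environment."""
    found, wanted = template_name(csr_der(submitted)), EXPECTED[environment]
    if found != wanted:
        raise ValueError(f"CSR template is {found!r} but {environment} expects {wanted!r}")
    return found

def constructed_sample(name: str) -> str:
    """Constructed input: only the extension bytes in PEM armor, not a real signed CSR."""
    value = bytes([0x13, len(name)]) + name.encode("ascii")
    ext = TEMPLATE_OID + bytes([0x04, len(value)]) + value
    b64 = base64.b64encode(bytes([0x30, len(ext)]) + ext).decode("ascii")
    pem = f"-----BEGIN CERTIFICATE REQUEST-----\n{b64}\n-----END CERTIFICATE REQUEST-----\n"
    return base64.b64encode(pem.encode("ascii")).decode("ascii")
```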
I use the ZATCA SDK, but when I request a production CSID with a letter change, this will be the response:
{
"requestID": -2,
"tokenType": null,
"dispositionMessage": "NOT_COMPLIANT",
"binarySecurityToken": null,
"errors": [
"unable to submit and sign the csr in zatca side, caused : Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: PREZATCA-Code-Signing.\r\n"
]
}