CSR Generation (We are in the final stages of deploying our ZATCA-integrated solution)

Good morning,
We are in the final stage of deployment of our ZATCA-integrated solution.
We successfully onboarded with our company’s Fatoora account and tested the clearance API after receiving the Prod CSID in the simulation env.

We are an “Inventory/billing” solution provider. As a solution provider, below is our understanding:

  • Our software needs to facilitate the generation of a separate Production CSID for each client, based on the CSR generated with the taxpayer’s details.
  • For each new client who uses our software for their trading business, we have to make sure that the whole workflow of Compliance CSID generation, compliance submissions, up to Prod CSID generation is done via our solution interface, and the client just needs to enter the OTP during this onboarding process (which they generate via their own Fatoora login).
  • We have to keep the CSR certificate and private key for each client to later sign their respective invoices.
  • We have to keep each client’s binarySecurityToken and secret so as to do the clearance of their respective invoices.

Kindly confirm if this understanding is right.

Dear @Mausoof,

Thank you for reaching out.

Below is a confirmation and clarification based on your outlined points:

1. Production CSID Generation for Each Client:
Yes, your software must facilitate the generation of a separate Production CSID for each client. This involves generating a CSR using the taxpayer’s details and ensuring it aligns with ZATCA’s requirements. The client will use their OTP (generated via their own Fatoora login) to complete the onboarding process.
2. End-to-End Workflow for Compliance and Production CSID:
Your understanding is correct. Your solution should handle the full workflow of Compliance CSID generation, compliance submissions, through to Prod CSID generation.
The client should only need to provide the OTP during onboarding. This simplifies the process for the client while ensuring compliance with ZATCA’s guidelines.
3. Storing Client’s CSR Certificate and Private Key:
Yes, you need to securely store the CSR certificate and private key for each client to enable the signing of their invoices. Ensure that your storage mechanism follows best practices for security, such as encryption and access control, to protect sensitive data.
4. Storing BinarySecurityToken and Secret:
Correct. You will need to securely store each client’s BinarySecurityToken and Secret to facilitate the clearance process for their invoices. These credentials are essential for submitting invoices through ZATCA’s APIs.

Additional Notes:

• Ensure that your solution complies with data security standards to protect client credentials, certificates, and private keys.
• Clients must use their own Fatoora accounts to generate OTPs and maintain access to their onboarding details. Your solution must guide them through this process seamlessly.
• It is recommended that all workflows (Compliance CSID, Production CSID, invoice signing, and clearance) are tested thoroughly in the simulation environment before moving to production.

If you have any additional questions or require further clarification, please feel free to reach out.

Best regards,

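The two things both posts agree the solution provider must do for every client are (a) generate a per-client key pair and CSR with the taxpayer’s details, and (b) keep the resulting private key, certificate, BinarySecurityToken and secret under encryption and access control. The script below is an added example of that per-client handling; it is not code from the thread, from the poster’s product, or from ZATCA. The curve, the subject fields, the file names and the environment variable names are placeholders: ZATCA’s actual CSR requirements are not reproduced in this thread and must be taken from its onboarding documentation. It only needs a POSIX shell and the `openssl` CLI.

```shell
#!/bin/sh
# Added example (not the forum's or ZATCA's code): per-client CSR generation
# plus at-rest protection of the credentials a solution provider must keep.
# Placeholders: curve, subject, file names, CLIENT_KEY_PASS/CSID_* variables.
set -eu

# Generate an encrypted EC private key and a CSR for one client.
# $1 = per-client directory, $2 = CSR subject in X.500 form.
# The passphrase is read from $CLIENT_KEY_PASS (env:), so it never appears
# in the process argument list where other local users could read it.
# Runs in a subshell so the umask change does not leak to the caller.
gen_client_csr() (
    client_dir=$1
    subject=$2
    : "${CLIENT_KEY_PASS:?set CLIENT_KEY_PASS in the environment}"
    umask 077                      # every file created below is owner-only
    mkdir -p "$client_dir"
    # The key is written already encrypted (PKCS#8, AES-256-CBC), so an
    # unencrypted copy never touches disk. prime256v1 is a placeholder curve;
    # use whatever ZATCA's CSR specification mandates.
    openssl genpkey -algorithm EC \
        -pkeyopt ec_paramgen_curve:prime256v1 \
        -aes-256-cbc -pass env:CLIENT_KEY_PASS \
        -out "$client_dir/private_key.pem"
    openssl req -new -sha256 \
        -key "$client_dir/private_key.pem" -passin env:CLIENT_KEY_PASS \
        -subj "$subject" \
        -out "$client_dir/csr.pem"
    # Self-check before submitting: the CSR's self-signature must verify.
    openssl req -in "$client_dir/csr.pem" -noout -verify >/dev/null 2>&1
)

# Record the Production CSID credentials once ZATCA returns them.
# $1 = per-client directory; values come from $CSID_TOKEN and $CSID_SECRET.
store_client_csid() (
    client_dir=$1
    : "${CSID_TOKEN:?}" "${CSID_SECRET:?}"
    umask 077
    printf 'BINARY_SECURITY_TOKEN=%s\nSECRET=%s\n' "$CSID_TOKEN" "$CSID_SECRET" \
        > "$client_dir/csid.env"
)

# Audit: fail if any file in a client directory is readable by group or
# others, i.e. the access-control half of the "encryption and access control"
# advice in point 3 of the reply. Returns 0 when every file is owner-only.
check_client_perms() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # GNU stat first, BSD/macOS stat as fallback.
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        case "$mode" in
            *00) ;;                                   # 600, 400, 700 ...
            *) echo "group/world-readable: $f (mode $mode)" >&2; return 1 ;;
        esac
    done
    return 0
}

# Usage (values are constructed placeholders):
#   export CLIENT_KEY_PASS='...'   # from your secret store, not a script literal
#   gen_client_csr /var/lib/billing/clients/client-001 \
#       "/C=SA/O=Example Trader/CN=EXAMPLE-CLIENT-001"
#   export CSID_TOKEN='...' CSID_SECRET='...'
#   store_client_csid /var/lib/billing/clients/client-001
#   check_client_perms /var/lib/billing/clients/client-001
```

Two design points worth keeping even if you swap the crypto for a library call inside the application: secrets travel via the environment or a file descriptor rather than command-line arguments, and the permission audit is a separate function so it can run as a periodic check against every client directory, not only at creation time.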

Hi,
Please suggest a tool to generate the Organization CSID certificate to proceed with the ZATCA integration.
As mentioned in your response, cert4sign.com is not supported by ZATCA.

We need an urgent resolution.
Appreciate it,
Athiq