{"errorCategory":"Invalid-CSR","errorMessage":"The provided Certificate Signing Request (CSR) is invalid."}

We are developing an integration for e-invoicing on a WordPress plugin that generates the CSR and connects to the onboarding APIs.

When we try to activate the device in the simulation environment, the API returns the following error:

{
  "errorCode": "400",
  "errorCategory": "Invalid-CSR",
  "errorMessage": "The provided Certificate Signing Request (CSR) is invalid."
}

The CSR is generated using OpenSSL (RSA 3072-bit, SHA256, CodeSigning) with the following distinguished name fields:

  • C = SA

  • O = Company Name (ASCII)

  • CN = VAT Number or UUID (depending on environment)

  • serialNumber = VAT Number

Could you please clarify which exact DN attributes and CN value are required for the CSR to be accepted during the simulation CCSID request?

Thank you for your assistance.

It looks like the error is coming from the CSR itself rather than your API call. ZATCA’s simulation environment is quite strict about the CSR format, and there are a few common pitfalls:

  1. Distinguished Name (DN) attributes
    For CCSID requests, ZATCA expects the following DN fields in the CSR:

    • C = SA (Saudi Arabia) ✅

    • O = Exact legal company name (ASCII)

    • CN = VAT number (for production use) or UUID (for sandbox/simulation).
      Important: Make sure there are no extra spaces or special characters.

    • serialNumber = VAT number (without any prefixes like VAT:)

    Optional fields like ST (state) and L (city) can usually be omitted in simulation, but it’s safer to include them if you have them.

  2. CSR specifications

    • Key size: RSA 3072-bit (correct)

    • Hash: SHA256 (correct)

    • Key usage / Extended Key Usage: Make sure CodeSigning is actually included if you’re signing a code certificate. Sometimes using digitalSignature + keyEncipherment works better for ZATCA simulation.

  3. Common issues

    • CN mismatch: If the CN does not exactly match the VAT or UUID format expected in the simulation, the CSR is rejected.

    • SerialNumber format: It must be exactly the VAT number digits, no letters, spaces, or dashes.

    • OpenSSL encoding: Ensure the CSR is PEM encoded and contains the standard -----BEGIN CERTIFICATE REQUEST----- headers.

Recommendation:

Try generating the CSR with the following OpenSSL command as a test (adjust CN and serialNumber as per your environment):

openssl req -new -newkey rsa:3072 -nodes -sha256 -keyout private.key -out request.csr \
  -subj "/C=SA/O=Company Name/CN=123456789012345/serialNumber=123456789012345"

Then double-check that:

  • CN = UUID (sandbox) or VAT (production)

  • serialNumber = VAT only

  • No extra spaces or special characters in any DN fields

This usually resolves the Invalid-CSR errors in ZATCA’s sandbox.
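
To confirm what actually ended up in the CSR before submitting it, the subject can be read back out of the PEM file and compared with the checklist in the answer above. The following is an added example, not code from the thread or from ZATCA; the function names are hypothetical, the rules are only those listed in the answer (not taken from the ZATCA specification), and it assumes one attribute per RDN with UTF8String or PrintableString values, which is what the `-subj` form of `openssl req` produces.

```python
import base64, re

# DER-encoded attribute OIDs (2.5.4.x) for the four DN fields discussed above.
OIDS = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O",
        b"\x55\x04\x03": "CN", b"\x55\x04\x05": "serialNumber"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE REQUEST-----(.+?)-----END CERTIFICATE REQUEST-----", re.S)
UUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def csr_subject(pem):
    """Return the subject of a PEM PKCS#10 request as [(field, value), ...]."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE REQUEST PEM block found")
    der = base64.b64decode("".join(m.group(1).split()))
    _, request, _ = tlv(der, 0)       # CertificationRequest
    _, info, _ = tlv(request, 0)      # CertificationRequestInfo
    _, _, pos = tlv(info, 0)          # skip version
    _, name, _ = tlv(info, pos)       # subject Name: sequence of RDN sets
    fields, pos = [], 0
    while pos < len(name):
        _, rdn, pos = tlv(name, pos)
        _, pair, _ = tlv(rdn, 0)      # first attribute of the RDN only
        _, oid, nxt = tlv(pair, 0)
        _, value, _ = tlv(pair, nxt)  # assumed UTF8String/PrintableString
        fields.append((OIDS.get(oid, oid.hex()), value.decode("utf-8", "replace")))
    return fields

def lint_subject(fields):
    """Apply the DN checklist from the answer; return a list of problems."""
    dn, problems = dict(fields), []
    if dn.get("C") != "SA":
        problems.append("C is not SA")
    org = dn.get("O", "")
    if not org or not org.isascii() or org != org.strip():
        problems.append("O is empty, non-ASCII or padded with spaces")
    cn = dn.get("CN", "")
    if not re.fullmatch(r"[0-9]+", cn) and not UUID_RE.fullmatch(cn):
        problems.append("CN is neither a digits-only VAT number nor a UUID")
    if not re.fullmatch(r"[0-9]+", dn.get("serialNumber", "")):
        problems.append("serialNumber is not digits only")
    return problems
```

Calling `lint_subject(csr_subject(open("request.csr").read()))` on the file produced by the command above returns an empty list when the subject passes every check; the signature and requested extensions are not examined.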