Getting error for compliance check in Live but not for Simulation

shiyaf_texol · November 25, 2025, 11:49am

I am getting the below response during on-boarding compliance check for live APIs

{
“validationResults”: {
“infoMessages”: [
{
“type”: “INFO”,
“code”: “XSD_ZATCA_VALID”,
“category”: “XSD validation”,
“message”: “Complied with UBL 2.1 standards in line with ZATCA specifications”,
“status”: “PASS”
}
],
“warningMessages”: [
{
“type”: “WARNING”,
“code”: “invalid-signing-certificate”,
“category”: “CERTIFICATE_ERRORS”,
“message”: “X509Certificate (CCSID / PCSID) used for signing is not valid certificate (CCSID / PCSID) for this VAT Registration Number.”,
“status”: “WARNING”
}
],
“errorMessages”: [
{
“type”: “ERROR”,
“code”: “invalid-digital-signature”,
“category”: “SIGNATURE_ERRORS”,
“message”: “Invalid digital signature”,
“status”: “ERROR”
}
],
“status”: “ERROR”
},
“reportingStatus”: “NOT_REPORTED”,
“clearanceStatus”: null,
“qrSellertStatus”: null,
“qrBuyertStatus”: null
}

But the same is working perfectly in Simulation.

Why would this happen ? There is no difference in the request for both.

Ankit.K.Tiwari · November 25, 2025, 11:52am

@shiyaf_texo you may be using Simulation Certificate on Production. You need to make sure that invoice is signed using the Production CSID from Production Environment (not PCSID generated on Simulation Environment or CCSIDs or any other CSIDs).

idaoud · November 25, 2025, 12:23pm

Dear @shiyaf_texol

Kindly be informed that the system works as expected. No need to share any further posts for the same queries. Additionally, your elaboration to provide the requested information on this post Clarification Regarding “invalid-digital-signature” signed with different private key Warning - Signing process - Fatoora Developer Community is highly recommended to allow our technical team to provide the usual comprehensive support.

Thanks,
Ibrahem Daoud.

SP_VoM · November 26, 2025, 10:43am

This usually happens when the certificate used in Simulation is not the same one required for Production (Live) onboarding.
Although the XML and signing process may be identical, the certificates are not interchangeable between Simulation and Live environments.

Why Simulation Works but Live Fails

Simulation allows you to use simulation-issued CSIDs/PCSID-hosted keys, and it does not validate them against your actual VAT (TIN) registration.
Live mode, however:

Verifies that the signing certificate (CCSID/PCSID) is issued for your real VAT number.
Validates the digital signature against the certificate installed on your production device.
Enforces strict certificate chain requirements.

Because of that, any of the below will trigger:

invalid-signing-certificate
invalid-digital-signature

Common Causes

Using the Simulation CSID/Certificate in Production
You must generate a new CSR from your production device and activate it using the Live onboarding APIs.
CSR created with wrong TIN or Organization Identifier
The OrganizationIdentifier in the CSR must match your VAT registration number in the exact required format:
```
SA<TIN>
```
Wrong private key / certificate pair being used for signing
If the signature is created using a different private key than the one linked to the activated CSID, you’ll get invalid-digital-signature.
Certificate not properly installed on the device
ZATCA checks device identity. A mismatch between the machine CSR and the signing certificate causes failure.

Quick Checks You Can Do

Confirm you activated a Live device, not simulation.
Verify the certificate subject contains your VAT number.
Re-sign the invoice using the newly activated Live certificate’s private key.
Inspect the DigestValue and SignatureValue to ensure they correspond to the same keypair.

Recommended Fix

Regenerate a new CSR from your production environment → Activate it via the Live “Onboarding Compliance” → Use the returned CCSID/PCSID certificate for all Live invoice signing.

shiyaf_texol · November 26, 2025, 11:15am

We are using Production CSID only, everything was working perfectly till last week.
This is after some update from Zatca side.

For understanding whether the issue is our system or not, atleast we should be able to get the same error in Simulation or Development. But both are still working.

mojtaba · November 27, 2025, 8:54am

anyone was able to resolve the issue?

shiyaf_texol · November 27, 2025, 8:56am

Also, this issue is only for Simplified Invoices and not Standard in Production

mojtaba · November 27, 2025, 10:36am

same case here my friend

AymanBouik · November 30, 2025, 8:34am

We are facing the same issue. When sending an onboarding B2C invoice, we receive the error code “invalid-digital-signature.”

Majd_Alawadi · November 30, 2025, 1:49pm

The issue has now been resolved. Please try again and let us know if you experience any issue.

Majd_Alawadi · November 30, 2025, 2:11pm

The issue has been resolved. Please try again and inform us if you experience any further issues.

Topic		Replies	Views
While onboarding - getting invalid digital sign for compliance check Onboarding, renewal and revocation	16	334	December 2, 2025
Simulation Invoice API error-X509Certificate (CCSID / PCSID) used for signing is not valid certificate (CCSID / PCSID) for this VAT Registration Number Signing process	5	256	March 31, 2025
The compliance certificate is not done with the following compliance steps yet Clearance and Reporting	69	2476	October 13, 2025
Simulation Portal Getting warning code: 'invalid-digital-signature" and "category":"SIGNATURE_ERRORS"' FATOORA portal and Simulation portal	8	269	October 27, 2025
Reporting api gives this error Clearance and Reporting	7	199	January 21, 2025

Getting error for compliance check in Live but not for Simulation

Why Simulation Works but Live Fails

Common Causes

Quick Checks You Can Do

Recommended Fix

Related topics