Invalid CSR for simulation

I am following all the steps for generating Base64 CSR using openssl. I have tried making many changes to the csr_config.txt and still get Invalid CSR.
oid_section = OIDs
[OIDs]
certificateTemplateName = 1.3.6.1.4.1.311.20.2
[req]
default_bits = 2048
emailAddress = nkishore@xxxxx.xxx
req_extensions = v3_req
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C = SA
OU = Riyadh
O = My Organization
CN = PREZATCA-Code-Signing
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
subjectAltName = dirName:alt_names
certificateTemplateName = ASN1:PRINTABLESTRING:PREZATCA-Code-Signing
[alt_names]
SN = 1-TenderCare|2-Model123|3-ed22f1d8e6a211189b58d9a8f11e445f
UID = 310000000000003
title = 0100
registeredAddress = Riyadh
businessCategory = Healthcare

I have used actual organization name and TRN but I still keep getting Invalid CSR. What am I doing wrong?

Dear @naval

Thanks for reaching out. Welcome to our community.

To provide comprehensive support as usual, can I kindly ask you to mention all the steps that you followed from the beginning? Additionally, providing screenshots will be more helpful for our investigation.

Thanks,
Ibrahem Daoud.

Dear Ibrahem,

Thank you so much for your prompt response.

I used the attached csr_config.txt and the attached PowerShell script (from Microsoft).

As this did not work, I generated manually, using the following commands:

  • openssl ecparam -name secp256k1 -genkey -noout -out privatekey.pem

Alternative

  • openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out privatekey.pem

Then

  • openssl ec -in privatekey.pem -pubout -conv_form compressed -out publickey.pem

  • openssl req -new -sha256 -key privatekey.pem -extensions v3_req -config csr_config.txt -out taxpayer.csr

  • openssl base64 -in taxpayer.csr -out taxpayerCSRbase64Encoded.txt

I then used the base64 encoded text in Swagger on the dev portal and received error: can’t parse json

I posted through Postman, setting all the headers including v2 and the OTP. The error was: Invalid CSR.

Your assistance to resolve this is greatly appreciated.

Thank you and best regards,
Naval

From “Ibrahem Daoud via Fatoora Developer Community” <notifications@zatca1.discoursemail.com>
To “Dr. N. Kishore” <nkishore@tendercare.me>
Date 01/03/2025 2:30:39 PM
Subject [Fatoora Developer Community] [FATOORA portal and Simulation portal] Invalid CSR for simulation

(Attachment zatca_script.ps1 is missing)

(Attachment csr_config.txt is missing)

Dear Ibrahem,

Thank you so much for your prompt response.

I used the csr_config.txt I posted previously and the PowerShell script from Microsoft.

The PowerShell script gave Invalid CSR, so I generated manually, using the following commands:

  • openssl ecparam -name secp256k1 -genkey -noout -out privatekey.pem

Alternative

  • openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out privatekey.pem

Then

  • openssl ec -in privatekey.pem -pubout -conv_form compressed -out publickey.pem

  • openssl req -new -sha256 -key privatekey.pem -extensions v3_req -config csr_config.txt -out taxpayer.csr

  • openssl base64 -in taxpayer.csr -out taxpayerCSRbase64Encoded.txt

I then used the base64 encoded text in Swagger on the dev portal and received error: can’t parse json

I posted through Postman, setting all the headers including v2 and the OTP. The error was: Invalid CSR.

Your assistance to resolve this is greatly appreciated.

Thank you and best regards,
Naval

Morning @naval

I hope you are doing well,

Please try to use the commands below and let me know if it works:

1- Create private key

openssl ecparam -name secp256k1 -genkey -noout -out ec-secp256k1-priv-key.pem

2- Create public key

openssl ec -in ec-secp256k1-priv-key.pem -pubout > ec-secp256k1-pub-key.pem

3- Create CSR

openssl req -new -sha256 -key ec-secp256k1-priv-key.pem -extensions v3_req -config config.cnf -out my.csr

Thanks,
Ibrahem Daoud.

Good morning and thank you for your support.

I had used secp256k1 earlier and have done so again, following the steps given by you.

Do I need to encode the CSR to base64? My results are as below:

Without base64 encoding:

  • Swagger: can’t parse json
  • Postman: Invalid CSR: PKCS10csr is invalid or empty

With base64 encoding (openssl base64 -in my.csr -out myCSRbase64Encoded.txt — then remove all line breaks and spaces)

  • Swagger: can’t parse json
  • Postman: The provided Certificate Signing Request (CSR) is invalid.

For Swagger I am using the dev portal and for Postman I am using the URLs: gw-fatoora.zatca.gov.sa/e-invoicing/core/compliance and gw-fatoora.zatca.gov.sa/e-invoicing/developer-portal/compliance

Your help is greatly appreciated.

Best regards,
Naval

Dear @naval

Can I kindly ask you to share your full concerns with our technical support team via the email below, to schedule a one-to-one meeting if needed?

SP mail: sp_support@zatca.gov.sa

Thanks,
Ibrahem Daoud.

@naval change default_md = sha256 to (default_md = sha 256 )
add (req_extensions = req_ext) below it.
add ( [req_ext] ) before (subjectAltName = dirName:alt_names)
and then generate csr again.

Thanks for reaching out. I made the changes you suggested:
[req]
default_bits = 2048
default_md = sha 256
req_extensions = req_ext
prompt = no
distinguished_name = dn
req_extensions = v3_req

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment

[req_ext]
subjectAltName = dirName:alt_names
certificateTemplateName = ASN1:PRINTABLESTRING:PREZATCA-Code-Signing

Then I generated CSR again, encoded to base64 with openssl base64 -in my.csr -out myCSRbase64Encoded.txt, removed the line-breaks and spaces and am still getting Invalid CSR when I submit.

I really can’t figure out what is wrong. Any help would be gratefully appreciated. Thanks.

From “Baha Eddine via Fatoora Developer Community” <notifications@zatca1.discoursemail.com>
To “Dr. N. Kishore” <nkishore@tendercare.me>
Date 03/03/2025 11:53:43 AM
Subject [Fatoora Developer Community] [FATOORA portal and Simulation portal] Invalid CSR for simulation

@naval copy this config file.
oid_section = OIDs
[OIDs]
certificateTemplateName = 1.3.6.1.4.1.311.20.2
[req]
default_bits = 2048
emailAddress = {email}
req_extensions = v3_req
x509_extensions = v3_ca
prompt = no
default_md = sha 256
req_extensions = req_ext
distinguished_name = dn
[dn]
C={c}
OU={ou}
O={o}
CN={cn}
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
[req_ext]
certificateTemplateName = {certificate_template}
subjectAltName = dirName:alt_names
[alt_names]
SN={sn}
UID={uid}
title={title}
registeredAddress= {address}
businessCategory={category}

Thank you so much. It worked!
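
An added example, not part of the thread and not ZATCA's or any poster's code: a local pre-submission check that a CSR parses, that its self-signature verifies and that it actually carries the subjectAltName and certificateTemplateName extensions, plus single-line base64 encoding. The function names and all subject values are assumptions made for illustration, the config uses a single req_extensions line, and passing the check says nothing about the portal's own validation rules.

```shell
#!/bin/sh
# Added example. All subject and SAN values are constructed placeholders.
write_config() {  # $1 = config path
cat > "$1" <<'EOF'
oid_section = OIDs
[OIDs]
certificateTemplateName = 1.3.6.1.4.1.311.20.2
[req]
prompt = no
distinguished_name = dn
req_extensions = req_ext
[dn]
C = SA
OU = Example Branch
O = Example Org
CN = EXAMPLE-CN
[req_ext]
certificateTemplateName = ASN1:PRINTABLESTRING:PREZATCA-Code-Signing
subjectAltName = dirName:alt_names
[alt_names]
SN = 1-Example|2-Model|3-00000000000000000000000000000000
UID = 300000000000003
title = 0100
registeredAddress = Example City
businessCategory = Example
EOF
}

make_csr() {  # $1 = config, $2 = key out, $3 = CSR out
  openssl ecparam -name secp256k1 -genkey -noout -out "$2" &&
  openssl req -new -sha256 -key "$2" -config "$1" -out "$3"
}

# Returns 0 only if the CSR parses, its self-signature verifies, and both
# extensions from [req_ext] are present; 1, 2 or 3 names the failed check.
check_csr() {  # $1 = CSR path
  txt=$(openssl req -in "$1" -noout -text -verify 2>&1) || return 1
  printf '%s\n' "$txt" | grep -q 'verify OK' || return 1
  printf '%s\n' "$txt" | grep -q 'Subject Alternative Name' || return 2
  printf '%s\n' "$txt" | grep -Eq '1\.3\.6\.1\.4\.1\.311\.20\.2|certificateTemplateName' || return 3
}

# Base64 of the PEM file on a single line (-A suppresses line wrapping),
# replacing the manual "remove line breaks and spaces" step.
csr_b64() {  # $1 = CSR path
  openssl base64 -A -in "$1"
}
```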