Invalid-CSR when generating Simulation Compliance CSID

Hello ZATCA Support Team,

We are currently integrating our invoicing system for our company asas alhuwiyah Company (VAT Number: 314227592900003) in the Simulation Environment, and we’re consistently receiving the following error when submitting the CSR to the compliance API:

{
  "errorCode": "400",
  "errorCategory": "Invalid-CSR",
  "errorMessage": "The provided Certificate Signing Request (CSR) is invalid."
}

Environment Details:
Environment: Simulation
Endpoint: https://gw-fatoora.zatca.gov.sa/e-invoicing/simulation/compliance
Method: POST
Headers:
Accept-Version: V2
Content-Type: application/json; charset=UTF-8
Accept-Language: EN
OTP: [valid OTP from simulation portal]
CSR format: Base64 (without BEGIN/END lines)

CSR Configuration:
oid_section = OIDs

[ OIDs ]
CertificateTemplateNameASN1 = 1.3.6.1.4.1.311.20.2

[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = v3_req

[ dn ]
C = SA
ST = Riyadh
L = Riyadh
O = asas alhuwiyah Company
OU = 7a948012-b051-4b84-a26d-01cad94fa282
CN = e-invoice-7a948012-b051-4b84-a26d-01cad94fa282-314227592900003
emailAddress = info@idasas.com

[ v3_req ]
1.3.6.1.4.1.311.20.2 = ASN1:PRINTABLESTRING:PREZATCA-Code-Signing

Command used:
openssl req -new -newkey rsa:2048 -nodes -keyout private-key.pem -out request.csr -config zatca.cnf

We verified the following:

  • CSR passes online validation (no ASN.1 errors)
  • OTP is valid and generated from simulation portal
  • Request headers follow ZATCA API documentation
  • Tried both Arabic and English company names
  • Tried with and without the custom OID 1.3.6.1.4.1.311.20.2

Problem:
Despite multiple correct CSR attempts, we always receive:
"errorCategory": "Invalid-CSR"

Possible causes:

  • Format or encoding expectations for CN/OU
  • Case sensitivity in organization name
  • Mismatch between registered company name and CSR
  • Simulation environment rule related to PREZATCA-Code-Signing

Request:
Could you please confirm whether the CSR format above matches ZATCA Simulation requirements, and clarify the expected structure (mandatory fields, max lengths, encoding, or naming rules) for a valid Simulation CSR?

We’re ready to provide the .csr file and request logs if needed.

Best regards,
J.A.
Idasas (asas alhuwiyah Company)
info@idasas.com

Dear gamalgxg,

This error occurs due to a mistake in generating your CSR for simulation. Please follow these steps to fix it:

1. Generate a Certificate Signing Request (CSR):

  • Ensure that the simulation requirements are considered:

      • OpenSSL: Set CertificateTemplateNameASN1 in the “CNF” configuration file to PRINTABLESTRING:PREZATCA-Code-Signing

      • SDK Command: Include -sim before the command for generating the CSR if you are using the SDK for CSR generation.

2. Ensure that you are using the right endpoints for “simulation,” which can be found in the Fatoora portal user manual.

3. Redo the same process with a new “OTP” obtained from the Fatoora “simulation portal”.

Although a simulation replicates the production environment, it remains a distinct setting; therefore, include simulation requirements when preparing the CSR.

Please let us know when the issue is resolved. If you need any more information, please don’t hesitate to contact us.
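
A pre-submission check for the point made in the reply, as an added example that is not part of the thread or of ZATCA's tooling: it walks the CSR's DER encoding, finds extension 1.3.6.1.4.1.311.20.2 and confirms that it holds the PRINTABLESTRING PREZATCA-Code-Signing. The function names and the `sample` input are constructed for illustration; the check covers only this extension, not the signature or the other CSR fields.

```python
import base64

TEMPLATE_OID = bytes.fromhex("2b0601040182371402")  # DER body of 1.3.6.1.4.1.311.20.2
EXPECTED = "PREZATCA-Code-Signing"                  # simulation value given in the reply

def load_der(text):
    """Accept a CSR as PEM or as bare Base64 (no BEGIN/END lines)."""
    body = [l.strip() for l in text.splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: low 7 bits = length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def find_template(buf, pos=0, end=None):
    """Depth-first search for the extension; returns (string_tag, text) or None."""
    end, last_oid = len(buf) if end is None else end, None
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        if tag == 0x06:                             # OBJECT IDENTIFIER
            last_oid = buf[vs:ve]
        elif tag == 0x04 and last_oid == TEMPLATE_OID:  # extnValue OCTET STRING
            inner, ivs, ive = read_tlv(buf, vs)
            return inner, buf[ivs:ive].decode("latin-1")
        elif tag & 0x20 and (hit := find_template(buf, vs, ve)):  # SEQUENCE, SET, [0]
            return hit
        pos = ve
    return None

def check_simulation_csr(text):
    hit = find_template(load_der(text))
    if hit is None:
        return "template-name extension missing"
    if hit[0] != 0x13:                              # 0x13 = PrintableString
        return "template name is not a PRINTABLESTRING (tag 0x%02x)" % hit[0]
    return "ok" if hit[1] == EXPECTED else "unexpected template name %r" % hit[1]

def sample(name, string_tag=0x13):
    """Constructed test input: only the [0] attributes element, not a signed CSR."""
    t = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths only
    ext = t(0x30, t(0x06, TEMPLATE_OID) + t(0x04, t(string_tag, name.encode())))
    attr = t(0x30, t(0x06, bytes.fromhex("2a864886f70d01090e")) + t(0x31, t(0x30, ext)))
    return base64.b64encode(t(0xA0, attr)).decode()
```

Pass the contents of request.csr (with or without the BEGIN/END lines) to `check_simulation_csr`; anything other than `"ok"` means the template-name extension does not match what the reply asks for.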