I have encountered an error while using the API at this endpoint: https://gw-fatoora.zatca.gov.sa/e-invoicing/simulation/compliance. The error message returned was “Invalid CSR.” However, I successfully generated a CSR for the first endpoint and have removed everything related to the CSR. I have tested all requests using the demo API to generate the CSR:
Request:
{
"subjectDn": "C=SA, O=vision, OU=Riyad Branch, CN=1-TST|2-TST|3-ed22f1d8-e6a2-1118-9b58-d9a8f11e445f",
"deviceSerialNumber": "EGS-1234567890"
}
Response:
{
"success": true,
"message": "CSR generated successfully",
"csrPem": "-----BEGIN CERTIFICATE REQUEST-----\r\nMIIBLDCB1AIBADByMQswCQYDVQQGEwJTQTEPMA0GA1UECgwGdmlzaW9uMRUwEwYD\r\nVQQLDAxSaXlhZCBCcmFuY2gxOzA5BgNVBAMMMjEtVFNUfDItVFNUfDMtZWQyMmYx\r\nZDgtZTZhMi0xMTE4LTliNTgtZDlhOGYxMWU0NDVmMFkwEwYHKoZIzj0CAQYIKoZI\r\nzj0DAQcDQgAElPoXx0lWFjVTqSPmNVum9P1YHcR0r6XQvYPeqRQMfrHHYVJdL6Dr\r\nl2u3e/9T0hc0LEwYqy6VQbhzqXyumYuNdaAAMAoGCCqGSM49BAMCA0cAMEQCIAUz\r\nT5KihdeIlbz/NcGwkOyquZmhujhVn3T4Cfyt85BlAiAT0yvH5d00arNN2T9nhHov\r\n1qkQCJWVN+2xGsb46y2f+g==\r\n-----END CERTIFICATE REQUEST-----\r\n",
"privateKeyFileName": "EGS-1234567890",
"subjectDn": "C=SA, O=vision, OU=Riyad Branch, CN=1-TST|2-TST|3-ed22f1d8-e6a2-1118-9b58-d9a8f11e445f",
"publicKeyBase64": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElPoXx0lWFjVTqSPmNVum9P1YHcR0r6XQvYPeqRQMfrHHYVJdL6Drl2u3e/9T0hc0LEwYqy6VQbhzqXyumYuNdQ==",
"timestamp": "2025-11-02T21:08:08.305982500+02:00[Africa/Cairo]",
"nextStep": "Use this CSR to request Compliance CSID (Step 2)"
}
Then, I made a request to the second endpoint:
Request:
{
"csrPem": "-----BEGIN CERTIFICATE REQUEST-----\r\nMIIBLDCB1AIBADByMQswCQYDVQQGEwJTQTEPMA0GA1UECgwGdmlzaW9uMRUwEwYD\r\nVQQLDAxSaXlhZCBCcmFuY2gxOzA5BgNVBAMMMjEtVFNUfDItVFNUfDMtZWQyMmYx\r\nZDgtZTZhMi0xMTE4LTliNTgtZDlhOGYxMWU0NDVmMFkwEwYHKoZIzj0CAQYIKoZI\r\nzj0DAQcDQgAElPoXx0lWFjVTqSPmNVum9P1YHcR0r6XQvYPeqRQMfrHHYVJdL6Dr\r\nl2u3e/9T0hc0LEwYqy6VQbhzqXyumYuNdQ==\r\n-----END CERTIFICATE REQUEST-----\r\n",
"otp": "123345", // Replace with the actual OTP from ZATCA
"production": false, // Set to false for simulation environment
"deviceSerialNumber": "EGS-1234567890"
}
Response:
{
"success": true,
"message": "Compliance CSID received successfully",
"requestId": null,
"binarySecurityToken": null,
"secret": null,
"certificateFileName": "EGS-1234567890_compliance",
"rawResponse": null,
"timestamp": "2025-11-02T21:09:54.093332+02:00[Africa/Cairo]",
"nextStep": "Use this Certificate and Secret for Compliance Check (Step 3)"
}
However, I received an error message from ZATCA’s API:
Error Response:
{
"errorCode": "400",
"errorCategory": "Invalid-CSR",
"errorMessage": "The provided Certificate Signing Request (CSR) is invalid."
}
Please note that I entered demo data and an incorrect OTP, but I still received an “Invalid CSR” error.
Can anyone advise on what could be the issue?
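A local structural check that can be run on a csrPem value before it is submitted, given here as an added example that is not part of the original post and not ZATCA's or any SDK's code. On this page the csrPem sent in the second request is shorter than the one returned by the first step; the check below compares the length declared in the DER header with the bytes actually present and then looks for the three top-level PKCS#10 fields. The names `check_csr`, `read_tlv`, `tlv` and `to_pem` are hypothetical, and the sample requests are constructed.

```python
import base64
import re
ARMOR = re.compile(r"-----BEGIN CERTIFICATE REQUEST-----(.*?)-----END CERTIFICATE REQUEST-----", re.S)

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: length fits in one byte
        return tag, pos, pos + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or pos + n > len(buf):
        raise ValueError("bad length field")
    return tag, pos + n, pos + n + int.from_bytes(buf[pos:pos + n], "big")

def check_csr(pem):
    """Return structural problems in a PEM PKCS#10 request (RFC 2986); [] means none found."""
    m = ARMOR.search(pem)
    if not m:
        return ["missing PEM armor"]
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        tag, pos, end = read_tlv(der, 0)
        if tag != 0x30:
            return ["outer element is not a SEQUENCE"]
        if end != len(der):
            return [f"outer SEQUENCE declares {end} bytes, {len(der)} present"]
        for name, want in (("certificationRequestInfo", 0x30), ("signatureAlgorithm", 0x30), ("signature", 0x03)):
            tag, _, pos = read_tlv(der, pos)
            if tag != want or pos > end:
                return [f"{name} missing or malformed"]
    except ValueError as exc:             # also covers base64 decoding errors
        return [f"not decodable: {exc}"]
    return []

def tlv(tag, body):
    """Encode one DER element; sample bodies here stay under 256 bytes."""
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])) + body

def to_pem(raw):
    return f"-----BEGIN CERTIFICATE REQUEST-----\r\n{base64.b64encode(raw).decode()}\r\n-----END CERTIFICATE REQUEST-----\r\n"

# Constructed sample data (zero-filled key and signature, not a usable CSR).
INFO = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + tlv(0x30, bytes(89)) + tlv(0xA0, b""))
TAIL = tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d040302"))) + tlv(0x03, bytes(71))  # ecdsa-with-SHA256 + signature
FULL = tlv(0x30, INFO + TAIL)
GOOD_PEM = to_pem(FULL)
CUT_PEM = to_pem(FULL[:len(FULL) - len(TAIL)])   # request with algorithm and signature dropped
```

Pass the csrPem string after JSON decoding, so that `\r\n` are real line breaks rather than literal backslash sequences.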