Issue with X509IssuerName and X509SerialNumber in ZATCA Simplified XML Validation

@Ankit_Tiwari @idaoud @saalotaibi
I am using the zatca.cnf configuration file from the official ZATCA documentation to generate a CSR and request a compliance certificate (PCSID) using the following OpenSSL commands:

zatca.cnf file content

oid_section = OIDs
[OIDs]
certificateTemplateName = 1.3.6.1.4.1.311.20.2
[req]
default_bits = 2048
emailAddress = abccompany@gmail.com
req_extensions = v3_req
x509_extensions = v3_ca
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
C = SA
OU = 3001111003
O = ABC COMPANY EST
CN = ABCCOM-1001-20250206-POS01
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
[req_ext]
certificateTemplateName = ASN1:PRINTABLESTRING:PREZATCA-Code-Signing
subjectAltName = dirName:alt_names
[alt_names]
SN = 1-PQR Private Limited|2-Version 1.0|3-PQR-ABC10001-20250206
UID = 300111100300003
title = 1100
registeredAddress = EMDC1111
businessCategory = Food Stuff

  1. Generate private key:
openssl ecparam -name secp256k1 -genkey -noout -out privatekey.pem

  2. Generate CSR:
openssl req -new -sha256 -key privatekey.pem -extensions v3_req -config zatca.cnf -out taxpayer.csr

After obtaining the PCSID, I use it to sign invoices for submission via the ZATCA APIs:

  • Compliance API: https://gw-fatoora.zatca.gov.sa/e-invoicing/simulation/compliance
  • Invoice Submission API: https://gw-fatoora.zatca.gov.sa/e-invoicing/simulation/compliance/invoices
  • Production CSID API: https://gw-fatoora.zatca.gov.sa/e-invoicing/simulation/production/csids
  • Reporting API: https://gw-fatoora.zatca.gov.sa/e-invoicing/simulation/invoices/reporting/single
  • Clearance API: https://gw-fatoora.zatca.gov.sa/e-invoicing/simulation/invoices/clearance/single

Issue:

Although invoice submission is successful (200 OK with status REPORTED/CLEARED), the ZATCA TestXML tool (https://sandbox.zatca.gov.sa/TestXML) shows SIGNATURE_ERROR:

  • X509IssuerName: wrong X509IssuerName
  • X509SerialNumber: wrong X509SerialNumber

The issuer and serial number in my signed invoice are:

<xades:IssuerSerial>
    <ds:X509IssuerName>CN=PEZEINVOICESCA2-CA, DC=extgazt, DC=gov, DC=local</ds:X509IssuerName>
    <ds:X509SerialNumber>413714254586909904798156159693914687090744894</ds:X509SerialNumber>
</xades:IssuerSerial>

Whereas the ZATCA SDK sample shows:

<xades:IssuerSerial>
    <ds:X509IssuerName>CN=PRZEINVOICESCA4-CA, DC=extgazt, DC=gov, DC=local</ds:X509IssuerName>
    <ds:X509SerialNumber>379112742831380471835263969587287663520528387</ds:X509SerialNumber>
</xades:IssuerSerial>

Questions:

  1. Is there an issue with my zatca.cnf file?
  2. If API responses show no errors, can I proceed with my certificate?
  3. Why does the TestXML tool flag this as an error?

Would appreciate any insights!

Dear @arjun_tech24

Thanks for reaching out & welcome to the community.

This error happens during the signing process.

You can follow the below steps to solve your problem:
1. After submitting the Certificate Signing Request (CSR) via the Compliance Request CSID API, you will receive a BinaryToken and a secret.
2. Decode the BinaryToken using a base64 decoder. The decoded value will be the X.509 certificate.
3. Navigate to the SDK directory: SDK/Data/Certificates/Cert.pem.
4. Replace the contents of the Cert.pem file with the X.509 certificate obtained from the decoded BinaryToken.
5. Insert the newly generated private key into the ec-secp256k1-priv-key.pem file.
6. If you use the Java SDK, run the following command: fatoora -sign -invoice "invoice.xml"
Otherwise, with the .NET SDK, run the following command: fatooranet sign -invoice "invoice.xml"
7. The invoice will now be signed and can be successfully submitted during the compliance checks phase via the Compliance Invoice API.

Do the same steps with the production CSID to sign and submit e-invoices to the reporting APIs.

Thanks

1 Like
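
Added example (not part of the posts above and not ZATCA SDK code): a standard-library Python check that reads the issuer and serial number out of the certificate placed in Cert.pem and compares them with the xades:IssuerSerial values in a signed invoice. The function names are hypothetical, the OID table is a small subset, and it assumes issuer values are plain 8-bit strings with no escaped characters.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#",
      "xades": "http://uri.etsi.org/01903/v1.3.2#"}
# DER-encoded attribute-type OIDs -> short names (subset, extend as needed)
OIDS = {"550403": "CN", "550406": "C", "55040a": "O", "55040b": "OU",
        "0992268993f22c640119": "DC"}

def tlvs(buf):
    """Split a DER buffer into its top-level (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long-form length: low 7 bits give the byte count
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def cert_issuer_serial(pem_or_b64):
    """Return (issuer DN, decimal serial) of a PEM or bare-base64 certificate."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem_or_b64))
    tbs = tlvs(tlvs(tlvs(der)[0][1])[0][1])  # Certificate -> TBSCertificate
    if tbs[0][0] == 0xA0:  # skip the optional [0] version field
        tbs = tbs[1:]
    serial = int.from_bytes(tbs[0][1], "big", signed=True)
    rdns = []
    for _, rdn in tlvs(tbs[2][1]):  # issuer Name: SEQUENCE OF SET OF SEQUENCE
        pairs = [tlvs(atv) for _, atv in tlvs(rdn)]
        rdns.append("+".join(OIDS.get(p[0][1].hex(), p[0][1].hex()) + "="
                             + p[1][1].decode() for p in pairs))
    return ", ".join(reversed(rdns)), str(serial)  # DN string reverses DER order

def invoice_issuer_serial(xml_text):
    """Return the (X509IssuerName, X509SerialNumber) text of a signed invoice."""
    node = ET.fromstring(xml_text).find(".//xades:IssuerSerial", NS)
    return tuple(node.findtext("ds:" + tag, namespaces=NS).strip()
                 for tag in ("X509IssuerName", "X509SerialNumber"))

def mismatches(pem_or_b64, xml_text):
    """List (field, value in invoice, value in certificate) for each difference."""
    cert, inv = cert_issuer_serial(pem_or_b64), invoice_issuer_serial(xml_text)
    canon = lambda dn: re.sub(r"\s*,\s*", ",", dn)  # ignore spacing at commas
    fields = [("X509IssuerName", canon(inv[0]), canon(cert[0])),
              ("X509SerialNumber", inv[1], cert[1])]
    return [f for f in fields if f[1] != f[2]]
```

Call `mismatches()` with the text of Cert.pem and the text of the signed invoice XML; an empty list means both fields agree with the certificate, and the serial is compared in decimal, as X509SerialNumber is written.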

Thank you for your response. However,

My Current Process:

  1. Signing Steps: I have followed the signing process exactly as outlined in the official ZATCA documentation. Since my ERP system runs on PHP (not Java or .NET), I have developed a custom PHP tool for signing invoices. This tool adheres to all the required steps for signing, including the use of the correct certificate and private key.
  2. CSR and Certificate: I generated the CSR using the zatca.cnf configuration file and obtained the compliance certificate (PCSID) successfully. The API responses during invoice submission (Compliance API, Reporting API, etc.) do not show any errors or warnings related to the certificate, issuer name, or serial number.
  3. TestXML Tool Issue: Despite successful API submissions (with responses like 200 OK and statuses like REPORTED or CLEARED), the ZATCA TestXML tool (Zatca) flags the following errors:
  • X509IssuerName: Wrong X509IssuerName
  • X509SerialNumber: Wrong X509SerialNumber

My Key Question:

  1. Should I rely on the API responses or the TestXML tool?
    If the APIs accept the invoices without errors, can I consider my process valid, even if the TestXML tool shows discrepancies in X509IssuerName and X509SerialNumber?

Dear @arjun_tech24

We are glad that you are not facing any issues with the process. However, as is most common, we highly recommend counting on the API responses.

Thank you.

1 Like

@saalotaibi
Thank you for your clarification and recommendation.