
I am getting CERTIFICATE_SIGNATURE_QRCODE_INVALID. Please let me know how to resolve this error. #1

Open
priteshqualitycode opened this issue Apr 24, 2024 · 11 comments

Comments

@priteshqualitycode

[0] => stdClass Object
(
[type] => ERROR
[code] => CERTIFICATE_SIGNATURE_QRCODE_INVALID
[category] => QRCODE_VALIDATION
[message] => certificate signature does not match with qr certificate signature value
[status] => ERROR
)

@sulaman0

Did you find any solution? @priteshqualitycode

@sulaman0

Hi @nadyshalaby,
I am trying with production URLs, and when I call the compliance/invoices API I get this error:

[code] => signed-properties-hashing
[category] => CERTIFICATE_ERRORS
[message] => Invalid signed properties hashing, SignedProperties with id='xadesSignedProperties'

By the way, it's working in the sandbox account.

@sulaman0

@priteshqualitycode do you have any idea?

@nadyshalaby
Owner

nadyshalaby commented Aug 22, 2024

Did you claim the real keys (private key and CSR) from ZATCA first, instead of generating fake ones each time?

// New Keys & CSR for the EGS
list($private_key, $csr) = $egs->generateNewKeysAndCSR('Qr');

If not, you should refer back to them to see if you are eligible for phase 2 or not and grab your own keys.

@sulaman0

sulaman0 commented Sep 1, 2024

Thank you for your response, @nadyshalaby.

No, I haven't obtained the PrivateKey and CSR from ZATCA. Instead, I generated my own and called the endpoint https://gw-fatoora.zatca.gov.sa/e-invoicing/core/compliance, which returned a Secret and BinarySecurityToken. However, the endpoint https://gw-fatoora.zatca.gov.sa/e-invoicing/core/compliance/invoices is returning...

[code] => signed-properties-hashing
[category] => CERTIFICATE_ERRORS
[message] => Invalid signed properties hashing, SignedProperties with id='xadesSignedProperties'

@mostafahosny138

@sulaman0
I have the same problem.
Did you solve this error?

[code] => signed-properties-hashing
[category] => CERTIFICATE_ERRORS
[message] => Invalid signed properties hashing, SignedProperties with id='xadesSignedProperties'

@nadyshalaby
Owner

When you go live with the ZATCA (Zakat, Tax and Customs Authority) Phase 2 requirements in Saudi Arabia, you'll need to obtain the Certificate Signing Request (CSR) and private key from a trusted Certificate Authority (CA) approved by ZATCA. Here's how you can obtain these:

  1. Certificate Authority (CA):

    • You need to choose an approved CA that ZATCA recognizes. Some of the commonly recognized CAs include DigiCert, Entrust, GlobalSign, etc.
    • You’ll typically go through a verification process with the CA, which may involve providing your business documents and other identification details.
  2. Generating CSR and Private Key:

    • You can generate the CSR and private key yourself using tools like OpenSSL, Keytool, or through a portal provided by the CA.
    • When generating the CSR, you’ll need to include specific information like your business name, address, and the domain you’re securing.
    • The private key should be securely stored as it is not shared with the CA; only the CSR is submitted.
  3. Obtaining the Certificates:

    • Once your CSR is submitted and validated by the CA, they will issue your digital certificate.
    • The CA will provide you with the public certificate that corresponds to your private key. This certificate is what you will use to sign your e-invoices as per ZATCA’s guidelines.
  4. Storing and Managing Keys:

    • Once you have the private key and certificate, ensure that they are securely stored, preferably in a hardware security module (HSM) or a secure key management system.
    • The private key should be protected because if it is compromised, your digital signature can be misused.
  5. Integration with Your System:

    • Finally, integrate the private key and certificate with your invoicing software, ensuring it meets ZATCA’s requirements for secure and compliant electronic invoicing.

If you need further assistance with this process or require a more detailed guide on integrating the keys into your invoicing system, feel free to ask!

@nadyshalaby
Owner

Let's walk through an example of how to obtain and use a CSR (Certificate Signing Request) and private key for ZATCA Phase 2, assuming you're preparing to go live.

Step 1: Generate a CSR and Private Key

Suppose you're using OpenSSL, a popular tool for generating CSR and private keys. Here’s how you can do it:

1.1. Generate a Private Key

openssl genpkey -algorithm RSA -out privatekey.pem -pkeyopt rsa_keygen_bits:2048
  • This command generates a 2048-bit RSA private key and saves it in a file called privatekey.pem.

1.2. Generate a CSR

openssl req -new -key privatekey.pem -out request.csr
  • This command generates a CSR based on your private key and saves it in a file called request.csr.
  • You’ll be prompted to enter information such as your country, organization name, common name (usually your domain), etc.

Example of the information you might enter:

Country Name (2 letter code) [AU]:SA
State or Province Name (full name) [Some-State]:Riyadh
Locality Name (eg, city) []:Riyadh
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company Name
Organizational Unit Name (eg, section) []:IT Department
Common Name (e.g. server FQDN or YOUR name) []:invoices.yourcompany.com
Email Address []:info@yourcompany.com

Step 2: Submit the CSR to a Certificate Authority (CA)

2.1. Choose a Trusted CA

  • Choose a CA that is recognized by ZATCA (e.g., DigiCert, Entrust, GlobalSign).

2.2. Submit the CSR

  • Most CAs have an online portal where you can submit your CSR file (request.csr).
  • The CA will verify your details, which may involve some validation steps such as providing business registration documents.

Step 3: Obtain the Certificate from the CA

  • After the CA has validated your request, they will issue a digital certificate.
  • This certificate will be a .crt or .cer file that matches your CSR.
  • Download this certificate and store it securely along with your private key (privatekey.pem).

Step 4: Use the Certificate and Private Key in Your Invoicing System

Suppose you’re integrating these into a system that will sign electronic invoices before submission to ZATCA.

4.1. Secure Storage

  • Store your privatekey.pem in a secure environment, such as a hardware security module (HSM) or a key management service.
  • Your certificate should also be stored securely, typically alongside the private key but protected against unauthorized access.

4.2. Integrate with Invoicing Software

  • Update your invoicing software configuration to use the certificate and private key for signing the invoices.
  • Here’s an example of how this might look in a configuration file:
{
  "invoice_signing_key": "/path/to/privatekey.pem",
  "certificate": "/path/to/certificate.crt",
  "invoice_endpoint": "https://api.zatca.gov.sa/einvoice"
}

4.3. Sign the Invoice

  • When you create an invoice, your software will use the private key to sign it digitally.
  • The signed invoice is then sent to ZATCA’s API for compliance checks and storage.

Example Workflow in Code (Pseudo-code)

from cryptography.hazmat.primitives import serialization, hashes
from cryptography.hazmat.primitives.asymmetric import padding
import base64


def send_to_zatca(invoice_data, signature, certificate):
    # Placeholder for the submission step (not a real ZATCA client): it only
    # assembles the payload that a real integration would POST to ZATCA's API.
    return {
        "invoice": invoice_data.decode("utf-8"),
        "signature": base64.b64encode(signature).decode("ascii"),
        "certificate": base64.b64encode(certificate).decode("ascii"),
    }


# Load private key (the RSA key generated with openssl genpkey above)
with open("privatekey.pem", "rb") as key_file:
    private_key = serialization.load_pem_private_key(
        key_file.read(),
        password=None,  # supply the passphrase here if the key file is encrypted
    )

# Load your certificate
with open("certificate.crt", "rb") as cert_file:
    certificate = cert_file.read()

# Sample data to sign (an invoice)
invoice_data = b"Invoice #12345, Amount: 1000 SAR"

# Sign the invoice data: RSA PKCS#1 v1.5 padding over a SHA-256 digest
signature = private_key.sign(
    invoice_data,
    padding.PKCS1v15(),
    hashes.SHA256()
)

# Attach the signature to the invoice and send to ZATCA
send_to_zatca(invoice_data, signature, certificate)

In this example, your invoice data is signed using your private key, ensuring its authenticity and integrity. The signed invoice, along with your certificate, is then sent to ZATCA.

Step 5: Going Live

  • When you're ready to go live, replace any test or self-signed certificates with the actual certificate issued by the CA.
  • Ensure that your private key and certificate are correctly integrated and that your invoices are being signed and sent to ZATCA according to the regulations.

@nadyshalaby nadyshalaby pinned this issue Sep 12, 2024
@mostafahosny138

Hello @nadyshalaby,
I went with https://cert4sign.com/
and got all these files:

  • csr
  • private_key
  • public_key
  • Certificate.cer
  • CSID
  • PCSID

I downloaded all these files after registering on cert4sign.com as simulation and used these files in the project,
but I still have a problem when I call the simulation portal to check the invoice:

https://gw-fatoora.zatca.gov.sa/e-invoicing/simulation/compliance/invoices

These are the warningMessages:

"warningMessages": [
{
"type": "WARNING",
"code": "certificate-issuer-name",
"category": "CERTIFICATE_ERRORS",
"message": "X509Certificate (CCSID / PCSID) used for signing is not valid certificate (CCSID / PCSID) for this VAT Registration Number.",
"status": "WARNING"
}
],

These are the errorMessages:

"errorMessages": [
{
"type": "ERROR",
"code": "signed-properties-hashing",
"category": "CERTIFICATE_ERRORS",
"message": "Invalid signed properties hashing, SignedProperties with id='xadesSignedProperties'",
"status": "ERROR"
}
],


@mostafahosny138

I want to mention that when I submit a Standard invoice everything is OK,
but the problem and these errors occur now with a Simplified invoice.

@nadyshalaby
Owner

It looks like you're facing two key issues with your certificate and signature validation when interacting with the ZATCA simulation portal. Let's break down the problems and possible solutions:

1. Warning: "certificate-issuer-name"

  • Message: "X509Certificate (CCSID / PCSID) used for signing is not valid certificate (CCSID / PCSID) for this VAT Registration Number."
  • Cause: This warning is indicating that the certificate issuer (CCSID/PCSID) doesn’t match the expected certificate issuer for your VAT registration number. It suggests a mismatch between the certificate used for signing and the VAT registration number associated with it.

Possible Solutions:

  • Check VAT Registration Number: Ensure that the VAT registration number registered with cert4sign.com matches the one being used in your invoices.
  • Verify the Certificate: Double-check if the certificate you received from cert4sign.com is valid and tied to your specific VAT number. It’s possible that the certificate was issued for a different VAT number or has issues with the issuer details.
  • Issuer Mismatch: The certificate might have been issued by an issuer that ZATCA doesn't fully recognize or was improperly generated.

You may need to contact cert4sign.com or ZATCA for further clarification on why the certificate's issuer information is being flagged.

2. Error: "signed-properties-hashing"

  • Message: "Invalid signed properties hashing, SignedProperties with id='xadesSignedProperties'"
  • Cause: This error relates to the XAdES (XML Advanced Electronic Signatures) signed properties. Specifically, the hashing of the signed properties seems to be invalid, meaning that when the hash of the signed data is computed, it does not match what ZATCA expects.

Possible Solutions:

  • Check the XAdES Signing Process: Ensure that the XAdES signature generation in your system is correctly implemented. This involves proper hashing of the signed properties according to the ZATCA guidelines. The SignedProperties element, which contains metadata like timestamps and certificate references, needs to be properly included in the signature and correctly hashed.
  • Validate the Hashing Algorithm: Verify that the hashing algorithm you're using for signing matches the one required by ZATCA. They typically use SHA-256 for hashing.
  • Ensure Proper ID Referencing: The error mentions SignedProperties with id='xadesSignedProperties'. Make sure that this ID is correctly referenced in your signature and that it is properly hashed and included in the signed document.

Steps to Debug:

  1. Double-check the CSR and Certificate Details:

    • Ensure the VAT registration number and other details are correctly provided during certificate issuance.
    • Make sure the right certificates are used when signing the invoice.
  2. Review the Signing Process:

    • Inspect your XAdES signature generation code to ensure it follows ZATCA’s e-invoicing guidelines.
    • Validate the signature with an external tool to confirm that the SignedProperties element is correctly hashed and signed.
  3. ZATCA Compliance Guidelines:

    • Review the latest ZATCA e-Invoicing Guidelines to ensure that your system is following all compliance rules, especially in terms of hashing and signing with XAdES.

If the problem persists, you may need to reach out to cert4sign.com or ZATCA for more specific troubleshooting based on the error codes you're receiving.
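The "signed-properties-hashing" error discussed above, and the debugging step "confirm that the SignedProperties element is correctly hashed", come down to one check: the ds:DigestValue of the reference that points at #xadesSignedProperties must equal the SHA-256 of the canonicalized SignedProperties bytes, computed exactly as the verifier canonicalizes them. The following is an added example, not code from this repository or from any comment in the thread. It recomputes that digest for a constructed SignedProperties fragment and shows the two ways it typically goes wrong: hashing the raw serialized text instead of the canonical form, and re-serializing the element (here, pretty-printing it) after the digest was taken. It assumes Python's standard-library C14N 2.0 (xml.etree.ElementTree.canonicalize) as the canonicalization; a real signature names its own algorithm in ds:CanonicalizationMethod / ds:Transform, and a check against a real invoice must use that algorithm. The SigningTime and certificate digest values are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample (not a real ZATCA invoice): a minimal XAdES-style
# SignedProperties element as a signing library would embed it inside
# ds:Object and reference with URI="#xadesSignedProperties".
COMPACT = (
    '<xades:SignedProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="xadesSignedProperties">'
    '<xades:SignedSignatureProperties>'
    '<xades:SigningTime>2024-09-12T10:00:00Z</xades:SigningTime>'
    '<xades:SigningCertificate><xades:Cert><xades:CertDigest>'
    '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
    '<ds:DigestValue>Y29uc3RydWN0ZWQtY2VydC1kaWdlc3Q=</ds:DigestValue>'  # placeholder
    '</xades:CertDigest></xades:Cert></xades:SigningCertificate>'
    '</xades:SignedSignatureProperties>'
    '</xades:SignedProperties>'
)

# The same element with the same information but a different serialization:
# attributes and namespace declarations in another order and an explicit
# close tag instead of a self-closing one. Canonicalization must erase these
# differences, so its digest must match COMPACT's.
REORDERED = (
    '<xades:SignedProperties Id="xadesSignedProperties" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
    'xmlns:xades="http://uri.etsi.org/01903/v1.3.2#">'
    '<xades:SignedSignatureProperties>'
    '<xades:SigningTime>2024-09-12T10:00:00Z</xades:SigningTime>'
    '<xades:SigningCertificate><xades:Cert><xades:CertDigest>'
    '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>'
    '<ds:DigestValue>Y29uc3RydWN0ZWQtY2VydC1kaWdlc3Q=</ds:DigestValue>'
    '</xades:CertDigest></xades:Cert></xades:SigningCertificate>'
    '</xades:SignedSignatureProperties>'
    '</xades:SignedProperties>'
)

# Pretty-printing inserts whitespace text nodes between elements. Those nodes
# are part of the canonical form, so this is a different document to a verifier.
PRETTY_PRINTED = COMPACT.replace("><", ">\n<")


def b64_sha256(data: bytes) -> str:
    """base64(SHA-256(data)), the encoding used for ds:DigestValue."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def signed_properties_digest(xml_text: str) -> str:
    """Digest a verifier computes: canonicalize the element first, then hash.
    Assumption: stdlib C14N 2.0 stands in for the algorithm named in the signature."""
    canonical = ET.canonicalize(xml_text)
    return b64_sha256(canonical.encode("utf-8"))


def raw_digest(xml_text: str) -> str:
    """What a naive signer does: hash the serialized text without canonicalizing."""
    return b64_sha256(xml_text.encode("utf-8"))


def check_signed_properties_reference(xml_text: str, claimed_digest_value: str) -> bool:
    """Recompute the digest for the SignedProperties element actually present in
    the signed document and compare it with the DigestValue the signature claims."""
    return signed_properties_digest(xml_text) == claimed_digest_value


def demo() -> dict:
    # The signer computed this value and placed it in the ds:Reference for
    # #xadesSignedProperties.
    claimed = signed_properties_digest(COMPACT)
    return {
        # Same canonical form, so the reference validates.
        "reordered_matches": check_signed_properties_reference(REORDERED, claimed),
        # Hashing the raw text instead of the canonical form does not validate.
        "raw_hash_of_reordered_matches": raw_digest(REORDERED) == claimed,
        # Re-serializing the element after hashing changes the canonical bytes.
        "pretty_printed_matches": check_signed_properties_reference(PRETTY_PRINTED, claimed),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Run it against the SignedProperties element extracted from the exact XML bytes that were submitted, with the canonicalization algorithm the signature declares, and compare with the DigestValue in the corresponding ds:Reference: a mismatch that disappears when you hash the bytes your signing code saw points at a re-serialization step (pretty-printing, a DOM round-trip, a template engine) between digesting and submitting.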
