Zakat, Tax and Customs Authority (ZATCA) has announced phase II of e-invoicing in the Kingdom of Saudi Arabia (KSA). Also, it has published the process flow for onboarding a compliant e-invoice generation solution unit (EGS unit). Certificate Signing Request (CSR) is one of the mandatory requirements in the onboarding process.
This article explains all about CSR.
Latest Updates
CSR is required in the process of obtaining a Cryptographic Stamp Identifier (CSID) for a device/ EGS unit. CSID is used to uniquely identify an EGS unit associated with a taxpayer for the purpose of stamping (technically cryptographically signing) Simplified Invoices (B2C) and for accessing the Reporting and Clearance APIs.
A CSR includes information such as common name, organization, Value Added Tax (VAT) number, country, etc. The ZATCA Certificate Authority (CA) will use these details while creating a CSID. It also contains the public key that will be included in your CSID and is signed with the corresponding private key.
You must submit CSR from the EGS unit as part of the first-time onboarding of the device or during the renewal of a device. Your EGS unit must submit CSR to the e-invoicing platform after entering the OTP. The CSR is an encoded text that the EGS units submit to the e-invoicing platform and the ZATCA CA.
CSID links the EGS unit and a trusted third party such as ClearTax, which helps in confirming the seller’s identity and the respective EGS unit. However, a compliance CSID is used by the EGS to call the compliance APIs and perform compliance checks.
You have to specifically add the compliance CSID as a request header when calling the required APIs. The compliance CSID is generated by the e-invoicing platform and used only to ensure the compliance of the EGS units with ZATCA specifications.
As per the ZATCA‘s onboarding process, you must submit the CSR to get a compliance CSID.
The following are the inputs required for CSR:
Required Inputs | Description | Specification |
Common name | You have to provide either name or asset tracking number for the device/ EGS unit. | Free text |
EGS serial number | You have to submit the – Manufacturer/ EGS provider name – Model/version – Serial number You shall not fill the unique identification code of the EGS, but it shall be automatically filled. | Free text |
Organization identifier | You have to provide the VAT Registration number. t is important to verify whether the OTP is associated with it or not. | 15 digits, starting and ending with 3 |
Organization unit name | You must give the branch name. Also, in case you are a VAT group, you must provide the 10-digit TIN number of the individual group members whose EGS unit is being onboarded. | If the 11th digit of the organization identifier is not 1, then free text. If the 11th digit of the organization identifier is 1, then it needs to be a 10-digit number. |
Organization name | You shall mention your name or the organization’s name. | Free text |
Country name | You have to mention the country name. | Two-letter code (ISO 3166 Alpha-2) |
Invoice type(functionality map) | You shall mention the document type your EGS unit will issue/generate. It can be one or a combination of standard tax Invoices (T), simplified tax invoices (S), (X), or (Y). Also, the input should be using the digits 0 & 1 and mapping those to “TSXY,” where: 0 means False/not supported1 means True/supported (X) and (Y) are for future use, and the device should be set to 0 by default for the time being. For example, 1000 would mean the EGS unit will be generating standard tax invoices only, and 0100 would mean the EGS unit will be generating simplified tax invoices only.1100 means the EGS unit will generate both standard and simplified tax invoices | 4-digit binary number (It sh0s and1s only, cannot all be 0s) |
Location | You have to give the branch address or location where the device or EGS unit is primarily situated. This field could be a website address for an e-commerce business. | Free Text |
Industry | You have to provide the industry or sector for which the device or EGS unit generates the invoices. | Free Text |
All CSR fields are mandatory, and the input must follow the specification; otherwise, a CSR could be rejected.
Once the OTP has been entered into your EGS unit, either by the manual or automated process; the CSR process is initiated as per the below steps:
The following are the possible errors that can occur while submitting a CSR: