Obtaining a Certificate Signing Request, Private Key, and Compliance Binary Security Token

This topic outlines how to obtain a Certificate Signing Request (CSR), private key, and Compliance Binary Security Token. This involves creating a plain text file and executing OpenSSL commands. To install OpenSSL, go to https://slproweb.com/products/Win32OpenSSL.html and download OpenSSL v3.0.13.

To obtain a CSR, private key, and compliance binary security token:

  1. Log in to NetSuite. Create a new Saudi Arabia E-Invoicing Configuration record by navigating to Setup > Saudi Arabia Localization > Saudi Arabia E-Invoicing Configuration. Click New Saudi Arabia E-Invoicing.

  2. Optionally, check Connect to Simulation Portal to use this record for testing purposes. This connects the record to the Fatoora Simulation Portal (FSP). For example, sandbox accounts should use this option.

    Important:

    If the Connect to Simulation Portal option is selected, it cannot be changed for this record later. Attempting to change it results in an error. To connect to the official Fatoora portal for invoice certification, inactivate the record and create a new record without the Connect to Simulation Portal option selected.

  3. Create a plain text configuration file. The file should be in the following format.

    oid_section = OIDs
    # Names the custom OID that [req_ext] sets below
    [OIDs]
    certificateTemplateName = 1.3.6.1.4.1.311.20.2
    [req]
    default_bits = 2048
    emailAddress = [Update as per step 4]
    req_extensions = v3_req
    x509_extensions = v3_ca
    prompt = no
    default_md = sha256
    req_extensions = req_ext
    distinguished_name = dn
    # Subject fields of the CSR
    [dn]
    C=SA
    OU=[Update as per step 4]
    O=[Update as per step 4]
    CN=[Update as per step 4]
    [v3_req]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment
    # certificateTemplateName selects the Fatoora portal; see step 4
    [req_ext]
    certificateTemplateName = ASN1:PRINTABLESTRING:ZATCA-Code-Signing
    subjectAltName = dirName:alt_names
    # Taxpayer and solution unit identifiers carried in subjectAltName
    [alt_names]
    SN=[Update as per step 4]
    UID=[Update as per step 4]
    title=1100
    registeredAddress=[Update as per step 4]
    businessCategory=[Update as per step 4]

  4. Update the following values.

    Code: emailAddress
    Description: The email address of the taxpayer.
    Ex: email@example.com

    Code: OU
    Description: The name of the organization unit. For normal taxpayers, the value is free text. For VAT groups, which are identified by the eleventh digit of the organization identifier being "1", the value must be a 10-digit Tax Identification Number (TIN).

    Code: O
    Description: The name of the organization or taxpayer.
    Ex: Oracle NetSuite

    Code: CN
    Description: The unique name of the solution or unit.
    Ex: Oracle NetSuite Fusion EGS Unit

    Code: certificateTemplateName (second instance)
    Description: This value determines which portal the NetSuite configuration record is connected to.
    • For Fatoora production, use ASN1:PRINTABLESTRING:ZATCA-Code-Signing
    • For Fatoora Simulation Portal, use ASN1:PRINTABLESTRING:PREZATCA-Code-Signing

    Code: SN
    Description: The unique identification code for the solution. This is the manufacturer serial number for each solution unit, in the form 1-Manufacturer or Solution Provider Name|2-Model or Version|3-SerialNumber.
    Ex: 1-ferrariworld|2-oracleNetsuite|3-12345678

    Code: UID
    Description: The VAT registration number of the taxpayer. Fifteen digits, beginning with "3" and ending with "3".
    Ex: 312345678901233

    Code: registeredAddress
    Description: The primary address of the device.
    Ex: Oracle NetSuite, Riyadh, SA-123456

    Code: businessCategory
    Description: The primary industry the device will generate invoices for.
    Ex: Finance

  5. Save this file with the name csr_config.txt in the same location where OpenSSL commands will be executed.

  6. Run the following command to generate a private key. A privateKey.pem file will be created.

    openssl ecparam -name prime256v1 -genkey -noout -out privateKey.pem

  7. Copy the contents of the privateKey.pem file and paste it into the Private Key field in the Saudi Arabia E-Invoicing Configuration record.

  8. Run the following command to generate a CSR in the same directory where you created the csr_config.txt file. A taxpayer.csr file will be created.

    openssl req -new -sha256 -key privateKey.pem -extensions v3_req -config csr_config.txt -out taxpayer.csr

  9. Copy the contents of the taxpayer.csr file and paste it into the Certificate Signing Request (CSR) field in the Saudi Arabia E-Invoicing Configuration record.

  10. In the Saudi Arabian Taxation Portal (ERAD), go to the Onboarding and Management Portal and generate one-time passcodes (OTPs). The number of OTPs depends on the number of e-invoicing generation units (devices) that you will use. OTP generation differs for Fatoora Production and Simulation Portal. For more information about generating OTPs, see the Fatoora Portal User Manual.

    Important:

    OTP codes obtained from the ERAD Onboarding and Management Portal expire after one hour. Please complete the process within this timeframe.

  11. Copy the generated OTP codes to the OTP field on the Saudi Arabia E-Invoicing Configuration record.

  12. Click Save.

  13. Click Next. The Compliance Binary Security Token and Compliance Secret are received and saved in the Compliance Binary Security Token and Compliance Secret fields on the configuration record.

    Note:

    This process may take several minutes to complete. Do not refresh the page.

  14. Delete the privateKey.pem and taxpayer.csr files after copying the contents to the Saudi Arabia E-Invoicing Configuration record.
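
A pre-flight check for the csr_config.txt built in steps 3 to 5, given here as an added example that is not part of the original topic or of NetSuite's tooling. It applies the value rules listed in step 4 before the CSR is generated. The function names, the `portal` argument and the sample text are assumptions, and the VAT-group check assumes the "organization identifier" is the UID value.

```python
import re

PLACEHOLDER = "[Update as per step 4]"
TEMPLATES = {"production": "ASN1:PRINTABLESTRING:ZATCA-Code-Signing",
             "simulation": "ASN1:PRINTABLESTRING:PREZATCA-Code-Signing"}

def parse_conf(text):
    """Parse csr_config.txt into {(section, key): value}; a repeated key keeps its last value."""
    conf, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            conf[section, key.strip()] = value.strip()
    return conf

def lint_csr_config(text, portal):
    """Return the problems found for the given portal ("production" or "simulation")."""
    conf = parse_conf(text)
    get = lambda section, key: conf.get((section, key), "")
    problems = [f"[{s}] {k}: placeholder not replaced"
                for (s, k), v in conf.items() if PLACEHOLDER in v]
    uid = get("alt_names", "UID")
    if not re.fullmatch(r"3\d{13}3", uid):
        problems.append("[alt_names] UID must be 15 digits, starting and ending with 3")
    # Assumption: the "organization identifier" in the OU rule is the UID value.
    elif uid[10] == "1" and not re.fullmatch(r"\d{10}", get("dn", "OU")):
        problems.append("[dn] OU must be a 10-digit TIN for a VAT group")
    if not re.fullmatch(r"1-[^|]+\|2-[^|]+\|3-[^|]+", get("alt_names", "SN")):
        problems.append("[alt_names] SN must be 1-<provider>|2-<model>|3-<serial>")
    if get("req_ext", "certificateTemplateName") != TEMPLATES[portal]:
        problems.append(f"[req_ext] certificateTemplateName is not the {portal} value")
    return problems

# Constructed sample (values from the "Ex:" entries in step 4), with one placeholder left in.
SAMPLE = """\
[dn]
C=SA
OU=[Update as per step 4]
[req_ext]
certificateTemplateName = ASN1:PRINTABLESTRING:PREZATCA-Code-Signing
[alt_names]
SN=1-ferrariworld|2-oracleNetsuite|3-12345678
UID=312345678901233
"""

print("\n".join(lint_csr_config(SAMPLE, "production")))
```

An empty list means every check passed for the chosen portal.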

Continue the setup by performing a compliance check.
