Resolving CSR Configuration Errors for ZATCA Submission

Message

Error in production: {"requestID":-2,"tokenType":null,"dispositionMessage":"NOT_COMPLIANT","binarySecurityToken":null,"errors":["unable to submit and sign the csr in zatca side, caused : Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: PREZATCA-Code-Signing.\r\n"]}

Solution:

The error occurs because ZATCA rejected the CSR (Certificate Signing Request) submission due to incorrect configuration data. This typically happens when transitioning between simulation and production environments without regenerating the CSR. The information in the CSR must be accurate and compliant with ZATCA's policy, and any misconfiguration leads to rejection. Failing to regenerate the CSR after an environment change or an update to the company details can trigger this issue.

To resolve the problem, it is essential to ensure that the CSR contains the correct information. The Common Name (CN) must be the company’s VAT number, and the Country (C) should be set to SA for Saudi Arabia. Additionally, verify that the Organization (O) and Organizational Unit (OU) fields are accurately filled based on the company’s official records. If any of these fields are missing or incorrect, the CSR becomes invalid. Proper configuration of these fields is crucial to gaining approval from ZATCA.

After confirming that the data is accurate, regenerate the CSR with the updated configuration details and submit the regenerated CSR to the ZATCA portal for approval. Also verify that your account has the necessary permissions to submit the CSR in production mode. Following these steps and complying with ZATCA's requirements resolves the CSR rejection.
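The field checks above can be run against a regenerated CSR before it is submitted. The following is an added example, not code from this article or from ZATCA: it assumes the subject line was printed with openssl req -in <csr file> -noout -subject -nameopt RFC2253, and that the template name and target environment are read from your own CSR configuration (check_csr, its parameters and the sample values are hypothetical).

```python
import re

# Certificate template named in the production rejection quoted in this article.
REJECTED_IN_PRODUCTION = "PREZATCA-Code-Signing"

def parse_subject(line):
    """Parse one RFC 2253 subject line into {ATTRIBUTE: [values]}."""
    dn = line.strip()
    if dn.lower().startswith("subject="):
        dn = dn[len("subject="):]
    fields = {}
    for rdn in re.split(r"(?<!\\),", dn):          # split on unescaped commas only
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            value = re.sub(r"\\(.)", r"\1", value.strip())   # undo \, style escapes
            fields.setdefault(key.strip().upper(), []).append(value)
    return fields

def check_csr(subject_line, vat_number, template_name, environment):
    """Return a list of problems; an empty list means the checks passed."""
    fields = parse_subject(subject_line)
    problems = []
    if fields.get("CN") != [vat_number]:
        problems.append("CN must be the company's VAT number")
    if fields.get("C") != ["SA"]:
        problems.append("C must be SA")
    for key in ("O", "OU"):
        if not any(v.strip() for v in fields.get(key, [])):
            problems.append(key + " is missing or empty")
    if environment == "production" and template_name == REJECTED_IN_PRODUCTION:
        problems.append("CSR still requests " + REJECTED_IN_PRODUCTION
                        + "; regenerate it for production")
    return problems

# Constructed sample data (not real company details).
GOOD = r"subject=CN=399999999900003,OU=Riyadh Branch,O=Example Trading Co\, Ltd,C=SA"
STALE = "subject=CN=Example Trading,O=Example Trading Co,C=sa"

if __name__ == "__main__":
    # The production template name here is a labelled placeholder, not a real value.
    for name, subject, template in (("good", GOOD, "PLACEHOLDER-PRODUCTION-TEMPLATE"),
                                    ("stale", STALE, REJECTED_IN_PRODUCTION)):
        print(name, check_csr(subject, "399999999900003", template, "production"))
```

An empty list means the subject fields match the requirements described above; any entries should be fixed in the CSR configuration before regenerating and resubmitting.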

To learn how to create a CSR, click here.