I am working on integrating with a government platform, and they asked me to create a CSR (Certificate Signing Request) with certain configurations.
These are the configurations:
oid_section = OIDs
[ OIDs ]
certificateTemplateName= 1.3.6.1.4.1.311.20.2
[ req ]
default_bits = 2048
emailAddress = [email protected]
req_extensions = v3_req
x509_extensions = v3_ca
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=SA
OU=free text
O=free text
CN=free text
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
[req_ext]
certificateTemplateName = ASN1:PRINTABLESTRING:PREZATCA-Code-Signing
subjectAltName = dirName:alt_names
[alt_names]
SN=1-ShaEk|2-ShaEk|3-ShaEk
UID=311190293700003
title=1100
registeredAddress=jazan
businessCategory=Tech
I am creating the CSR using Python, and it kept failing, but now I have done everything successfully except the part below:
certificateTemplateName = ASN1:PRINTABLESTRING:PREZATCA-Code-Signing
I tried to add it, but it always gives me an error when I send the CSR to the platform.
This is my code:
from cryptography import x509
from cryptography.x509.oid import NameOID, ObjectIdentifier
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding, PrivateFormat, NoEncryption, PublicFormat

# secp256k1 key pair, matching the openssl ecparam command below
private_key = ec.generate_private_key(ec.SECP256K1())
public_key = private_key.public_key()

# OIDs of the attributes used inside the subjectAltName dirName
OID_SERIAL_NUMBER = ObjectIdentifier("2.5.4.4")
OID_USER_ID = ObjectIdentifier("0.9.2342.19200300.100.1.1")
OID_TITLE = ObjectIdentifier("2.5.4.12")
OID_REGISTERED_ADDRESS = ObjectIdentifier("2.5.4.26")
OID_BUSINESS_CATEGORY = ObjectIdentifier("2.5.4.15")
# certificateTemplateName OID (defined but not yet attached to the CSR)
OID_CUSTOM_EXTENSION = ObjectIdentifier("1.3.6.1.4.1.311.20.2")

csr_builder = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, u"SA"),
    x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u"free text"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"free text"),
    x509.NameAttribute(NameOID.COMMON_NAME, u"free text"),
])).add_extension(
    x509.SubjectAlternativeName([
        x509.DirectoryName(x509.Name([
            x509.NameAttribute(OID_SERIAL_NUMBER, u"1-ShaEk|2-ShaEk|3-ShaEk"),
            x509.NameAttribute(OID_USER_ID, u"311190293700003"),
            x509.NameAttribute(OID_TITLE, u"1100"),
            x509.NameAttribute(OID_REGISTERED_ADDRESS, u"jazan"),
            x509.NameAttribute(OID_BUSINESS_CATEGORY, u"Tech"),
        ]))
    ]),
    critical=False,
)

csr = csr_builder.sign(private_key, hashes.SHA256())
with open("taxpayer.csr", "wb") as f:
    f.write(csr.public_bytes(Encoding.PEM))
And this is the error that appears when I send the CSR:
unable to submit and sign the csr in zatca side, caused : Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.
It passes when I create the CSR using the OpenSSL application:
- I create the private key using this command:
openssl ecparam -name secp256k1 -genkey -noout -out PrivateKey.pem
- Then I create the CSR using this command:
openssl req -new -sha256 -key PrivateKey.pem -extensions v3_req -config Configuration.cnf -out taxpayer.csr
The Configuration.cnf file contains the configuration shown at the top.
This works and it passes, but I do not want to do it using the application; I want to do it using Python.
Now, how can I solve this issue?
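The error text is the CA's policy module reporting that the request carries neither a certificate template extension nor a CertificateTemplate request attribute (0x80094801 is CERTSRV_E_NO_CERT_TYPE in Microsoft AD CS), which is exactly the line the Python version leaves out. The following is an added example, not the question author's code and not ZATCA's: it builds the same CSR and also attaches OID 1.3.6.1.4.1.311.20.2 with a hand-encoded DER PrintableString, which is what the OpenSSL line `certificateTemplateName = ASN1:PRINTABLESTRING:PREZATCA-Code-Signing` produces. `cryptography` has no dedicated class for that OID, so the raw DER goes in through `x509.UnrecognizedExtension`. The helper names (`der_printable_string`, `generate_key`, `build_csr`, `template_name_from_csr`) are my own, and the assumption is that the platform accepts exactly the encoding the OpenSSL config emits.

```python
# Added example (not the question author's code): CSR with the
# certificateTemplateName extension that the policy module reported missing.
from cryptography import x509
from cryptography.x509.oid import NameOID, ObjectIdentifier
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import (
    Encoding, NoEncryption, PrivateFormat,
)

# Microsoft szOID_ENROLL_CERTTYPE_EXTENSION; OpenSSL prints it as certificateTemplateName.
OID_CERTIFICATE_TEMPLATE_NAME = ObjectIdentifier("1.3.6.1.4.1.311.20.2")
# Attributes carried inside the subjectAltName dirName (same OIDs as the question).
OID_SERIAL_NUMBER = ObjectIdentifier("2.5.4.4")
OID_USER_ID = ObjectIdentifier("0.9.2342.19200300.100.1.1")
OID_TITLE = ObjectIdentifier("2.5.4.12")
OID_REGISTERED_ADDRESS = ObjectIdentifier("2.5.4.26")
OID_BUSINESS_CATEGORY = ObjectIdentifier("2.5.4.15")

# Characters X.680 permits inside a PrintableString.
_PRINTABLE = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
)


def der_printable_string(text):
    """DER-encode text as an ASN.1 PrintableString: tag 0x13, length, bytes."""
    if not set(text) <= _PRINTABLE:
        raise ValueError("not representable as PrintableString: %r" % text)
    body = text.encode("ascii")
    n = len(body)
    if n < 0x80:
        length = bytes([n])                        # short-form length
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb      # long-form length
    return b"\x13" + length + body


def generate_key():
    """secp256k1 key, as in the question's openssl ecparam command."""
    return ec.generate_private_key(ec.SECP256K1())


def build_csr(private_key, template_name="PREZATCA-Code-Signing"):
    """CSR with the subject, the dirName SAN and the certificateTemplateName extension."""
    subject = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "SA"),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "free text"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "free text"),
        x509.NameAttribute(NameOID.COMMON_NAME, "free text"),
    ])
    alt_names = x509.Name([
        x509.NameAttribute(OID_SERIAL_NUMBER, "1-ShaEk|2-ShaEk|3-ShaEk"),
        x509.NameAttribute(OID_USER_ID, "311190293700003"),
        x509.NameAttribute(OID_TITLE, "1100"),
        x509.NameAttribute(OID_REGISTERED_ADDRESS, "jazan"),
        x509.NameAttribute(OID_BUSINESS_CATEGORY, "Tech"),
    ])
    builder = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(subject)
        .add_extension(
            x509.SubjectAlternativeName([x509.DirectoryName(alt_names)]),
            critical=False,
        )
        # The missing extension: UnrecognizedExtension takes the value as raw DER.
        .add_extension(
            x509.UnrecognizedExtension(
                OID_CERTIFICATE_TEMPLATE_NAME, der_printable_string(template_name)
            ),
            critical=False,
        )
    )
    return builder.sign(private_key, hashes.SHA256())


def template_name_from_csr(csr):
    """Read certificateTemplateName back out of a CSR (None if absent)."""
    try:
        ext = csr.extensions.get_extension_for_oid(OID_CERTIFICATE_TEMPLATE_NAME)
    except x509.ExtensionNotFound:
        return None
    raw = ext.value.value                          # UnrecognizedExtension -> DER bytes
    if len(raw) < 2 or raw[0] != 0x13 or raw[1] & 0x80 or len(raw) != 2 + raw[1]:
        raise ValueError("certificateTemplateName is not a short-form PrintableString")
    return raw[2:].decode("ascii")


if __name__ == "__main__":
    key = generate_key()
    csr = build_csr(key)
    with open("PrivateKey.pem", "wb") as f:
        f.write(key.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption()))
    with open("taxpayer.csr", "wb") as f:
        f.write(csr.public_bytes(Encoding.PEM))
    print("template:", template_name_from_csr(csr), "signature valid:", csr.is_signature_valid)
```

Running the script writes PrivateKey.pem and taxpayer.csr; `openssl req -in taxpayer.csr -noout -text` should then list `1.3.6.1.4.1.311.20.2:` with the template name under the requested extensions, which is the check worth doing before submitting. Note that the OpenSSL CSR made with `-extensions v3_req` may also carry the basicConstraints and keyUsage entries from that section, so compare the two CSRs with the same command and add those extensions too if the platform's accepted request contains them.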