errorbusinessPLksef

KSEF-21115:KSeF error 21115 — invalid authentication certificate

Fix: Treat this as a credentials/configuration fix, not an invoice fix. Verify which certificate is loaded in the KSeF integration settings and confirm it is a current KSeF 2.0 authentication certificate — not MCU-generated, not KSeF 1.0, not an offline-type certificate. Confirm the environment matches (Demo cert → Demo endpoint, Production cert → Production). If the certificate is the wrong type or origin, generate a new authentication certificate and re-upload it. As an alternative you can authenticate with a qualified electronic signature or trusted profile (profil zaufany), or grant token-based permissions to the integrating service. This cannot be auto-fixed from invoice data, so Invoice Navigator surfaces 21115 to the integrator with the likely cause. Provide the required value in the free validator.

KSEF-21115 ("Nieprawidłowy certyfikat" / invalid certificate) is a gateway error returned during authentication, before any invoice is processed. The KSeF 2.0 API rejected the certificate presented to establish the session, so the connection is never authorised and no document reaches schema or business validation. It is an integration/credential problem, not a fault in the invoice XML — the same certificate fails for every document until it is corrected.

Severity
Fatal
Rule set
ksef
Country
PL
Fix type
INPUT REQUIRED
Confidence
30%

Engine Classification

Business data required · Explicit input workflow · No assumptions made

What is KSEF-21115?

KSEF-21115 is a fatal validation rule defined in the ksef specification (PL national rules). It validates the On KSeF 2.0 the most common driver is presenting a certificate that is not a valid authentication certificate for the current platform. Causes: (1) a certificate generated in the old User Certificate Manager (MCU) — KSeF 2.0 consistently rejects MCU certificates with 21115; (2) a certificate from the previous KSeF 1.0 architecture, not supported in 2.0; (3) the wrong certificate type in the authorisation form, e.g. a KSeF offline-type certificate used for authentication instead of the dedicated authentication certificate; (4) an environment mismatch, where a Demo certificate is used against Production (or vice versa). The rejection happens at the authentication handshake, so it relates to the session, not a specific invoice. element in the UBL invoice XML.

When this rule fires, the invoice is rejected by Peppol access points and never reaches the buyer.

Target path: On KSeF 2.0 the most common driver is presenting a certificate that is not a valid authentication certificate for the current platform. Causes: (1) a certificate generated in the old User Certificate Manager (MCU) — KSeF 2.0 consistently rejects MCU certificates with 21115; (2) a certificate from the previous KSeF 1.0 architecture, not supported in 2.0; (3) the wrong certificate type in the authorisation form, e.g. a KSeF offline-type certificate used for authentication instead of the dedicated authentication certificate; (4) an environment mismatch, where a Demo certificate is used against Production (or vice versa). The rejection happens at the authentication handshake, so it relates to the session, not a specific invoice.

Fix this error

Why This Error Matters

KSeF 2.0 authentication must succeed before any invoice is sent. A rejected certificate halts the entire integration — every document fails until the credential is fixed.

KSEF-21115 is a hard failure — the invoice must be corrected and re-sent before it can reach the recipient.

Validator Behavior

  • ·Causes invoice rejection
  • ·Error returned: KSEF-21115
  • ·Specification: ksef

Before / After

Failing XML
Authentication request signed with an MCU / KSeF 1.0 certificate
→ KSeF 2.0 responds: 21115 "Nieprawidłowy certyfikat"
Corrected XML
Authentication request signed with a current KSeF 2.0 authentication certificate
(correct environment: Demo cert → Demo, Prod cert → Prod)
→ session authorised, invoices proceed to validation

Technical Reference

XPathOn KSeF 2.0 the most common driver is presenting a certificate that is not a valid authentication certificate for the current platform. Causes: (1) a certificate generated in the old User Certificate Manager (MCU) — KSeF 2.0 consistently rejects MCU certificates with 21115; (2) a certificate from the previous KSeF 1.0 architecture, not supported in 2.0; (3) the wrong certificate type in the authorisation form, e.g. a KSeF offline-type certificate used for authentication instead of the dedicated authentication certificate; (4) an environment mismatch, where a Demo certificate is used against Production (or vice versa). The rejection happens at the authentication handshake, so it relates to the session, not a specific invoice.
Specksef

Code Example

21115 is resolved by swapping the credential, not by changing the invoice. Authenticate with a valid KSeF 2.0 authentication certificate (or a qualified signature / trusted profile) against the matching environment.

Common Causes

  • ·An MCU or KSeF 1.0 certificate, an offline-type certificate used for authentication, or a Demo/Production environment mismatch.

Seeing this in production? The API handles KSEF-21115 automatically. See the fix response →

Frequently Asked Questions

No. 21115 happens at authentication, before the invoice is read. The session credential was rejected, so the same certificate fails for every document until it is replaced.

Certificates generated in the old User Certificate Manager (MCU) and certificates from the KSeF 1.0 architecture are not accepted for authentication in KSeF 2.0. You need a current KSeF 2.0 authentication certificate.

An offline-type KSeF certificate is not the authentication certificate. Authentication requires the dedicated authentication certificate; uploading the offline certificate into the auth form returns 21115.

Yes. A Demo/test certificate used against Production (or the reverse) is a frequent cause. Make sure the certificate and the endpoint belong to the same environment.

Yes — you can authenticate with a qualified electronic signature or a trusted profile (profil zaufany), or grant token-based permissions to the integrating service.

Related Errors

KSEF-440KSeF Duplicate Invoice Rejection (HTTP 440)

Related Content

Learn
E-Invoicing DeadlinesWhat is KSeF?
Countries
E-Invoicing in Poland
Glossary
Mandate phasesEvidence Pack
Errors
KSeF Duplicate Invoice Rejection (HTTP 440)
Blog
Poland's KSeF E-Invoicing Mandate Hits All Businesses April 1: What ERP Vendors Must Do NowPoland's KSeF E-Invoicing Mandate Hits All Businesses April 1: What ERP Vendors Must Do Now

Last updated: 16 June 2026

Share this guide:

Validate your invoice

Drop your XML here to check for KSEF-21115

Fix KSEF-21115 with guided input

Upload your invoice and we'll ask for the missing data, then apply a safe, auditable fix.

Fix it nowAutomate via API