ZATCA CSD Certificate

Complete Guide to Compliance Services Device for Saudi E-Invoicing Phase 2

Last updated: March 30, 2026

🔐 What is a CSD Certificate?

A CSD (Compliance Services Device) certificate is a digital certificate issued by ZATCA-approved providers. It acts as a unique identity for your business when sending e-invoices to ZATCA. The certificate is used for:

Digitally signing every e-invoice
Generating the cryptographic stamp (QR code data)
Authenticating API calls to Fatoora portal
Ensuring non-repudiation and data integrity

⚡ Why is CSD Mandatory?

ZATCA requires a CSD certificate to prevent invoice tampering, fraud, and ensure tax compliance. Without a valid CSD certificate, your e-invoices will be rejected by the Fatoora portal. Phase 2 integration cannot proceed without it.

🏢 ZATCA-Approved CSD Providers

As of 2026, the following providers are authorized to issue CSD certificates for ZATCA e-invoicing:

✅ Geotrust (DigiCert) ✅ Digicert Inc. ✅ Entrust Datacard ✅ GlobalSign ✅ ZATCA Trust List (check official portal for updates)

📋 CSD Certificate Application Process

01 Choose an approved provider from the list above

02 Register your business (provide TRN, Commercial Registration, authorized signatory details)

03 Complete identity verification (video call or in-person for some providers)

04 Generate a Certificate Signing Request (CSR) from your system

05 Submit CSR to provider and pay the certificate fee

06 Receive and install the CSD certificate (usually within 5-10 business days)

07 Test certificate in ZATCA Sandbox environment

08 Deploy to production for live e-invoicing

💰 Estimated Cost of CSD Certificate

The cost varies by provider and certificate validity period:

💰 1-year certificate: SAR 800 - 1,500
💰 2-year certificate: SAR 1,500 - 2,500
💰 3-year certificate: SAR 2,000 - 3,500

🔧 Integration with Your System

Once you have the CSD certificate, you need to integrate it with your e-invoicing solution:

Install the certificate on your server or HSM (Hardware Security Module)
Configure your e-invoicing software to use the certificate for signing
Implement OTP (One-Time Password) generation using CSD keys
Test API calls to Fatoora Sandbox
Go live with Clearance or Reporting model

⏱️ CSD Certificate Timeline

Understanding the timeline helps you plan your Phase 2 integration:

⏱️ Document submission to provider: 1-2 days
⏱️ Identity verification: 1-3 days
⏱️ CSR generation and submission: 1 day
⏱️ Certificate issuance: 5-10 business days
⏱️ Total estimated time: 8-16 business days

🔄 CSD Certificate Renewal

CSD certificates have an expiry date (typically 1-3 years). The renewal process is simpler:

Start renewal 30-45 days before expiry
Submit renewal request to your provider
Pay renewal fee (usually lower than initial)
Receive renewed certificate within 3-5 business days
Install and test before old certificate expires

❓ Frequently Asked Questions

Q: Can I use a free SSL certificate instead of CSD?

A: No. Free SSL certificates (like Let's Encrypt) are NOT accepted. You must purchase a CSD certificate from ZATCA-approved providers like Geotrust or Digicert. Free certificates lack the required cryptographic capabilities for digital signing.

Q: How long does it take to get a CSD certificate?

A: Typically 5-10 business days after submitting all required documents. Plan well before your Phase 2 integration deadline. Start the process at least 30 days before your integration date.

Q: Can one CSD certificate be used for multiple branches?

A: Yes, a single CSD certificate can be used for all invoices from the same legal entity (same TRN). Each branch does not need a separate certificate as long as they share the same TRN.

Q: What happens if my CSD certificate expires?

A: ZATCA will reject your e-invoices. You must renew the certificate before expiry. The renewal process is simpler and faster (3-5 business days) than the initial application. Set reminders 60 days before expiry.

Q: Is CSD required for both Clearance and Reporting models?

A: Yes, both models require a valid CSD certificate for digital signing and cryptographic stamp generation. There is no exception for either model.

Q: What is the difference between CSD and SSL certificates?

A: SSL certificates secure website connections. CSD certificates are specifically designed for digital signing and cryptographic stamping of e-invoices. You cannot use one for the other.

Q: Do I need a Hardware Security Module (HSM) for CSD?

A: HSM is recommended for large enterprises with high invoice volumes. For small businesses, software-based storage (keystore) is acceptable. Check your provider's requirements.

Q: Can I test CSD certificate in Sandbox before buying?

A: Yes, ZATCA provides a Sandbox environment where you can test integration using a test CSD certificate. This allows you to validate your implementation before purchasing a production certificate.

📚 Related ZATCA Resources

📘 Complete Guide ⚖️ Clearance vs Reporting 📄 Tax Invoice Format 🔌 Fatoora Integration