Manual Certificates FAQ

How do I generate a Certificate Signing Request (CSR)?

See Generate a CSR for information about what you need to do to generate a CSR in NetSuite. Next, follow the instructions for generating a CSR provided on the website of your certificate authority (CA). If you cannot find these instructions, contact your CA for details.

What are the requirements for the SSL certificates I buy for the custom checkout domain I use with NetSuite?

You can select an SSL certificate from the vendor of your choice, but it must meet the following requirements:

  • All SSL certificates you use with NetSuite require:

    • A 2048-bit RSA (private and public) key. 4096-bit key lengths are not supported.

    • The private key must use the PKCS#1 RSA Cryptography Standard.

      Note:

      The PKCS#8 Private-Key Information Syntax Standard is not supported. If the private key issued to you uses the PKCS#8 standard, see How can I change the private key from PKCS#8 to PKCS#1?

    • Compatibility with Apache and PEM encoding.

  • You are required to purchase SSL certificates that use the SHA-2 hash function or better. For more information, see Supported TLS Protocol and Cipher Suites.

  • The following are not supported:

    • Wildcard certificates

    • Self-signed certificates

    • ECC (Elliptic Curve Cryptography) SSL certificates

    • Subject Alternative Name (SAN) fields on an SSL certificate (that is, adding multiple domain names to a single certificate). Only the Subject Name on a certificate is considered. In cases where SANs are specified on a certificate (using a subjectAltName field), they are ignored.

Note:

To test if a certificate is trusted by your selected web browser, click the link in the URL to Test Website or Example Cert column of the Mozilla Included CA Certificate List. You can purchase certificates from providers not listed in the Mozilla Included CA Certificate list. However, they may not be trusted by your browser. Contact your certificate provider for more information.

How can I change the private key from PKCS#8 to PKCS#1?

Some certificate providers generate the private key in the unsupported PKCS#8 key format. The unsupported PKCS#8 key starts with the following line:

    -----BEGIN PRIVATE KEY-----

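You can convert this unsupported PKCS#8 key to the PKCS#1 key format using the following command (with OpenSSL 3.0 or later, add the -traditional option, because openssl rsa otherwise writes PKCS#8 output):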

    $ openssl rsa -in <my-key-filename>.key -out <my-key-filename>-rsa.key

The PKCS#1 formatted key starts with the following line:

    -----BEGIN RSA PRIVATE KEY-----
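
A pre-upload check for the key requirements and the PKCS#8 conversion described above, as an added example that is not part of the NetSuite documentation. The function names are assumptions; the retry with -traditional covers OpenSSL 3.0 and later, where openssl rsa writes PKCS#8 unless that option is given.

```shell
#!/bin/sh
# Added example: checks a private key against this page's requirements
# (PKCS#1 PEM, 2048-bit RSA). Function names are made up for illustration.

# Classify a PEM private key by its first BEGIN line.
key_format() {
    case "$(sed -n '/^-----BEGIN /{p;q;}' "$1")" in
        *'BEGIN RSA PRIVATE KEY'*)       echo pkcs1 ;;
        *'BEGIN ENCRYPTED PRIVATE KEY'*) echo pkcs8-encrypted ;;
        *'BEGIN PRIVATE KEY'*)           echo pkcs8 ;;
        *'BEGIN EC PRIVATE KEY'*)        echo ec ;;
        *)                               echo unknown ;;
    esac
}

# Print the RSA modulus size in bits; prints nothing for non-RSA input.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Convert $1 to PKCS#1 in $2 using the page's command, then verify the header.
# OpenSSL 3.x writes PKCS#8 here unless -traditional is given, so retry with it.
to_pkcs1() (
    umask 077   # the new key file is readable by its owner only
    openssl rsa -in "$1" -out "$2" 2>/dev/null || exit 1
    [ "$(key_format "$2")" = pkcs1 ] ||
        openssl rsa -traditional -in "$1" -out "$2" 2>/dev/null || exit 1
    [ "$(key_format "$2")" = pkcs1 ]
)

# Return 0 only if the key is PKCS#1 and exactly 2048 bits.
check_key() {
    fmt=$(key_format "$1")
    [ "$fmt" = pkcs1 ] || { echo "FAIL: format $fmt, need pkcs1"; return 1; }
    bits=$(key_bits "$1")
    [ "$bits" = 2048 ] || { echo "FAIL: ${bits:-unknown} bits, need 2048"; return 1; }
    echo "OK: 2048-bit RSA key in PKCS#1 PEM"
}

# Usage: sh check.sh <my-key-filename>.key
if [ "$#" -eq 1 ]; then
    key=$1
    if [ "$(key_format "$key")" = pkcs8 ]; then
        to_pkcs1 "$key" "${key%.key}-rsa.key" && key="${key%.key}-rsa.key"
    fi
    check_key "$key"
fi
```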

            

What happens if my manual SSL certificate expires?

An expired certificate is automatically deleted 30 days after the expiration date and makes your website inaccessible.

To avoid this, make sure your certificates are always valid (unexpired) for all your secure websites, including test websites.
