Generate a Certificate Signing Request (CSR)

This topic applies to

Applies to

Commerce Web Stores


Use the OpenSSL utility to generate the CSR required by your certificate authority. The CSR is used to verify your company's identity.


You can purchase an SSL certificate from the certificate authority of your choice as long as it meets the restrictions listed in the topic Purchase Domains and SSL Certificates. For a list of certificate authorities, see the Mozilla Included CA Certificate List. You can purchase certificates from providers not listed in the Mozilla Included CA Certificate list, however, they may not be trusted by all web browsers or by the NetSuite application.

The numbered steps in this section provide general guidelines for generating the CSR, although each certificate authority may have specific requirements. Contact the certificate authority that you are purchasing your certificate from for details.

To generate the CSR:

  1. Open a command prompt. Go to Start > Accessories > Command Prompt, or type CMD in the Run window.

  2. Type C:, and then press Enter, to change the directory.

  3. Type openssl, and then press Enter.

  4. Type the following command:

    req -new -key <secure.domainnamekey>.key -out <secure.domainnamecsr>.csr


    This command prompts you to enter the following X.509 attributes for the certificate:

    Country Name: Use the two-letter code without punctuation for country, for example: US for United States, or CA for Canada.

    State or Province: Spell the state completely. Do not abbreviate the state or province name. For example, type California, not CA.

    Locality or City: This is the city or town name, such as Berkeley, or Toronto. Do not abbreviate. For example, use Saint Louis not St. Louis.

    Company: Exclude any symbols from your company name. For example, XY & Z Corporation must be changed to XYZ Corporation, or XY and Z Corporation.

    Organizational Unit (OU): (Optional). This field is used to identify certificates registered to a particular department or organization within a company. To skip the OU field, press Enter on the keyboard.

    Common Name: This is the host and domain name, such as, or

After completing the steps above, you should have the following two files in OpenSSL\bin :

  • A CSR file (.csr)

  • A private key file (.key)

The CSR file (secure.domainnamecsr.csr) is submitted to the CA to obtain the SSL certificate, which includes the public key. The private key (secure.domainname.key) is used for decryption.

Now that you have generated a private key and a CSR, you are prepared to Submit your CSR to the CA.