Manual Certificates FAQ

This topic applies to

Applies to

SuiteCommerce | SuiteCommerce Advanced


How do I generate a Certificate Signing Request (CSR)?

To find the information you need from NetSuite, see Generate a CSR. Next, follow the instructions for generating a CSR posted on your certificate authority's website. If you cannot find these instructions, contact your certificate authority for details.

What are the requirements for the SSL certificates I buy for the custom checkout domain I use with NetSuite?

You can select an SSL certificate from the vendor of your choice, but it must meet the following restrictions and recommendations:

  • All SSL certificates you plan to use with NetSuite require:

    • A 2048–bit RSA (private and public) key. 4096–bit key lengths are not supported.

    • The private key must use the PKCS#1 RSA Cryptography Standard.


      The PKCS#8 Private-Key Information Syntax Standard is not supported. If the private key issued to you uses the PKCS#8 standard, see How can I change the private key from PKCS#8 to PKCS#1?.

    • Must be Apache-compatible and PEM-encoded.

  • You are required to purchase SSL certificates that use the SHA-2 hash function or better. For more information, see the help topic Supported TLS Protocol and Cipher Suites.

  • The following are not supported:

    • Wildcard certificates

    • Self-signed certificates

    • ECC (Elliptic Curve Cryptography) SSL certificates

    • Subject Alternative Name (SAN) fields on an SSL certificate (that is, adding multiple domain names to a single certificate). Only the Subject Name on a certificate is considered. In cases where SANs are specified on a certificate (using a subjectAltName field), they are ignored.


To test if a certificate is trusted by your selected web browser, click the link in the URL to Test Website or Example Cert column of the Mozilla Included CA Certificate List. You can purchase certificates from providers not listed in the Mozilla Included CA Certificate list, however they may not be trusted by your browser. Contact your certificate provider for more information.

How can I change the private key from PKCS#8 to PKCS#1?

Some certificate providers generate the private key encrypted in the unsupported PKCS#8 key format. The unsupported PKCS#8 key starts with the following line:


You can convert this unsupported PKCS#8 key to the PKCS#1 key format using the following command:

$ openssl rsa -in <my-key-filename>.key -out <my-key-filename>-rsa.key 

The PKCS#1 formatted key starts with the following line:


What happens if my manual SSL certificate expires?

An expired certificate is automatically deleted 30 days after the expiration date, which makes the website inaccessible.

To avoid this, make sure your certificates are always valid (unexpired) for all your secure websites, including test websites.