Secure Domains FAQ

This topic applies to

Applies to

Commerce Web Stores


How do I generate a Certificate Signing Request (CSR)?

To find the information you need from NetSuite, see Prerequisites for Setting Up Secure Domains. Next, follow the instructions for generating a CSR posted on your certificate authority's website. If you cannot find these instructions, contact your certificate authority for details.

What are the requirements for the SSL certificates I buy for the custom checkout domain I use with NetSuite?

You can select an SSL certificate from the vendor of your choice, but it must meet the following restrictions and recommendations:

  • All SSL certificates you plan to use with NetSuite require:

    • A 2048–bit RSA (private and public) key. 4096–bit key lengths are not supported when a CDN is in use.

    • The private key must use the PKCS#1 RSA Cryptography Standard.


      The PKCS#8 Private-Key Information Syntax Standard is not supported. If the private key issued to you uses the PKCS#8 standard, see How can I change the private key from PKCS#8 to PKCS#1?.

    • Must be Apache-compatible and PEM-encoded.

  • You are required to purchase SSL certificates that use the SHA-2 hash function or better.

  • The following are not supported:

    • Wildcard certificates

    • Self-signed certificates

    • ECC (Elliptic Curve Cryptography) SSL certificates

    • Subject Alternative Name (SAN) fields on an SSL certificate (that is, adding multiple domain names to a single certificate). Only the Subject Name on a certificate is considered. In cases where SANs are specified on a certificate (using a subjectAltName field), they are ignored.


To test if a certificate is trusted by your selected web browser, click the link in the URL to Test Website or Example Cert column of the Mozilla Included CA Certificate List. You can purchase certificates from providers not listed in the Mozilla Included CA Certificate list, however they may not be trusted by your browser. Contact your certificate provider for more information.

How can I change the private key from PKCS#8 to PKCS#1?

Some certificate providers generate the private key encrypted in the unsupported PKCS#8 key format. The unsupported PKCS#8 key starts with the following line:


You can convert this unsupported PKCS#8 key to the PKCS#1 key format using the following command:

$ openssl rsa -in <my-key-filename>.key -out <my-key-filename>-rsa.key  

The PKCS#1 formatted key starts with the following line:


Can I test my secure domain on Sandbox or Release Preview?

Customers with sandbox accounts on the NetSuite domain and all Release Preview accounts can deploy custom secure domains. You must create a unique domain for your sandbox or Release Preview account. For example, if you use in your production account, you could use or


Do not attempt to reuse domains that are already deployed in your production account. You must set up a unique domain for each of your accounts: production, sandbox, and Release Preview.

Follow the instructions for setting up domains as you would for your production account. See Prerequisites for Setting Up Secure Domains.

Can I delete my secure domain?