System-to-System Developer’s Guide v3.0
Confidential Material 8 of 19
3 SETUP CLIENT CERTIFICATE
As discussed previously, NetSuite’s Two-Way Secure Socket Layer (SSL) authentication uses public/private key
technology both to authenticate clients to NetSuite servers and to authenticate NetSuite servers to
connecting clients. Client authentication uses a key pair generated by the client, the public key of which is signed
by, and held by, NetSuite. Authentication takes place over an SSL connection established with NetSuite’s own key
pair, which is signed by a mutually trusted certificate signer (in this case RSA). The SSL portion of this process
guarantees to the client that NetSuite is NetSuite, and the NetSuite authentication portion guarantees to NetSuite
that the client is who it claims to be.
There are three certificates that are used in NetSuite’s Two-Way Secure Socket Layer authentication:
1. the integration partner’s client certificate, signed by us (which is the signed CSR)
2. the NetSuite certificate used to sign your CSR (NLCACert4Partners.der)
3. the RSA certificate used to sign our server certificate (RSASignedCERT.cer)
The certificates from 1 and 2 above are stored within your keystore, the same one that you used to generate the
CSR in the first place. A keystore contains the public/private key pair used to create the CSR, as well as
various certificates. The following sections describe the construction and use of keystores in greater detail.
The RSA certificate, from 3, is used at the beginning of an SSL handshake, when you verify our server
certificate, to assure yourself that we are who you think we are. You may obtain the RSA certificate directly
from our site (using a browser and clicking the IE security lock icon), from RSA directly, or wait for us to send it
to you (we always send a copy of all three certificates when replying to CSRs).
The following steps outline the process in detail. Note that these steps use a fictitious company named Client,
Inc. You should be able to use these commands exactly as they appear by replacing the example references to
Client, Inc., and its related password and company information, with your own.
If the integration partner has more than one NetSuite account for which they need to enable system-to-system
access, they have the following options:
• They may register a certificate for each NetSuite account.
• They may use a single certificate across all accounts. Note that unlike server certificates, a client certificate is not
bound to a specific physical machine, and therefore, a certificate can be copied to other machines.
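The following is an added example, not code from the NetSuite guide, showing how the three certificates above map onto a Java SSLContext once the keystore has been built: certificates 1 and 2 (with the client key pair) come from the keystore, while certificate 3 is loaded from a separate trust store. The separate trust store, the class name TwoWaySslContext, the file paths and the use of Java 7 syntax are all assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Builds an SSLContext for NetSuite two-way SSL (hypothetical helper, not part of the guide). */
public final class TwoWaySslContext {

    /**
     * keystorePath   - the keystore holding the Client, Inc. key pair, the NetSuite-signed
     *                  client certificate (1) and the NetSuite signing certificate (2)
     * truststorePath - a separate keystore (assumed here) holding only the RSA certificate (3)
     *                  used to verify NetSuite's server certificate
     */
    public static SSLContext build(String keystorePath, char[] keystorePassword,
                                   String truststorePath, char[] truststorePassword)
            throws Exception {
        // Key material: proves to NetSuite that the client is who it claims to be.
        KeyStore keystore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            keystore.load(in, keystorePassword);
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keystore, keystorePassword);

        // Trust anchor: proves to the client that the server really is NetSuite.
        // Kept apart from the keystore so that only the RSA signer (3) is trusted for
        // server certificates, not every certificate that happens to sit in the keystore.
        KeyStore truststore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(truststorePath)) {
            truststore.load(in, truststorePassword);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);

        // Client authentication and server verification are combined in one context.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

The returned context can be applied to an HttpsURLConnection with setSSLSocketFactory(ctx.getSocketFactory()) so that both halves of the handshake described above take place on every connection.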
3.1 JAVA PLATFORM
When using the Java platform, creating a client certificate is best achieved by using Java’s native support for
certificates. Following is a detailed list of steps required to create a certificate, get it signed by NetSuite, and
install the certificate.
Step 1: Install the Java 2 Platform, Standard Edition JDK version 1.4 or higher
You will need the keytool program that comes with this version of the JDK in order to manage keystores. Once
the JDK has been installed, and the bin directory of the JDK has been added to the system path, you should be
able to run the keytool command at the command prompt.
Step 2: Generate a new public/private key pair in a new keystore as follows