System-to-System Developer’s Guide v3.0
A new public/private key pair is generated in a new keystore. The keystore should be stored in a secure location.
In the following example, a 2048-bit RSA private/public key pair with an alias of client and a password of
mykeypass is generated and stored in the file client.keystore, which is protected with the password mystorepass.
keytool -genkey -dname "cn=client.com, ou=Engineering, o=Client, c=US, st=California" -alias "client" -keypass mykeypass -keystore "client.keystore" -storepass mystorepass -keyalg "RSA" -keysize 2048
The dname parameter specifies the certificate's distinguished name, which is made up of the fields below. If you omit
this parameter, the tool will prompt you for this information.
Name  Description
CN    Valid domain name for your company
O     Company name
OU    Organizational Unit
C     Country
ST    State
Step 3: Create a Certificate Signing Request (CSR)
The public key generated above needs to be signed by a Certificate Authority (CA). The new key pair is used to
generate a Certificate Signing Request or CSR. A CSR is a file, in a special format, that contains the public key
to be signed; it is sent to the certification authority for signing. Note that the CA in this case is NetSuite.
keytool -keystore client.keystore -keypass mykeypass -storepass mystorepass -alias client -certreq -file client.csr
The above command uses the keystore named client.keystore (store password mystorepass) to generate a CSR
named client.csr for the key with an alias of client, whose key password is mykeypass.
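One way to run Steps 2 and 3 without putting the passwords on the command line, where they would show up in process listings and shell history. This is an added example, not part of the guide: the function names and the STOREPASS and KEYPASS variable names are assumptions made here, while the :env password modifier and -printcertreq are standard keytool options.

```shell
#!/bin/sh
# Added example, not from the guide. STOREPASS and KEYPASS are variable
# names chosen here; export both before calling make_csr.

# Succeed only if the DN has the five fields the guide's table lists
# (CN, O, OU, C, ST), each with a value, and C is a two-letter code.
# Limitation: splits on every comma, so escaped commas are not supported.
check_dname() {
    rdns=$(printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//')
    for field in CN O OU C ST; do
        printf '%s\n' "$rdns" | grep -Eiq "^${field}=[^ ]" ||
            { echo "dname: missing $field" >&2; return 1; }
    done
    country=$(printf '%s\n' "$rdns" | sed -n 's/^[Cc]=//p')
    case $country in
        [A-Za-z][A-Za-z]) return 0 ;;
        *) echo "dname: C must be a two-letter country code" >&2; return 1 ;;
    esac
}

# Steps 2-3 with the passwords read from the environment (:env) instead of
# the command line, then print the CSR so its subject and key size can be
# checked before it is e-mailed. The body runs in a subshell so the umask
# change does not leak into the caller.
make_csr() (
    dn=$1 store=${2:-client.keystore} csr=${3:-client.csr}
    check_dname "$dn" || exit 1
    [ -n "${STOREPASS:-}" ] && [ -n "${KEYPASS:-}" ] ||
        { echo "export STOREPASS and KEYPASS first" >&2; exit 1; }
    umask 077   # keystore holds the private key: owner-only file mode
    # On a PKCS12 keystore keytool uses the store password for the key too.
    keytool -genkey -dname "$dn" -alias client -keyalg RSA -keysize 2048 \
        -keystore "$store" -storepass:env STOREPASS -keypass:env KEYPASS &&
    keytool -certreq -alias client -file "$csr" \
        -keystore "$store" -storepass:env STOREPASS -keypass:env KEYPASS &&
    keytool -printcertreq -file "$csr"
)
```

After exporting the two variables, call make_csr with the distinguished name as its first argument; the keystore and CSR file names default to the ones used in the guide. Environment variables remain readable by the same user and by root, so clear them once the CSR has been produced.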
Step 4: E-mail the CSR to NetSuite
NetSuite will act as the CA and sign the certificate. It will also extract a hash of the certificate and store it internally
so that a secondary check can be performed on all incoming requests.
The e-mail should be sent to certSignReq@netsuite.com with the CSR file as an attachment. It should include the
following:
Subject: Certificate Signing Request for <Company Name>
Body:
o Partner ID: The partner ID assigned by NetSuite.
o NetSuite Account Number(s): The accounts that require System-to-System access. These may include a production
account and a test account. You can obtain your NetSuite account number as follows: NetSuite Home > Set
Up Synchronization (under the Settings portlet) > the account number is displayed in the text box.
o Partner Account Name (customers only): A logical name by which you would like the NetSuite account provided
above to be referred to. For example, if your company name is ABC Corp, you might have
ABC_Production and ABC_Test as your account names. Solution providers do not provide a Partner
Account unless they have made special arrangements with Professional Services to manually configure
account mapping; otherwise, the Partner Account is determined dynamically, as established via Single Signon
Account Mapping, discussed in the Single Signon section.
o The Certificate Signing Request as an attachment.