Automatic and Manual Certificates
You have two options for obtaining SSL certificates to secure a domain in NetSuite:
You should use automatic SSL certificates to secure your domain, unless you have a good reason to use the manual option. Automatic certificates from NetSuite:
-
Are provided free of charge.
-
Follow security and encryption industry standards.
-
Automatically renew with no downtime.
Use the manual certificate option if you have a specific need, like you need to use an Organization Validation (OV) or Extended Validation (EV) certificate.
Automatic Certificate Option
The automatic certificate option is usually the quickest and easiest way to secure a domain. If you use the automatic certificate option, Oracle NetSuite obtains a domain validated (DV) certificate for your NetSuite-hosted domain. The benefit is that Oracle NetSuite obtains, applies, maintains, and renews the certificate for you automatically. This service is provided at no additional cost.
To use the automatic certificate, you need to use two DNS records.
The first DNS record needs to use the CNAME that NetSuite displays on the Domain page. An example of the format for a CNAME is <yourDomainName>.hosting.netsuite.com (where <YourDomainName> is a variable representing the name of your domain, such as shop.example.com).
The second DNS record is to set up a CNAME for acme-challenge. The format of the acme-challenge is, _acme-challenge.<yourDomainName>, pointing to <yourDomainName>.hosting-verify.netsuite.com.
Be aware that if you switch to the automatic certificate option, don't include a CAA record in DNS. A CAA record in DNS may block the deployment of the automatic certificate.
Sometimes, the manual certificate option is a better fit. These scenarios include:
-
CNAME flattening—If you are using a CNAME flattening feature from your DNS provider, you must use the manual certificate option. The automatic option doesn’t support CNAME flattening unless you’re using a second-level domain.
Second-level domains have to use CNAME flattening since they don’t support CNAMEs. This applies to both manual and automatic certificates. However, don't use CNAME flattening with the acme-challenge DNS record.
-
Organization Validation (OV) or Extended Validation (EV) certificate—IIf your business needs OV or EV certificates, use the manual option.
Manual Certificate Option
You might choose the manual certificate option for specific reasons, like the ones listed in the previous section. You might also use the manual option if you want to use an SSL certificate from a CA you choose. For a list of certificate authorities, see the Mozilla Included CA Certificate List.
With the manual option, first download a certificate signing request (CSR) for your domain from NetSuite, then send it to your CA when you buy a certificate. When you receive the certificate from your CA, upload it to NetSuite so it can be used on your NetSuite-hosted site. You can’t use this certificate outside of NetSuite. You’re also responsible for maintaining and renewing the certificate. For more information, see Manual Certificates.
Using the manual certificate option requires extended setup steps and may incur additional cost.