Introduction

When it comes to secure API authentication, OAuth 2.0 Client Credentials (M2M) flow is a top choice for connecting with NetSuite. However, the manual effort required to upload certificates for each user has been a significant hurdle for administrators.

The good news is that the certificates endpoint has arrived with the release of version 2023.1 hotfix. This feature allows administrators to programmatically manage certificates, eliminating the need for manual uploads.

From now on, the combination of OAuth 2.0 Client Credentials (M2M) flow and the certificates endpoint is the optimal choice for streamlined, secure authentication in NetSuite. In this article, we will explore how to programmatically upload, and regenerate certificates used for OAuth 2.0 Client Credentials (M2M) flow in a step-by-step guide.

What You Need

Before we dive into the technical details, ensure you have the following prerequisites:

• Enable the OAuth 2.0 feature.
• Setup Permissions.
• Create an Integration Record.

Step 1 - Generating Certificates

To secure your M2M client, you need to create certificates by using tools such as OpenSSL to generate a self-signed certificate. Here's an example of how to do it using OpenSSL in a terminal:

openssl req -x509 -newkey rsa:4096 -keyout auth-key.pem -out auth-cert.pem -nodes

To eliminate the manual work of administrators, invoke the above command or use the OpenSSL library to generate certificates in your server-side source code.

Step 2 - Uploading Certificates

The next step is to upload the certificate to NetSuite. When connecting to NetSuite for the first time, you need to obtain an access token by either setting it up in the NetSuite UI or by obtaining the access token using a different flow, such as the OAuth 2.0 Authorization Code Grant flow.
After getting an access token, send a POST request to the following endpoint.

The Upload Endpoint

/services/rest/auth/oauth2/v1/clients/{clientId}/certificates

Data

{
    "fileContent": "-----BEGIN CERTIFICATE-----...",
    "role": 3,
    "entity": 7
}

Keep in mind that as of version 2023.2, when sending POST request to the upload endpoint, the payload is expected to be in JSON string format. 

Sample Request

curl 'https://tstdrv1234567.app.netsuite.com/services/rest/auth/oauth2/v1/clients/63f9d36214e97953d94298a5405be/certificates' -H 'Authorization: Bearer eyJraWQiOi...' -H 'Content-Type: application/json' -X POST -d '{ "fileContent":"-----BEGIN CERTIFICATE-----...","role":3,"entity":7 }' -v --insecure --tlsv1.2

Sample Response

{
    "entity_role_id":{"com":"4030059","ent":7,"rol":3},
    "certificate_id":"Qiljyqx_nQC-_BMDF37ghOwZI0TpgaRrThMRNWJTPlU",
    "certificate":"-----BEGIN CERTIFICATE-----...",
    "algorithm":"RSA",
    "created_at":"2023-05-29",
    "valid_from":"2023-05-25",
    "valid_until":"2024-05-24",
    "invalidated":false,
    "installation_id":2,
    "valid":true
}

Step 3 - Renewing Certificates

Certificates have a limited validity period. To ensure continuous Machine-to-Machine communication, you must implement a certificate renewal process. This can be done by:

• Revoke existing certificates.
• Upload new certificates.

To revoke existing certificates, send a POST request to the following endpoint.

The Revoke Endpoint

/services/rest/auth/oauth2/v1/clients/{clientId}/certificates/{certificateId}/revoke

Sample Request

curl 'https://tstdrv1234567.app.netsuite.com/ services/rest/auth/oauth2/v1/clients/63f9d36214e97953d94298a5405be /certificates/xYAcb_rwSVj6stkI0cCysutJ4AKwqTOBU5M75HNh7Ig/revoke' -H 'Authorization: Bearer eyJraWQiO...' -H 'Content-Type: application/json' -X POST -v --insecure --tlsv1.2

Sample Response

Successfully revoked

After revoking the current certificates, generate and upload the new ones. Managing OAuth 2.0 client credentials certificates programmatically is vital for M2M security.

Listing All Certificates in your Integration

The List All Certificates endpoint allows you to view a comprehensive list of users associated with a specific integration. To do that, send a GET request to the following endpoint.

The List All Certificates Endpoint

/services/rest/auth/oauth2/v1/clients/{clientId}/certificates

Sample Request

curl 'https://tstdrv1234567.app.netsuite.com/services/rest/auth/oauth2/v1/clients/ 63f9d36214e97953d94298a5405be/certificates' -H 'Authorization: Bearer eyJraWQiOiJ...' -H 'Content-Type: application/json' -v --insecure --tlsv1.2

Sample Response

[
  {
    "application": {
      "id": 2,
      "name": "Test Integration",
      "url": "/app/common/integration/integrapp.nl?id=2",
      "application_id": "5A7C2B6D-F927-4D7B-94DB-8026A86F823E"
    },
    "entity": {
      "id": 7,
      "name": "Infra Auth",
      "entity_type": "EMPLOYEE",
      "url": "/app/common/entity/entity.nl?id=7"
    },
    "role": {
      "id": 3,
      "name": "Administrator",
      "url": "/app/setup/role.nl?id=3"
    },
    "created": "2023-05-29",
    "valid_from": "2023-05-25",
    "valid_until": "2024-05-24",
    "revoked": true,
    "certificate_id": "Qiljyqx_nQC-_BMDF37ghOwZI0TpgaRrThMRNWJTPlU",
    "algorithm": "RSA"
  },
  {
    "application": {
      "id": 2,
      "name": "Test Integration",
      "url": "/app/common/integration/integrapp.nl?id=2",
      "application_id": "5A7C2B6D-F927-4D7B-94DB-8026A86F823E"
    },
    "entity": {
      "id": 7,
      "name": "Infra Auth",
      "entity_type": "EMPLOYEE",
      "url": "/app/common/entity/entity.nl?id=7"
    },
    "role": {
      "id": 3,
      "name": "Administrator",
      "url": "/app/setup/role.nl?id=3"
    },
    "created": "2023-05-29",
    "valid_from": "2023-05-29",
    "valid_until": "2024-05-28",
    "revoked": false,
    "certificate_id": "xYAcb_rwSVj6stkI0cCysutJ4AKwqTOBU5M75HNh7Ig",
    "algorithm": "RSA"
  }
]

Conclusion

Managing OAuth 2.0 Client Credentials (M2M) certificates programmatically is essential for securing your Machine-to-Machine communication. I hope this article helps you to confidently upload certificates to NetSuite and keep your integration secure. Additionally, implementing a certificate renewal process ensures seamless operation even as certificates expire.