When integrating NetSuite with external systems that require mutual TLS (mTLS) or certificate-based authentication, the standard HTTPS module isn’t enough. That’s where the N/https/clientCertificate module comes in.

This module allows SuiteScript to send SSL-secured HTTPS requests using a client-side digital certificate — a requirement for many banking APIs, financial institutions, government portals, and high-security third-party systems.

In this guide, we break down:

• What the clientCertificate module does
• Supported methods
• When and why to use certificate-based authentication
• Example use cases
• Sample SuiteScript code
• Best security practices

Let’s dive in.

⭐ 1. What Is the N/https/clientCertificate Module?

The N/https/clientCertificate module lets SuiteScript make HTTPS requests authenticated by a digital certificate instead of:

• API keys
• Passwords
• Tokens
• Basic authentication

This is essential when the remote server requires the client to prove its identity through a certificate — a process known as mutual TLS authentication.

⭐ 2. Why Certificate-Based Authentication Matters

Many industries require certificate-based authentication for compliance and security:

• Banking APIs (ACH, treasury, payment gateways)
• Government/Tax authority APIs (e.g., e-invoicing systems)
• Healthcare integrations (HIPAA-secure endpoints)
• Secure B2B integrations
• Private APIs requiring mTLS

Using client certificates ensures:

✔ Strong authentication
✔ Encrypted communication
✔ Server verification
✔ Prevention of credential leakage

NetSuite makes it possible to securely manage and use certificates inside scripts.

⭐ 3. Module Methods

The clientCertificate module mirrors the standard N/https module but adds certificate-based authentication.

Here are all the supported methods:

🔹 clientCertificate.post(options)

Sends an SSL-secured POST request using a digital certificate.

🔹 clientCertificate.get(options)

Sends an SSL-secured GET request using a digital certificate.

🔹 clientCertificate.put(options)

Sends an SSL-secured PUT request.

🔹 clientCertificate.delete(options)

Sends an SSL-secured DELETE request.

🔹 clientCertificate.request(options)

Allows any type of HTTPS request, similar to a generic request wrapper.

This is useful when the target API uses custom methods like:

• PATCH
• OPTIONS
• HEAD

Each method returns an:
➡ https.ClientResponse object
Containing code, headers, and body.

⭐ 4. Example SuiteScript: POST Request Using Client Certificate

Below is a simplified example of making a POST request with a certificate:

/**
 * @NApiVersion 2.1
 */
define(['N/https/clientCertificate'], function(clientCert) {

    function sendSecurePost() {
        const response = clientCert.post({
            url: 'https://secure-api.example.com/data',
            certificateId: 'custcert_my_certificate',
            headers: {
                'Content-Type': 'application/json'
            },
            body: JSON.stringify({
                recordId: 123,
                status: 'Processed'
            })
        });

        log.debug('Response Code', response.code);
        log.debug('Response Body', response.body);
    }

    return { execute: sendSecurePost };
});

⭐ 5. Example: GET Request With Certificate

const response = clientCert.get({
    url: 'https://bank-api.example.com/accounts',
    certificateId: 'custcert_bank_ssl_cert'
});

log.debug('Bank API Response', response.body);

⭐ 6. Storing Certificates in NetSuite

Certificates must be uploaded and stored securely in:

Setup → Company → Preferences → Keys

This area also stores SSH keys, API secrets, and now client certificates.

NetSuite encrypts and manages these securely — meaning scripts never expose certificate content.

⭐ 7. When to Use N/https/clientCertificate Instead of N/https?

Use N/https unless the target API requires:

✔ mTLS authentication
✔ SSL handshake using client certificate
✔ PKI-based access
✔ Certificate-based token retrieval
✔ Encrypted channel identity validation

Examples:

• Connecting to banks requiring mTLS
• Government invoice/reporting portals
• Secure logistics platforms
• Payment providers with certificate requirements

⭐ 8. Best Practices for Using clientCertificate

✔ Always store certificates in the Key Management UI

Never store certificates as file attachments or in script files.

✔ Keep certificates locked

Use keyControl.lock() to protect from accidental changes.

✔ Rotate certificates before expiration

Especially for banking APIs and regulated industries.

✔ Avoid logging sensitive data

Never log certificate IDs, keys, or raw responses containing confidential data.

✔ Test in Sandbox first

Some systems require whitelisted certificates per environment.

⭐ 9. Final Thoughts

The N/https/clientCertificate module opens the door for secure, enterprise-grade integrations that rely on mutual TLS authentication. Whether you’re integrating with banks, government systems, or private APIs, this module gives SuiteScript the tools required to communicate securely.

With:

• Full SSL certificate support
• Secure request signing
• Encrypted certificate management
• Support for all major HTTP methods

NetSuite developers can now build highly secure, compliant, and reliable integrations without workarounds or external servers.