When setting up the integration between Acumatica and Amazon using the native connector, you are required to create an encryption certificate on the SM200530 screen. This certificate is used to encrypt customer data fetched from Amazon. I could not find clear instructions on how to do it, especially if you're a macOS or Linux user.
1 Generate a private key
This creates a 2048-bit RSA private key. Keep this file secure -- it's the foundation of your certificate.
Open the Terminal app on your Mac or Linux machine, navigate to the folder where you would like to save the certificate files, and run the following command:
openssl genrsa -out key.pem 2048
The output file key.pem is your private key. Never share this.
2 Create a certificate signing request (CSR)
This command generates a CSR based on your private key. OpenSSL will prompt you for several fields that identify your certificate. You can press Enter to skip any optional field.
openssl req -new -sha256 -key key.pem -out csr.csr
You will be asked to fill in the following fields:
| Prompt | What to enter |
|---|---|
| Country Name (2 letter code) | Your 2-letter ISO country code, e.g. US, GB, AU |
| State or Province Name | Full state or province name, e.g. California |
| Locality Name | City or town, e.g. San Francisco |
| Organization Name | Your company or organization name, e.g. Acme Corp |
| Organizational Unit Name | Department or team -- optional, press Enter to skip |
| Common Name (CN) | Optional -- press Enter to skip |
| Email Address | Optional -- press Enter to skip |
| A challenge password | This is a passphrase added to the CSR itself (not the same as the .pfx export password in step 4). Enter a password and press Enter. |
| An optional company name | Optional -- press Enter to skip |
3 Generate the self-signed certificate
This creates the actual certificate, signed with your own private key. The -days flag controls validity duration -- adjust as needed (I usually use 3650, which is 10 years).
openssl req -x509 -sha256 -days 3650 -key key.pem -in csr.csr -out certificate.pem
Common values: 365 = 1 year, 730 = 2 years, 1825 = 5 years. Browsers enforce a ~398-day cap for publicly-trusted TLS certs, but for internal Acumatica use, longer durations are fine.
4 Export as .pfx certificate
This bundles your private key and certificate into a single .pfx (PKCS#12) file -- the format required by Acumatica and most Windows-based services.
openssl pkcs12 -export -inkey key.pem -in certificate.pem -out certificate.pfx
You will be prompted to set an export password. This password protects the .pfx file and will be required when importing it into Acumatica (or any other service for that matter). Choose a strong password and store it somewhere safe.
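This is the file you'll upload to Acumatica on the Encryption Certificates screen. Hold onto key.pem and certificate.pem in case you need to regenerate or re-export later. The key.pem created in step 1 is not password-protected, so keep it somewhere only you can read.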
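Steps 1 to 4 as one unattended script, followed by a check that certificate.pfx opens with the export password and contains the certificate that belongs to key.pem. This is an added example, not part of the original article. The -subj values, the PFX_PASS environment variable, the sample password and the two function names are assumptions chosen so that it runs without prompts.

```shell
#!/bin/sh
# Added example: subject and password are constructed sample values.
PFX_PASS=${PFX_PASS:-constructed-sample-only}; export PFX_PASS

build_pfx() {   # $1 = output directory
    ( cd "$1" && umask 077 &&   # files created below are owner-only
      openssl genrsa -out key.pem 2048 2>/dev/null &&
      openssl req -new -sha256 -key key.pem -out csr.csr \
          -subj "/C=US/ST=California/L=San Francisco/O=Acme Corp" &&
      openssl req -x509 -sha256 -days 3650 -key key.pem \
          -in csr.csr -out certificate.pem &&
      openssl pkcs12 -export -inkey key.pem -in certificate.pem \
          -out certificate.pfx -passout env:PFX_PASS )
}

verify_pfx() {  # $1 = directory; prints "ok" if every check passes
    ( cd "$1" || exit 1
      # Public key derived from the private key on disk.
      want=$(openssl pkey -in key.pem -pubout) || exit 1
      # Public key of the certificate stored inside the .pfx; this also
      # proves the export password opens the bundle.
      got=$(openssl pkcs12 -in certificate.pfx -passin env:PFX_PASS \
                -nokeys -clcerts 2>/dev/null |
            openssl x509 -noout -pubkey 2>/dev/null) || exit 1
      [ "$want" = "$got" ] || exit 1
      # Fail if the certificate has already expired.
      openssl x509 -in certificate.pem -noout -checkend 0 >/dev/null || exit 1
      echo ok )
}

workdir=$(mktemp -d)
build_pfx "$workdir" && verify_pfx "$workdir"
rm -rf "$workdir"
```

Passing the password through env:PFX_PASS keeps it out of the process list and shell history, which a password typed on the command line would not.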