Generating Certificate Request with PKI NSS
Endi S. Dewata edited this page May 15, 2023 · 10 revisions
The pki nss-cert-request command can be used to generate a PKCS #10 request. The request extensions can be defined in a file (e.g. /usr/share/pki/server/certs/sslserver.conf).

basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
certificatePolicies = 2.23.140.1.2.1, @cps_policy
cps_policy.id = 1.3.6.1.4.1.44947.1.1.1
cps_policy.CPS.1 = http://cps.example.com

See also PKI NSS Certificate Extensions.
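
A pre-flight check for the extension file before it is passed to --ext, given here as an added example that is not part of the original page or of the PKI project. It assumes the "key = value" syntax inferred from the sample above and that "#" starts a comment; the function name lint_ext_conf, its three rules and the pki.test hosts are hypothetical.

```shell
#!/bin/sh
# lint_ext_conf FILE: check an extension file before handing it to --ext.
# Prints one finding per line; returns 0 when clean, 1 when there are findings.
# Assumptions: "key = value" lines as in the sample above, "#" starts a comment,
# and the three rules below are a local policy, not checks performed by pki.
lint_ext_conf() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        eq = index($0, "=")
        if (eq == 0) { print "line " NR ": not a key = value line"; bad++; next }
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        seen[key] = val
        # "cps_policy.id" defines section "cps_policy".
        dot = index(key, ".")
        if (dot > 1) section[substr(key, 1, dot - 1)] = 1
        # "@cps_policy" inside a value refers to that section.
        n = split(val, part, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++)
            if (substr(part[i], 1, 1) == "@") ref[substr(part[i], 2)] = key
        # Rule 1: template hosts must be replaced with real responder/issuer URLs.
        if (val ~ /example\.(com|org|net)/) { print key ": placeholder host in \"" val "\""; bad++ }
    }
    END {
        # Rule 2: every @reference needs at least one "<name>." entry.
        for (r in ref)
            if (!(r in section)) { print ref[r] ": @" r " has no " r ".* entries"; bad++ }
        # Rule 3: a server certificate request must not ask for CA rights.
        if (seen["basicConstraints"] !~ /CA:FALSE/) { print "basicConstraints: CA:FALSE missing"; bad++ }
        exit (bad > 0)
    }' "$1"
}

# Constructed input: the template with replaced hosts but the cps_policy lines dropped.
sample=$(mktemp)
cat > "$sample" <<'EOF'
basicConstraints = critical, CA:FALSE
authorityInfoAccess = OCSP;URI:http://ocsp.pki.test, caIssuers;URI:http://cert.pki.test
certificatePolicies = 2.23.140.1.2.1, @cps_policy
EOF
lint_ext_conf "$sample" || echo "fix the findings above before running pki nss-cert-request"
rm -f "$sample"
```

Run against the unmodified sample above, the check reports the example.com hosts in authorityInfoAccess and cps_policy.CPS.1.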
To create a basic certificate request:
$ pki nss-cert-request \
    --subject "CN=$HOSTNAME" \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --csr sslserver.csr

By default it will create a new RSA key. The request will be stored in sslserver.csr.
Availability: Since PKI 10.9.
To create a certificate request with a new EC key:
$ pki nss-cert-request \
    --key-type EC \
    --subject "CN=$HOSTNAME" \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --csr sslserver.csr

The request will be stored in sslserver.csr.
Availability: Since PKI 10.9.
To create a certificate request with an existing RSA/EC key:
$ pki nss-cert-request \
    --key-id <key ID> \
    --subject "CN=$HOSTNAME" \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --csr sslserver.csr

The request will be stored in sslserver.csr.
Availability: Since PKI 10.9.
To create a certificate request with SAN extension:
$ pki nss-cert-request \
    --subject "CN=$HOSTNAME" \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --subjectAltName "critical, DNS:www.example.com, DNS:pki.example.com" \
    --csr sslserver.csr

Availability: Since PKI 11.5.