Skip to content

Generating Certificate Request with PKI NSS

Jump to bottom
Endi S. Dewata edited this page Jun 21, 2022 · 10 revisions

Overview

The pki nss-cert-request command can be used to generate a PKCS #10 request. The request extensions can be defined in a file (e.g. /usr/share/pki/server/certs/sslserver.conf).

basicConstraints       = critical, CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth

certificatePolicies    = 2.23.140.1.2.1, @cps_policy
cps_policy.id          = 1.3.6.1.4.1.44947.1.1.1
cps_policy.CPS.1       = http://cps.example.com

Creating Certificate Request with RSA Key

To create a certificate request with a new RSA key:

$ pki nss-cert-request \
    --subject "CN=$HOSTNAME" \
    --ext sslserver.conf \
    --csr sslserver.csr

The request will be stored in sslserver.csr.

Availability: Since PKI 10.9.

Creating Certificate Request with EC Key

To create a certificate request with a new EC key:

$ pki nss-cert-request \
    --key-type EC \
    --subject "CN=$HOSTNAME" \
    --ext sslserver.conf \
    --csr sslserver.csr

The request will be stored in sslserver.csr.

Availability: Since PKI 10.9.

Creating Certificate Request with Existing Key

To create a certificate request with an existing RSA/EC key:

$ pki nss-cert-request \
    --key-id <key ID> \
    --subject "CN=$HOSTNAME" \
    --ext sslserver.conf \
    --csr sslserver.csr

The request will be stored in sslserver.csr.

Availability: Since PKI 10.9.

See Also

Tip
 To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis.
Clone this wiki locally