PKI NSS Certificate CLI
Endi S. Dewata edited this page Nov 12, 2021 · 13 revisions
The pki nss-cert commands can be used to manage certificates in an NSS database.
PKI NSS CLI can be used to create certificates and certificate requests with extensions. The extensions can be defined in a file (e.g. /usr/share/pki/server/certs/sslserver.conf):
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
certificatePolicies = 2.23.140.1.2.1, @cps_policy
cps_policy.id = 1.3.6.1.4.1.44947.1.1.1
cps_policy.CPS.1 = http://cps.example.com
The format is similar to OpenSSL x509v3_config.
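An extension file can be checked before it is passed to --ext. The following is an added example, not part of PKI or this wiki: it parses the flat name = value format shown above and flags settings that do not belong in a TLS server certificate. The function names and the policy they enforce are assumptions, and SAMPLE is the file from this page.

```python
# Added example. parse_ext_conf and lint_server_profile are hypothetical helpers;
# the checks encode an assumed policy for end-entity TLS server certificates.
SAMPLE = """\
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
certificatePolicies = 2.23.140.1.2.1, @cps_policy
cps_policy.id = 1.3.6.1.4.1.44947.1.1.1
cps_policy.CPS.1 = http://cps.example.com
"""

def parse_ext_conf(text):
    """Return {name: [values]} for every 'name = v1, v2' line; blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Split on the first '=' only, so values that contain '=' stay intact.
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a name = value line: {line!r}")
        conf[name.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return conf

def lint_server_profile(conf):
    """Return a list of findings; an empty list means the profile passed."""
    findings = []
    if "CA:FALSE" not in conf.get("basicConstraints", []):
        findings.append("basicConstraints: CA:FALSE not set")
    key_usage = conf.get("keyUsage", [])
    if "critical" not in key_usage:
        findings.append("keyUsage: not marked critical")
    for bit in ("keyCertSign", "cRLSign"):
        if bit in key_usage:
            findings.append(f"keyUsage: {bit} belongs on a CA certificate")
    if "serverAuth" not in conf.get("extendedKeyUsage", []):
        findings.append("extendedKeyUsage: serverAuth missing")
    # An @name value must be backed by at least one 'name.<field>' entry.
    for name, values in conf.items():
        for v in values:
            if v.startswith("@") and not any(k.startswith(v[1:] + ".") for k in conf):
                findings.append(f"{name}: section {v} is not defined")
    return findings

if __name__ == "__main__":
    print(lint_server_profile(parse_ext_conf(SAMPLE)) or "no findings")
```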
To list certificates in an NSS database:
$ pki nss-cert-find
Availability: Since PKI 11.1.
To issue a self-signed certificate:
$ pki nss-cert-issue \
    --csr sslserver.csr \
    --ext sslserver.conf \
    --cert sslserver.crt
To issue a certificate signed by another certificate:
$ pki nss-cert-issue \
    --issuer ca_signing \
    --csr sslserver.csr \
    --ext sslserver.conf \
    --cert sslserver.crt
Availability: Since PKI 10.9.
To import a certificate:
$ pki nss-cert-import [nickname] \
    --cert <filename> \
    --trust <attributes>
Availability: Since PKI 10.9.