Generating SSL Server CSR with PKI CLI

Generating CSR

To create a certificate request, prepare a certificate extension configuration (e.g. sslserver.conf):

basicConstraints       = critical, CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
certificatePolicies    = 2.23.140.1.2.1, @cps_policy

cps_policy.id          = 1.3.6.1.4.1.44947.1.1.1
cps_policy.CPS.1       = http://cps.example.com

Then execute the following command:

$ pki nss-cert-request \
    --subject "CN=$HOSTNAME" \
    --ext sslserver.conf \
    --csr sslserver.csr

Availability: PKI 10.9

See Also

• Generating System Certificates

• Generating SSL Server Certificate

• Issuing SSL Server Certificate with PKI CLI

• PKI NSS CLI