-
Notifications
You must be signed in to change notification settings - Fork 139
Generating SSL Server CSR with PKI NSS
Endi S. Dewata edited this page Sep 29, 2023
·
6 revisions
To create a CSR with extensions, prepare the CSR extension configuration file (e.g. /usr/share/pki/server/certs/sslserver.conf):
basicConstraints = critical, CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always authorityInfoAccess = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth, clientAuth certificatePolicies = 2.23.140.1.2.1, @cps_policy cps_policy.id = 1.3.6.1.4.1.44947.1.1.1 cps_policy.CPS.1 = http://cps.example.com
$ pki nss-cert-request \ --subject "CN=server.example.com" \ --ext /usr/share/pki/server/certs/sslserver.conf \ --csr sslserver.csr
Availability: PKI 10.9
Prior to PKI 11.5 the SAN extension needs to be specified in the CSR extension configuration file. Since PKI 11.5 the SAN extension can be specified as a CLI parameter:
$ pki nss-cert-request \ --subject "CN=server.example.com" \ --ext /usr/share/pki/server/certs/sslserver.conf \ --subjectAltName "critical, DNS:www.example.com" \ --csr sslserver.csr
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |