Skip to content

Generating SSL Server CSR with PKI NSS

Jump to bottom
Endi S. Dewata edited this page Sep 29, 2023 · 6 revisions

Configuring CSR Extensions

To create a CSR with extensions, prepare the CSR extension configuration file (e.g. /usr/share/pki/server/certs/sslserver.conf):

basicConstraints       = critical, CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth

certificatePolicies    = 2.23.140.1.2.1, @cps_policy
cps_policy.id          = 1.3.6.1.4.1.44947.1.1.1
cps_policy.CPS.1       = http://cps.example.com

Generating CSR

$ pki nss-cert-request \
    --subject "CN=server.example.com" \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --csr sslserver.csr

Availability: PKI 10.9

Generating CSR with SAN Extension

Prior to PKI 11.5 the SAN extension needs to be specified in the CSR extension configuration file. Since PKI 11.5 the SAN extension can be specified as a CLI parameter:

$ pki nss-cert-request \
    --subject "CN=server.example.com" \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --subjectAltName "critical, DNS:www.example.com" \
    --csr sslserver.csr

See Also

Tip
 To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis.
Clone this wiki locally