
Generating OCSP Signing CSR with NSS

Endi S. Dewata edited this page Oct 28, 2020 · 2 revisions

Generating CSR

$ certutil -R \
   -d nssdb \
   -f password.txt \
   -z noise.bin \
   -s "CN=OCSP Signing Certificate,OU=pki-tomcat,O=EXAMPLE" \
   -o ocsp_signing.csr.der \
   -k rsa \
   -g 2048 \
   -Z SHA256

If necessary, extensions can be added as follows:

$ certutil -R \
   ... \
   --extKeyUsage ocspResponder \
   --extGeneric 1.3.6.1.5.5.7.48.1.5:not-critical:/dev/null

Convert the CSR to PEM as follows:

$ openssl req -inform der -in ocsp_signing.csr.der -out ocsp_signing.csr

Restoring CSR

If the CSR is missing, it can be restored from the existing certificate and key with the following commands:

$ certutil -R \
   -d nssdb \
   -f password.txt \
   -z noise.bin \
   -s "CN=OCSP Signing Certificate,OU=pki-tomcat,O=EXAMPLE" \
   -o ocsp_signing.csr.der \
   -k "ocsp_signing" \
   -g 2048 \
   -Z SHA256

If necessary, extensions can be added as follows:

$ certutil -R \
   ... \
   --extKeyUsage ocspResponder \
   --extGeneric 1.3.6.1.5.5.7.48.1.5:not-critical:/dev/null

Convert the CSR to PEM as follows:

$ openssl req -inform der -in ocsp_signing.csr.der -out ocsp_signing.csr

Verification

$ openssl req -text -noout -in ocsp_signing.csr
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = EXAMPLE, OU = pki-tomcat, CN = OCSP Signing Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b2:96:ca:c7:58:98:db:1d:ce:62:bb:7c:19:f9:
                    ff:40:77:f4:bd:96:9b:83:0b:62:b9:1d:68:8c:9d:
                    da:59:e4:ff:a8:c4:99:e5:da:72:8d:f8:6e:e3:e9:
                    09:88:97:47:f7:f9:70:06:b5:a5:f1:eb:d0:a0:f1:
                    29:8b:3e:8f:09:82:9b:54:f8:ae:5b:17:e1:c4:e2:
                    92:4e:4c:21:88:9b:2e:f7:4f:5e:3b:26:ac:d8:87:
                    b7:02:05:fa:68:41:d8:5e:0d:64:a9:a5:9d:50:6f:
                    1f:7b:20:ae:10:24:69:84:7a:17:39:82:e8:1e:83:
                    85:4e:11:1f:1b:c4:8e:11:b8:3e:89:87:fc:f5:50:
                    95:f5:6b:25:40:81:42:ac:af:0d:72:1d:7b:e4:51:
                    c7:4e:72:2d:3a:ec:a1:d3:79:3a:41:7b:8f:e2:4f:
                    d6:60:9f:da:30:97:f5:b2:38:9f:9e:5c:76:3d:ff:
                    b1:6f:54:ea:46:75:11:4e:10:4d:f2:8c:e4:00:4e:
                    73:9c:1a:f9:9c:cd:08:d0:73:0a:06:a3:48:92:39:
                    f6:cc:55:ec:60:fd:a4:b8:4a:90:1b:36:b3:b9:0d:
                    83:1a:57:72:eb:f7:f1:9c:95:e6:d6:e8:9e:88:44:
                    0c:e2:65:26:ac:af:46:41:9a:b6:fb:ad:be:3e:40:
                    ce:b9
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         05:e1:15:f1:9c:4d:29:1f:d2:1b:d2:45:45:fb:13:d9:ed:c0:
         b2:31:5a:23:be:e9:cc:da:ea:00:23:5f:ae:69:aa:32:d8:d8:
         a1:53:c9:b5:d7:68:1c:70:eb:db:a8:e9:37:cb:dd:8e:75:ad:
         6c:3d:ae:4f:2a:e8:4f:3b:0a:81:06:8d:6a:64:bc:67:04:b2:
         fe:cf:6d:67:c9:38:d8:46:bf:e9:4a:ed:c3:b8:ca:ca:54:f9:
         0d:2a:6a:92:21:fb:e7:f3:61:9a:3e:54:eb:22:82:05:57:e6:
         60:76:78:35:f5:3a:70:c5:25:e1:d7:fe:f9:70:2b:78:12:78:
         b5:f0:d0:c4:84:89:ea:a3:31:ea:50:a8:c2:9c:89:c6:ed:be:
         e6:8e:4f:6c:14:df:5d:ff:2a:c8:e4:54:db:b0:9f:8c:90:89:
         81:3f:b8:c5:ef:c0:6f:df:28:6b:52:e2:2d:90:a0:3e:1a:2b:
         73:03:d8:b9:3c:a7:de:02:52:f3:af:09:d0:b4:b1:28:4a:88:
         0c:9e:8d:3b:67:88:ae:76:a0:88:78:b4:9b:05:5e:38:86:55:
         b3:da:b1:18:e5:2c:9c:ef:c3:f5:e5:1e:ab:fa:ff:c9:b8:c0:
         b4:5f:75:40:15:86:72:16:52:5d:5a:a4:a3:5f:55:85:71:1e:
         8b:20:a0:63
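The extension flags shown above (`--extKeyUsage ocspResponder` and the `--extGeneric` entry for OID 1.3.6.1.5.5.7.48.1.5, id-pkix-ocsp-nocheck) end up in the CSR's pkcs-9 extensionRequest attribute. The following is an added example, not part of this wiki page or the Dogtag code, that decodes that DER structure with only the Python standard library and reports whether both OCSP responder extensions are present; `EXT_HEX` is a constructed sample of the Extensions those two flags request, and the OID constants are the standard values from RFC 2986, RFC 5280 and RFC 6960.

```python
# Added example (not from the Dogtag wiki): decode the X.509 Extensions that
# `--extKeyUsage ocspResponder --extGeneric 1.3.6.1.5.5.7.48.1.5:...` request.
OID_EXT_REQ, OID_EKU = "1.2.840.113549.1.9.14", "2.5.29.37"
OID_OCSP_SIGNING, OID_OCSP_NOCHECK = "1.3.6.1.5.5.7.3.9", "1.3.6.1.5.5.7.48.1.5"
# Constructed Extensions DER for those two flags (nocheck value empty, as /dev/null gives):
EXT_HEX = "302430130603551d25040c300a06082b06010505070309300d06092b06010505073001050400"

def parse_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER element at buf[pos]; long-form lengths ok."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits give the count of length octets
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def items(body, pos=0):  # yield (tag, value, raw_tlv) for each element of a constructed type
    while pos < len(body):
        tag, val, end = parse_tlv(body, pos)
        yield tag, val, body[pos:end]
        pos = end

def decode_oid(body):  # OID content octets -> dotted string (base-128 arcs)
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def parse_extensions(der):  # -> {oid: (critical, extnValue)} from a DER Extensions SEQUENCE
    exts = {}
    for _, ext, _ in items(parse_tlv(der)[1]):
        f = list(items(ext))  # OID, optional BOOLEAN critical (DEFAULT FALSE), OCTET STRING
        exts[decode_oid(f[0][1])] = (len(f) == 3 and f[1][1] != b"\x00", f[-1][1])
    return exts

def check_ocsp_extensions(der):  # are both OCSP responder extensions present?
    exts = parse_extensions(der)
    eku = exts.get(OID_EKU, (False, b"\x30\x00"))[1]  # default: empty SEQUENCE
    purposes = [decode_oid(v) for _, v, _ in items(parse_tlv(eku)[1])]
    # RFC 6960 specifies NULL (05 00) as the value; the /dev/null form yields b"".
    return {"ocsp_signing_eku": OID_OCSP_SIGNING in purposes,
            "ocsp_nocheck": exts.get(OID_OCSP_NOCHECK, (0, None))[1] in (b"", b"\x05\x00")}

def extension_request(csr_der):  # Extensions TLV from a PKCS#10 CSR's extensionRequest, else None
    cri = next(items(parse_tlv(csr_der)[1]))[1]  # certificationRequestInfo
    for tag, attrs, _ in items(cri):
        if tag == 0xA0:  # attributes [0] IMPLICIT SET OF Attribute
            for _, attr, _ in items(attrs):
                attr_oid, values = [v for _, v, _ in items(attr)]
                if decode_oid(attr_oid) == OID_EXT_REQ:
                    return next(items(values))[2]
    return None
```

Feeding the contents of a real ocsp_signing.csr.der to `extension_request` and the result to `check_ocsp_extensions` confirms the request before it is submitted. For a CSR like the one in the verification output above, whose attribute set is empty (`a0:00`), `extension_request` returns None because no extensions were requested.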
