
Generating SSL Server CSR with PKI NSS

Endi S. Dewata edited this page Sep 29, 2023 · 6 revisions

Configuring CSR Extensions

To create a CSR with extensions, prepare the CSR extension configuration file (e.g. /usr/share/pki/server/certs/sslserver.conf):

basicConstraints       = critical, CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth

certificatePolicies    = 2.23.140.1.2.1, @cps_policy
cps_policy.id          = 1.3.6.1.4.1.44947.1.1.1
cps_policy.CPS.1       = http://cps.example.com

Generating CSR

$ pki nss-cert-request \
    --subject "CN=server.example.com" \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --csr sslserver.csr

Availability: PKI 10.9

Generating CSR with SAN Extension

Prior to PKI 11.5, the SAN extension must be specified in the CSR extension configuration file. Since PKI 11.5, the SAN extension can be specified as a CLI parameter:

$ pki nss-cert-request \
    --subject "CN=server.example.com" \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --subjectAltName "critical, DNS:www.example.com" \
    --csr sslserver.csr
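
Before submitting the CSR to a CA, it is worth confirming that the requested extensions actually made it into the request and that the SAN lists the exact name clients will connect to, since TLS clients match the hostname against SAN entries. The following is an added example, not part of the PKI project: the function names and the sample dump are constructed here, and it assumes the CSR is dumped with the openssl CLI.

```shell
# Added example: audit the text dump of a CSR. Typical use (assumes openssl CLI):
#   openssl req -in sslserver.csr -noout -text | check_csr_text www.example.com

# Print the value lines indented under one "X509v3 <name>:" header in $CSR_TEXT.
ext_value() {
    printf '%s\n' "$CSR_TEXT" | awk -v name="X509v3 $1:" '
        { match($0, /^ */); ind = RLENGTH }
        grab && ind <= hdr { grab = 0 }
        index($0, name) { grab = 1; hdr = ind; next }
        grab { sub(/^ +/, ""); print }'
}

# $1 = DNS name clients connect to; CSR text on stdin. Returns 0 only if all
# checks pass. Wildcard SAN entries are not expanded.
check_csr_text() {
    CSR_TEXT=$(cat); host=$1; rc=0
    need() {  # $1 = extension name, $2 = substring its value must contain
        case "$(ext_value "$1")" in
            *"$2"*) echo "ok:   $1: $2" ;;
            *)      echo "FAIL: $1 lacks $2"; rc=1 ;;
        esac
    }
    need "Basic Constraints" "CA:FALSE"
    need "Key Usage" "Digital Signature"
    need "Key Usage" "Key Encipherment"
    need "Extended Key Usage" "TLS Web Server Authentication"
    # Exact match per entry, so DNS:www.example.com.other.test does not pass.
    if ext_value "Subject Alternative Name" | tr ',' '\n' | sed 's/^ *//' |
            grep -qxF "DNS:$host"; then
        echo "ok:   SAN covers $host"
    else
        echo "FAIL: SAN does not cover $host"; rc=1
    fi
    return "$rc"
}
# Constructed sample dump matching the extensions configured on this page.
sample_csr_text() {
    cat <<'EOF'
            Requested Extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Subject Alternative Name: critical
                    DNS:www.example.com
EOF
}
sample_csr_text | check_csr_text www.example.com
```

Run against the sample with `server.example.com` instead, the check fails: that name appears only in the subject CN, not in the SAN.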

See Also
