Issuing Certificate with PKI NSS

Endi S. Dewata edited this page Jun 21, 2022 · 4 revisions

Overview

The pki nss-cert-issue command can be used to issue a certificate. The certificate extensions can be defined in a file (e.g. /usr/share/pki/server/certs/sslserver.conf):

basicConstraints       = critical, CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth

certificatePolicies    = 2.23.140.1.2.1, @cps_policy
cps_policy.id          = 1.3.6.1.4.1.44947.1.1.1
cps_policy.CPS.1       = http://cps.example.com
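
A check that can be run on such an extension file before it is passed to --ext, given here as an added example that is not part of the original page or of Dogtag PKI. The parsing rules (a leading critical flag, comma-separated values, @section references resolved from section.key lines) are inferred from the sample above, and the function names parse_ext and lint_leaf and the lint rules are assumptions that mirror that sample as a leaf-certificate policy.

```python
# Added example, not Dogtag PKI code: syntax inferred from the page's sample; lint rules are illustrative.
SAMPLE = """\
basicConstraints       = critical, CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
certificatePolicies    = 2.23.140.1.2.1, @cps_policy
cps_policy.id          = 1.3.6.1.4.1.44947.1.1.1
cps_policy.CPS.1       = http://cps.example.com
"""

def parse_ext(text):
    """Return {extension: {"critical": bool, "values": [...]}} with @refs resolved."""
    exts, sections = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = (p.strip() for p in line.partition("="))
        if "." in name:  # section entry such as cps_policy.CPS.1
            section, key = name.split(".", 1)
            sections.setdefault(section, {})[key] = value
            continue
        values = [v.strip() for v in value.split(",") if v.strip()]
        critical = values[:1] == ["critical"]
        exts[name] = {"critical": critical, "values": values[1:] if critical else values}
    for ext in exts.values():  # swap "@name" for its section; keep the token if undefined
        ext["values"] = [sections.get(v[1:], v) if v.startswith("@") else v for v in ext["values"]]
    return exts

def lint_leaf(exts):
    """Findings for a TLS server (leaf) profile; an empty list means nothing was flagged."""
    findings = []
    vals = lambda n: exts.get(n, {}).get("values", [])
    if "CA:FALSE" not in vals("basicConstraints"):
        findings.append("basicConstraints does not state CA:FALSE")
    for name in ("basicConstraints", "keyUsage"):
        if name in exts and not exts[name]["critical"]:
            findings.append(f"{name} is not marked critical")
    for usage in ("keyCertSign", "cRLSign"):
        if usage in vals("keyUsage"):
            findings.append(f"keyUsage grants CA-only bit {usage}")
    if "serverAuth" not in vals("extendedKeyUsage"):
        findings.append("extendedKeyUsage lacks serverAuth")
    for name, ext in exts.items():
        findings += [f"{name}: undefined section {v}" for v in ext["values"]
                     if isinstance(v, str) and v.startswith("@")]
    return findings
```

Calling lint_leaf(parse_ext(open("sslserver.conf").read())) returns an empty list for the sample above; an extension named by a dotted OID would need separate handling, since this sketch treats any dotted name as a section entry.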

Issuing Self-Signed Certificate

To issue a self-signed certificate:

$ pki nss-cert-issue \
    --csr sslserver.csr \
    --ext sslserver.conf \
    --cert sslserver.crt

The certificate will be stored in sslserver.crt.

Availability: Since PKI 10.9.

Issuing CA-Signed Certificate

To issue a certificate signed by a CA certificate:

$ pki nss-cert-issue \
    --issuer ca_signing \
    --csr sslserver.csr \
    --ext sslserver.conf \
    --cert sslserver.crt

The certificate will be stored in sslserver.crt.

Availability: Since PKI 10.9.