
Issuing OCSP Signing Certificate with NSS

Endi S. Dewata edited this page Oct 28, 2020 · 2 revisions

Overview

This page describes the process to sign the OCSP signing CSR and issue the certificate using NSS.

This page assumes an NSS database has been created as follows:

$ echo Secret.123 > password.txt
$ openssl rand -out noise.bin 2048
$ mkdir nssdb
$ certutil -N -d nssdb -f password.txt

It also assumes a CA signing certificate is present in the NSS database under the nickname ca_signing, which is the nickname passed to certutil -c below.

Issuing OCSP Signing Certificate

Set CA_SKID to the subject key identifier of the CA signing certificate (certutil copies it into the Authority Key Identifier extension requested with -3) and OCSP to the URL of the OCSP responder (it becomes the OCSP access location in the Authority Information Access extension requested with --extAIA), then sign the CSR with the CA signing certificate:

$ CA_SKID=...
$ OCSP=...
$ echo -e "y\n\ny\ny\n${CA_SKID}\n\n\n\n2\n7\n${OCSP}\n\n\n\n" | \
   certutil -C \
   -d nssdb \
   -f password.txt \
   -m $RANDOM \
   -a \
   -i ocsp_signing.csr \
   -o ocsp_signing.crt \
   -c "ca_signing" \
   -3 \
   --extAIA \
   --extKeyUsage ocspResponder \
   --extGeneric 1.3.6.1.5.5.7.48.1.5:not-critical:/dev/null

The string piped into certutil answers the interactive prompts raised by -3 and --extAIA: the Authority Key Identifier is filled with ${CA_SKID}, and the AIA entry uses access method 2 (OCSP) with general name type 7 (URI) set to ${OCSP}. --extKeyUsage ocspResponder adds the OCSPSigning extended key usage, and --extGeneric adds an extension with OID 1.3.6.1.5.5.7.48.1.5 (id-pkix-ocsp-nocheck), its value read from /dev/null, which tells clients not to look up the revocation status of the responder certificate itself via OCSP. The command writes the OCSP signing certificate in ASCII (PEM) form, because of -a, to ocsp_signing.crt.

Note that -m sets the certificate serial number and $RANDOM only yields a 15-bit value, so two runs can produce the same serial. Serial numbers must be unique per issuer, so outside of a throwaway test setup pass -m a serial you track. Once the certificate is in the database (certutil -A imports it), inspect it with certutil -L to confirm that the OCSP responder extended key usage and the generic extension are present, and verify it for the OCSP responder usage with certutil -V -u O.
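As an added check that is not part of this page or of the Dogtag/NSS code, the following Python script (using the cryptography package) verifies that an OCSP signing certificate carries what the certutil command above is meant to set: an issuer signature from the CA, an AKID matching the CA's SKID, the OCSPSigning EKU, id-pkix-ocsp-nocheck, and an OCSP URI in AIA. The names generate_test_pair, check_ocsp_signing_cert and the OCSP_URL value are the example's own; generate_test_pair builds a throwaway CA and OCSP signing certificate in memory so the script runs without an NSS database, and check_ocsp_signing_cert can equally be run on ocsp_signing.crt and the CA certificate exported from nssdb in PEM form.

```python
"""Added example, not Dogtag or NSS code; requires the 'cryptography' package.
generate_test_pair() stands in for the NSS database so this runs offline; for a
real check, load ocsp_signing.crt and the CA cert with x509.load_pem_x509_certificate()."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import (AuthorityInformationAccessOID,
                                   ExtendedKeyUsageOID, NameOID)

OCSP_URL = "http://ocsp.example.com/ocsp"  # assumed stand-in for the page's ${OCSP}


def generate_test_pair(ocsp_url=OCSP_URL):
    """Build a self-signed CA and an OCSP signing cert carrying the extensions the
    page's certutil -C flags add: -3 (AKID from the CA's SKID), --extAIA (OCSP URI),
    --extKeyUsage ocspResponder and --extGeneric 1.3.6.1.5.5.7.48.1.5 (nocheck)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    later = now + datetime.timedelta(days=365)
    ca_key = rsa.generate_private_key(65537, 2048)
    ocsp_key = rsa.generate_private_key(65537, 2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "CA Signing Certificate")])
    ca_ski = x509.SubjectKeyIdentifier.from_public_key(ca_key.public_key())
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(ca_name).issuer_name(ca_name)
        .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(later)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(ca_ski, critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    ocsp_cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "OCSP Signing Certificate")]))
        .issuer_name(ca_name).public_key(ocsp_key.public_key())
        # unique 159-bit random serial, unlike the page's 15-bit $RANDOM
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(later)
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ca_ski), critical=False)
        .add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(ocsp_url))]), critical=False)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
        .add_extension(x509.OCSPNoCheck(), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return ca_cert, ocsp_cert


def check_ocsp_signing_cert(cert, ca_cert):
    """Return the list of problems found; an empty list means cert can act as a
    delegated OCSP responder for ca_cert (RFC 6960 section 4.2.2.2)."""
    problems = []
    # Must be issued by the CA whose revocation status it will report on.
    if cert.issuer != ca_cert.subject:
        problems.append("issuer does not match the CA subject")
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        problems.append("signature does not verify with the CA key")
    # AKID must carry the CA's SKID, which is what -3 with ${CA_SKID} sets.
    try:
        akid = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
        ski = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
        if akid.key_identifier != ski.digest:
            problems.append("AKID does not match the CA SKID")
    except x509.ExtensionNotFound:
        problems.append("AKID or CA SKID missing")
    # EKU must include id-kp-OCSPSigning (--extKeyUsage ocspResponder).
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
            problems.append("EKU lacks OCSPSigning")
    except x509.ExtensionNotFound:
        problems.append("EKU missing")
    # Without id-pkix-ocsp-nocheck a client would OCSP-check the responder cert itself.
    try:
        cert.extensions.get_extension_for_class(x509.OCSPNoCheck)
    except x509.ExtensionNotFound:
        problems.append("id-pkix-ocsp-nocheck missing")
    # AIA should point at an OCSP URI (--extAIA, access method 2, name type 7).
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
        if not any(d.access_method == AuthorityInformationAccessOID.OCSP and
                   isinstance(d.access_location, x509.UniformResourceIdentifier) for d in aia):
            problems.append("AIA has no OCSP URI")
    except x509.ExtensionNotFound:
        problems.append("AIA missing")
    return problems


if __name__ == "__main__":
    ca, ocsp = generate_test_pair()
    print("OCSP signing cert:", check_ocsp_signing_cert(ocsp, ca) or "OK")
    print("CA cert used as responder:", check_ocsp_signing_cert(ca, ca))
```

Running the script prints an empty problem list for the generated OCSP signing certificate and a list of missing extensions when the CA certificate itself is checked; the same function run against a certificate issued with the wrong CA reports the signature and AKID mismatches.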
