Skip to content

PKI NSS Certificate CLI

Jump to bottom
Endi S. Dewata edited this page Nov 12, 2021 · 13 revisions

Overview

The pki nss-cert commands can be used to manage certificates in an NSS database.

Certificate extensions

PKI NSS CLI can be used to create certificates and certificate requests with extensions. The extensions can be defined in a file (e.g. /usr/share/pki/server/certs/sslserver.conf):

basicConstraints       = critical, CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
certificatePolicies    = 2.23.140.1.2.1, @cps_policy

cps_policy.id          = 1.3.6.1.4.1.44947.1.1.1
cps_policy.CPS.1       = http://cps.example.com

The format is similar to OpenSSL x509v3_config.

Listing Certificates in NSS Database

To list certificates in an NSS database:

$ pki nss-cert-find

Availability: Since PKI 11.1.

Creating Certificate Request in NSS Database

Issuing Certificate using NSS Database

To issue a self-signed certificate:

$ pki nss-cert-issue \
    --csr sslserver.csr \
    --ext sslserver.conf \
    --cert sslserver.crt

To issue a certificate signed by another certificate:

$ pki nss-cert-issue \
    --issuer ca_signing \
    --csr sslserver.csr \
    --ext sslserver.conf \
    --cert sslserver.crt

Availability: Since PKI 10.9.

Importing Certificate into NSS Database

$ pki nss-cert-import [nickname] \
    --cert <filename> \
    --trust <attributes>

Availability: Since PKI 10.9.

Tip
 To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis.
Clone this wiki locally