Adding System Certificate Request Extensions - dogtagpki/pki GitHub Wiki

Overview

CSR extensions can be added into any system certificate’s CSR during installation (see Two-Step Installation). The extensions cannot be added after installation.

Configuration

To add CSR extensions, edd the following parameters into /var/lib/pki-tomcat/<subsystem>/conf/CS.cfg:

preop.cert.<tag>.ext.oid=<OID>
preop.cert.<tag>.ext.data=<hex-encoded data>
preop.cert.<tag>.ext.critical=<true|false>

The <tag> is the ID of the system certificate whose CSR will contain the specified extension. The valid certificate IDs are listed in <subsystem>.cert.list in CS.cfg which are different for each subsystem. For CA the valid certificate IDs are signing, ocsp_signing, sslserver, subsystem, audit_signing. Currently only one extension can be added to each CSR (in addition to the default ones).

See Also

⚠️ **GitHub.com Fallback** ⚠️