Creating Self Signed CA Signing Certificate with NSS - dogtagpki/pki GitHub Wiki
This page describes several procedures for generating a self-signed CA signing certificate with NSS: either issue the certificate directly with certutil -S, or generate a CSR first and then self-sign it with certutil -C.
This page assumes an NSS database has been created as follows:
$ echo Secret.123 > password.txt
$ openssl rand -out noise.bin 2048
$ mkdir nssdb
$ certutil -N -d nssdb -f password.txt
To issue the self-signed certificate directly (without a CSR), run the following commands:
$ openssl rand -out noise.bin 2048
$ CA_SKID="0x`openssl rand -hex 20`"
$ OCSP="http://$HOSTNAME:8080/ca/ocsp"
$ echo -e "y\n\ny\ny\n${CA_SKID}\n\n\n\n${CA_SKID}\n\n2\n7\n${OCSP}\n\n\n\n" | \
certutil -S \
-x \
-d nssdb \
-f password.txt \
-z noise.bin \
-n ca_signing \
-s "CN=Certificate Authority,O=EXAMPLE" \
-t "CT,C,C" \
-m $RANDOM \
-k rsa \
-g 2048 \
-Z SHA256 \
-2 \
-3 \
--keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation \
--extAIA \
--extSKID
$ certutil -L -d nssdb -n ca_signing -a > ca_signing.crt
This exports the certificate in PEM format (-a) to ca_signing.crt.
Alternatively, generate a CSR first with the following commands:
$ openssl rand -out noise.bin 2048
$ echo -e "y\n\ny\n" | \
certutil -R \
-d nssdb \
-f password.txt \
-z noise.bin \
-s "CN=Certificate Authority,O=EXAMPLE" \
-o ca_signing.csr.der \
-k rsa \
-g 2048 \
-Z SHA256 \
-2 \
--keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation
$ openssl req -inform der -in ca_signing.csr.der -out ca_signing.csr
This converts the DER request into PEM format in ca_signing.csr.
Then self-sign the CSR with the key in the database (-x) and import the resulting certificate with the following commands:
$ CA_SKID="0x`openssl rand -hex 20`"
$ OCSP="http://$HOSTNAME:8080/ca/ocsp"
$ echo -e "y\n\ny\ny\n${CA_SKID}\n\n\n\n${CA_SKID}\n\n2\n7\n${OCSP}\n\n\n\n" | \
certutil -C \
-x \
-d nssdb \
-f password.txt \
-m $RANDOM \
-a \
-i ca_signing.csr \
-o ca_signing.crt \
-2 \
-3 \
--keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation \
--extAIA \
--extSKID
$ certutil -A -d nssdb -n "Certificate Authority" -i ca_signing.crt -t "CT,C,C"
This generates the CA signing certificate in ca_signing.crt and imports it into the NSS database with CA trust flags ("CT,C,C").
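Whichever of the procedures above produced ca_signing.crt, it is worth confirming that the file really carries the properties the commands were meant to set (critical CA:TRUE basic constraints, critical key usage with keyCertSign and cRLSign, a subject key identifier, an OCSP AIA entry, and a valid self-signature) before the certificate is trusted anywhere with "CT,C,C". The following script is an added example and is not part of the dogtagpki wiki page or the PKI project; it assumes OpenSSL is installed and that the certificate is in PEM form, as written by the -a option of certutil above. The function and variable names are mine.

```shell
#!/bin/sh
# Added example, not part of the dogtagpki wiki page: verify that a
# certificate produced by any of the procedures above really has the
# properties of a CA signing certificate before it is trusted with "CT,C,C".
# Assumptions (mine, not the page's): OpenSSL is installed and the file is
# PEM, as written by "certutil -L ... -a" or "certutil -C ... -a".

# Print the line that follows the first line matching the pattern on stdin.
line_after() {
    awk -v pat="$1" 'found { print; exit } $0 ~ pat { found = 1 }'
}

# Return 0 if the certificate in $1 can serve as a CA signing certificate,
# 1 otherwise. Each missing property is reported on stderr.
check_ca_cert() {
    cert="$1"
    cert_text=$(openssl x509 -in "$cert" -noout -text) || return 1
    fail=0

    # Self-signed: issuer and subject names must be identical.
    subject=$(openssl x509 -in "$cert" -noout -subject)
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    if [ "${subject#subject=}" != "${issuer#issuer=}" ]; then
        echo "issuer differs from subject: not self-signed" >&2; fail=1
    fi

    # Basic Constraints (certutil -2): must be critical and CA:TRUE.
    bc=$(printf '%s\n' "$cert_text" | line_after 'X509v3 Basic Constraints: critical')
    case "$bc" in
        *CA:TRUE*) ;;
        *) echo "basicConstraints must be critical with CA:TRUE" >&2; fail=1 ;;
    esac

    # Key Usage (--keyUsage): critical, with certSigning and crlSigning.
    ku=$(printf '%s\n' "$cert_text" | line_after 'X509v3 Key Usage: critical')
    case "$ku" in
        *"Certificate Sign"*"CRL Sign"*) ;;
        *) echo "keyUsage must be critical and include keyCertSign and cRLSign" >&2; fail=1 ;;
    esac

    # Subject Key Identifier (--extSKID): issued certs chain to the CA by key ID.
    if ! printf '%s\n' "$cert_text" | grep -q 'X509v3 Subject Key Identifier'; then
        echo "subjectKeyIdentifier extension missing" >&2; fail=1
    fi

    # Authority Information Access (--extAIA): an OCSP responder URI.
    if ! printf '%s\n' "$cert_text" | grep -q 'OCSP - URI:'; then
        echo "authorityInfoAccess has no OCSP URI" >&2; fail=1
    fi

    # The self-signature must verify with the certificate as its own trust anchor.
    if ! openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1; then
        echo "self-signature does not verify" >&2; fail=1
    fi

    return "$fail"
}

# Usage: sh check_ca_cert.sh ca_signing.crt
if [ "$#" -gt 0 ]; then
    check_ca_cert "$1" && echo "$1: usable as a CA signing certificate"
fi
```

The checks map one-to-one onto the certutil options used above (-2, --keyUsage, --extSKID, --extAIA, -x), so a missing answer in the piped prompt string shows up as a named failure rather than as a certificate that silently lacks an extension. The script reads only the PEM file, so it can also be run against a certificate received from someone else before it is imported with certutil -A.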