Generating CA Signing CSR with PKI NSS - dogtagpki/pki GitHub Wiki

Generating CSR

To create a certificate request, prepare a certificate extension configuration (e.g. /usr/share/pki/server/certs/ca_signing.conf):

basicConstraints       = critical, CA:TRUE
subjectKeyIdentifier   = hash
keyUsage               = critical, digitalSignature, keyCertSign, cRLSign

Then execute the following command:

$ pki nss-cert-request \
    --subject "CN=Certificate Authority" \
    --ext /usr/share/pki/server/certs/ca_signing.conf \
    --csr ca_signing.csr

The above command will create a new certificate request with a new key.

To create a certificate request with an existing key, execute the following command:

$ pki nss-cert-request \
    --key-id <key ID> \
    --subject "CN=Certificate Authority" \
    --ext /usr/share/pki/server/certs/ca_signing.conf \
    --csr ca_signing.csr

Availability: PKI 10.9

See Also

Tip
 To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis.
⚠️ **GitHub.com Fallback** ⚠️