Generating KRA Transport CSR with NSS - dogtagpki/pki GitHub Wiki
$ certutil -R \
    -d nssdb \
    -f password.txt \
    -z noise.bin \
    -s "CN=DRM Transport Certificate,OU=pki-tomcat,O=EXAMPLE" \
    -o kra_transport.csr.der \
    -k rsa \
    -g 2048 \
    -Z SHA256 \
    --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \
    --extKeyUsage clientAuth

$ openssl req -inform der -in kra_transport.csr.der -out kra_transport.csr

If the CSR is missing, it can be restored from the existing certificate and key with the following commands:

$ certutil -R \
    -d nssdb \
    -f password.txt \
    -z noise.bin \
    -s "CN=DRM Transport Certificate,OU=pki-tomcat,O=EXAMPLE" \
    -o kra_transport.csr.der \
    -k "kra_transport" \
    -g 2048 \
    -Z SHA256 \
    --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \
    --extKeyUsage clientAuth

$ openssl req -inform der -in kra_transport.csr.der -out kra_transport.csr

$ openssl req -text -noout -in kra_transport.csr
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = EXAMPLE, OU = pki-tomcat, CN = DRM Transport Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    (hex omitted)
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
    Signature Algorithm: sha256WithRSAEncryption
         (hex omitted)
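
The fields in the `openssl req -text` output can be checked mechanically against what the `certutil -R` options requested. The script below is an added example, not part of the Dogtag wiki or the PKI code base; the function names and `EXPECT_*` variables are assumptions made for the example, and the expected values are the ones shown on this page.

```shell
#!/bin/sh
# Added example (not Dogtag code): check an `openssl req -text -noout` dump
# against the CSR profile requested by the certutil command on this page.
# Function names and EXPECT_* variables are assumptions made for the example.
EXPECT_SUBJECT='O=EXAMPLE, OU=pki-tomcat, CN=DRM Transport Certificate'
EXPECT_KU='Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment'
EXPECT_EKU='TLS Web Client Authentication'

# Print the trimmed line that follows the first line containing $1 in file $2.
line_after() {
    awk -v pat="$1" 'hit { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, ""); print; exit }
                     index($0, pat) { hit = 1 }' "$2"
}

# Read the text dump on stdin; print one line per mismatch, return 1 on any.
check_csr_text() {
    tmp=$(mktemp) || return 2
    cat > "$tmp"
    rc=0
    # OpenSSL 1.1.1 prints "O = EXAMPLE", OpenSSL 3 prints "O=EXAMPLE".
    subject=$(sed -n 's/^ *Subject: *//p' "$tmp" | sed 's/ *= */=/g')
    [ "$subject" = "$EXPECT_SUBJECT" ] || { echo "subject: $subject"; rc=1; }
    grep -q 'Public-Key: (2048 bit)' "$tmp" || { echo "key is not 2048-bit"; rc=1; }
    grep -q 'Signature Algorithm: sha256WithRSAEncryption' "$tmp" ||
        { echo "signature is not sha256WithRSAEncryption"; rc=1; }
    # Key usage must be present and critical, with exactly the requested bits.
    ku=$(line_after 'X509v3 Key Usage: critical' "$tmp")
    [ "$ku" = "$EXPECT_KU" ] || { echo "key usage: ${ku:-missing or not critical}"; rc=1; }
    eku=$(line_after 'X509v3 Extended Key Usage:' "$tmp")
    [ "$eku" = "$EXPECT_EKU" ] || { echo "extended key usage: ${eku:-missing}"; rc=1; }
    rm -f "$tmp"
    return $rc
}

# Verify the CSR self-signature, then check the profile. $1 is a PEM CSR path.
check_csr_file() {
    openssl req -verify -noout -in "$1" >/dev/null 2>&1 ||
        { echo "self-signature does not verify"; return 1; }
    openssl req -text -noout -in "$1" | check_csr_text
}

# When run with a path argument, check that file.
if [ "$#" -ge 1 ]; then check_csr_file "$1"; fi
```

A CSR restored from the existing key with the second `certutil -R` command above uses the same options, so it should pass the same check.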