Generating SSL Server CSR with NSS - dogtagpki/pki GitHub Wiki

Generating CSR

To generate a basic certificate request:

$ certutil -R \
   -d nssdb \
   -f password.txt \
   -z noise.bin \
   -k rsa \
   -g 2048 \
   -Z SHA256 \
   -s "CN=$HOSTNAME,O=EXAMPLE" \
   --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature \
   --extKeyUsage serverAuth \
   -o sslserver.csr.der
$ openssl req -inform der -in sslserver.csr.der -out sslserver.csr

To generate a certificate request with SAN:

$ certutil -R \
   -d nssdb \
   -f password.txt \
   -z noise.bin \
   -k rsa \
   -g 2048 \
   -Z SHA256 \
   -s "CN=pki.example.com,O=EXAMPLE" \
   --extSAN dns:www.example.com,dns:www.example.org \
   --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature \
   --extKeyUsage serverAuth \
   -o sslserver.csr.der
$ openssl req -inform der -in sslserver.csr.der -out sslserver.csr

Restoring CSR

If the CSR is missing, it can be restored from the existing certificate and key with the following commands:

$ certutil -R \
   -d nssdb \
   -f password.txt \
   -z noise.bin \
   -k "sslserver" \
   -g 2048 \
   -Z SHA256 \
   -s "CN=$HOSTNAME,O=EXAMPLE" \
   --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature \
   --extKeyUsage serverAuth \
   -o sslserver.csr.der
$ openssl req -inform der -in sslserver.csr.der -out sslserver.csr

Verification

$ openssl req -text -noout -in sslserver.csr
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = EXAMPLE, CN = pki.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b9:e6:10:a2:7f:bd:48:97:ad:14:89:b7:1a:9a:
                    fc:1e:c4:58:58:e5:07:36:b7:a8:8e:25:87:14:c2:
                    55:79:f2:41:12:2d:5b:d2:b2:c6:15:1e:ef:44:84:
                    25:56:bb:21:b2:42:82:2d:d6:9b:8d:d4:da:0d:30:
                    ea:f4:03:dc:b4:79:61:e5:85:2b:61:6a:af:7b:9d:
                    46:ec:dc:32:e4:cc:d3:85:16:7a:2c:70:63:88:64:
                    70:c4:d1:f5:73:d0:08:b5:e2:4c:e1:1b:2d:3b:d1:
                    44:c3:a1:59:44:4b:26:be:b1:bc:89:0d:fc:13:2c:
                    1a:a6:fd:60:74:ab:94:ee:4b:cd:d4:a5:f4:33:60:
                    de:a8:06:a8:81:f8:4c:90:d4:90:70:33:2e:c7:80:
                    20:5b:4c:e4:41:32:91:76:30:05:03:d6:f5:c1:81:
                    cb:8d:fb:83:3e:61:53:26:c3:80:2b:b7:82:50:4e:
                    60:98:46:d6:2c:15:32:d0:47:24:ad:f7:21:a5:fc:
                    94:55:85:e4:13:08:a0:9c:d1:e8:0f:f8:e1:6b:ee:
                    9f:39:45:4b:9e:0d:a3:c6:73:d4:18:47:80:15:98:
                    34:ec:1b:dd:c2:a9:eb:8d:05:69:61:93:4c:b5:e5:
                    16:53:28:77:89:ae:6a:f1:b1:26:e2:3d:93:86:80:
                    01:f7
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
    Signature Algorithm: sha256WithRSAEncryption
         7b:51:1d:07:91:8d:7e:6c:bf:aa:f1:0e:61:ae:a3:02:e4:cd:
         e5:c2:98:36:39:83:f5:b6:47:80:ed:12:56:3c:f3:ad:e6:a2:
         b5:01:26:85:75:4f:2a:7d:9e:b6:98:87:5d:54:64:49:72:c0:
         8d:8f:f2:fa:41:a4:bb:fe:74:15:58:d7:86:c2:49:da:43:8b:
         85:93:26:b0:e2:57:8f:63:6f:92:63:8d:0f:eb:b4:ba:11:97:
         37:e7:04:30:73:d0:1c:db:b1:45:2b:11:60:45:d7:b2:5e:b3:
         e2:61:43:7b:e6:2b:4d:d3:ea:b6:ee:a9:e7:0b:40:2d:f4:7d:
         20:de:e1:dd:14:4f:39:35:3c:02:2e:50:d1:23:46:5e:5e:5a:
         48:d6:95:2f:b6:1b:15:81:b5:90:c1:10:76:0c:50:09:33:88:
         a8:e7:6d:84:6f:c1:de:0f:a3:69:ec:19:db:be:c9:49:d9:30:
         e7:67:b5:9b:d3:86:2b:4d:e7:b3:00:fc:af:12:b4:86:3b:55:
         53:67:e0:36:1e:c8:bd:14:65:be:8f:56:3c:90:e4:48:8f:c3:
         19:29:73:13:b9:f9:7b:3b:73:e4:34:c4:0f:b5:88:b1:8c:c0:
         6b:2a:70:36:44:c0:b2:d5:2a:be:e2:92:50:42:78:0e:52:fc:
         7c:1b:d5:fd

See Also

⚠️ **GitHub.com Fallback** ⚠️