Issuing CA Signing Certificate with NSS - dogtagpki/pki GitHub Wiki

Overview

This page describes how to issue a CA signing certificate with NSS, given a CA signing CSR.

This page assumes an NSS database has been created as follows (the database password is stored in clear text in password.txt, so keep that file readable only by the CA operator):

$ echo Secret.123 > password.txt
$ openssl rand -out noise.bin 2048
$ mkdir nssdb
$ certutil -N -d nssdb -f password.txt

Issuing Self-signed CA Signing Certificate

If the CSR was generated in the same NSS database, it can be self-signed with the following commands. The string piped in through echo -e answers the interactive prompts that certutil raises for the -2 (basic constraints), -3 (authority key identifier), --extSKID and --extAIA extensions; because the certificate is self-signed, the same randomly generated key identifier is supplied for both the AKID and the SKID, and the AIA points at the OCSP responder URL in $OCSP.

$ CA_SKID="0x$(openssl rand -hex 20)"
$ OCSP="http://$HOSTNAME:8080/ca/ocsp"
$ echo -e "y\n\ny\ny\n${CA_SKID}\n\n\n\n${CA_SKID}\n\n2\n7\n${OCSP}\n\n\n\n" | \
    certutil -C \
    -x \
    -d nssdb \
    -f password.txt \
    -m $RANDOM \
    -a \
    -i ca_signing.csr \
    -o ca_signing.crt \
    -2 \
    -3 \
    --extAIA \
    --extSKID \
    --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation

It will generate the CA signing certificate in ca_signing.crt. The certificate is written to that file only; this step does not add it to the NSS database. Note also that -m $RANDOM takes the serial number from the shell's 15-bit $RANDOM, which is acceptable for a test setup but not for a real CA: RFC 5280 requires serial numbers to be unique per issuer, and publicly trusted CAs must use serial numbers containing at least 64 bits of CSPRNG output.

Issuing Subordinate CA Signing Certificate

Regardless of where the CSR was generated, it can be signed by another CA signing certificate whose private key is in the same NSS database; the issuer is selected by nickname with -c.

For example, create a self-signed root CA signing certificate with the following commands (certutil -S generates the key pair, seeded from noise.bin, and the self-signed certificate in one step, and stores them under the nickname "Root Certificate Authority" with the trust flags CT,C,C):

$ ROOTCA_SKID="0x$(openssl rand -hex 20)"
$ OCSP="http://$HOSTNAME:8080/ca/ocsp"
$ echo -e "y\n\ny\ny\n${ROOTCA_SKID}\n\n\n\n${ROOTCA_SKID}\n\n2\n7\n${OCSP}\n\n\n\n" | \
    certutil -S \
    -x \
    -d nssdb \
    -f password.txt \
    -z noise.bin \
    -n "Root Certificate Authority" \
    -s "CN=Root Certificate Authority,O=EXAMPLE" \
    -t "CT,C,C" \
    -m $RANDOM \
    -k rsa \
    -g 2048 \
    -Z SHA256 \
    -2 \
    -3 \
    --extAIA \
    --extSKID \
    --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation

Then sign the CSR with the root CA signing certificate using the following commands. The issuer is selected by nickname with -c; the AKID now carries the root's key identifier (ROOTCA_SKID), while the SKID carries a fresh identifier for the new certificate (CA_SKID):

$ CA_SKID="0x$(openssl rand -hex 20)"
$ echo -e "y\n\ny\ny\n${ROOTCA_SKID}\n\n\n\n${CA_SKID}\n\n2\n7\n${OCSP}\n\n\n\n" | \
    certutil -C \
    -d nssdb \
    -f password.txt \
    -m $RANDOM \
    -a \
    -i ca_signing.csr \
    -o ca_signing.crt \
    -c "Root Certificate Authority" \
    -2 \
    -3 \
    --extAIA \
    --extSKID \
    --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation

It will generate the subordinate CA signing certificate in ca_signing.crt, issued by "Root Certificate Authority". Like the self-signed variant, this step only writes the file and does not add the certificate to the NSS database.
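Whichever variant was used, the issued certificate should be checked before it is imported or trusted: basic constraints must be critical and CA:TRUE, key usage must include certSigning and crlSigning, an SKID must be present, and for the subordinate case the AKID must equal the root's SKID and the signature must verify. The script below does that with the openssl CLI (1.1.1 or later, for x509 -ext). It is an added example and not part of the dogtagpki wiki; the sample root and subordinate pair it builds with openssl is constructed data standing in for the certutil output above, so that the checks can be exercised offline. The hostname ca.example.test and the 128-bit random serials are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the dogtagpki wiki): audit a CA signing certificate
# produced by the certutil commands above and check that a subordinate CA
# chains to its issuer. Assumes the openssl CLI, 1.1.1 or later (for -ext).
set -eu

# Print the key identifier (AA:BB:...) carried by a certificate's SKID or AKID
# extension; prints nothing if the extension is absent.
ext_keyid() {  # $1 = PEM cert, $2 = subjectKeyIdentifier | authorityKeyIdentifier
    openssl x509 -in "$1" -noout -ext "$2" 2>/dev/null \
        | grep -oE '([0-9A-F]{2}:)+[0-9A-F]{2}' | head -n 1
}

# One CA certificate: Basic Constraints critical and CA:TRUE, Key Usage with
# keyCertSign and cRLSign, and a Subject Key Identifier present.
check_ca_cert() {  # $1 = PEM cert
    bc=$(openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null) || bc=""
    ku=$(openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null) || ku=""
    printf '%s\n' "$bc" | grep -q 'critical'         || { echo "$1: basicConstraints missing or not critical" >&2; return 1; }
    printf '%s\n' "$bc" | grep -q 'CA:TRUE'          || { echo "$1: basicConstraints is not CA:TRUE" >&2; return 1; }
    printf '%s\n' "$ku" | grep -q 'Certificate Sign' || { echo "$1: keyUsage lacks keyCertSign" >&2; return 1; }
    printf '%s\n' "$ku" | grep -q 'CRL Sign'         || { echo "$1: keyUsage lacks cRLSign" >&2; return 1; }
    [ -n "$(ext_keyid "$1" subjectKeyIdentifier)" ]  || { echo "$1: no subjectKeyIdentifier" >&2; return 1; }
}

# A subordinate CA against its issuer (pass the same file twice for a
# self-signed root): the AKID must equal the issuer's SKID and the signature
# must verify.
check_ca_chain() {  # $1 = issuer PEM cert, $2 = subordinate PEM cert
    check_ca_cert "$1" || return 1
    check_ca_cert "$2" || return 1
    issuer_skid=$(ext_keyid "$1" subjectKeyIdentifier)
    sub_akid=$(ext_keyid "$2" authorityKeyIdentifier)
    [ -n "$issuer_skid" ] && [ "$issuer_skid" = "$sub_akid" ] \
        || { echo "$2: AKID '$sub_akid' does not match issuer SKID '$issuer_skid'" >&2; return 1; }
    openssl verify -CAfile "$1" "$2" >/dev/null \
        || { echo "$2: signature does not verify against $1" >&2; return 1; }
    echo "OK: $2 chains to $1 (key id $issuer_skid, $(openssl x509 -in "$2" -noout -serial))"
}

# Constructed sample data: a root and a subordinate CA built with openssl as a
# stand-in for the certutil output above (same extensions; 128-bit random
# serials instead of $RANDOM), so the checks can be exercised offline.
make_sample_chain() {  # $1 = scratch directory
    cat > "$1/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
O = EXAMPLE
CN = overridden by -subj
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign,digitalSignature,nonRepudiation
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = OCSP;URI:http://ca.example.test:8080/ca/ocsp
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/root.key" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/ca_signing.key" 2>/dev/null
    openssl req -new -x509 -config "$1/ext.cnf" -extensions ca_ext -key "$1/root.key" \
        -subj "/O=EXAMPLE/CN=Root Certificate Authority" -days 30 -sha256 \
        -set_serial "0x$(openssl rand -hex 16)" -out "$1/root.crt"
    openssl req -new -config "$1/ext.cnf" -key "$1/ca_signing.key" \
        -subj "/O=EXAMPLE/CN=Certificate Authority" -out "$1/ca_signing.csr"
    openssl x509 -req -in "$1/ca_signing.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -set_serial "0x$(openssl rand -hex 16)" -days 30 -sha256 \
        -extfile "$1/ext.cnf" -extensions ca_ext -out "$1/ca_signing.crt" 2>/dev/null
}

# Usage: sh verify_ca.sh root.crt ca_signing.crt   (or: root.crt root.crt)
if [ $# -eq 2 ]; then
    check_ca_chain "$1" "$2"
fi
```

Run it as `sh verify_ca.sh root.crt ca_signing.crt` against the files written by certutil -C (export the root with `certutil -L -d nssdb -n "Root Certificate Authority" -a` first), or with the same file twice for the self-signed certificate. The AKID/SKID comparison is what catches a mixed-up echo string: if CA_SKID had been supplied where ROOTCA_SKID belongs, the chain would still verify cryptographically but path building by key identifier would fail.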
