Issuing OCSP Signing Certificate with NSS - dogtagpki/pki GitHub Wiki

Overview

This page describes how to sign the OCSP signing CSR and issue the certificate using NSS.

This page assumes an NSS database has been created as follows:

$ echo Secret.123 > password.txt
$ openssl rand -out noise.bin 2048
$ mkdir nssdb
$ certutil -N -d nssdb -f password.txt

It also assumes a CA signing certificate is present in the NSS database.

Issuing OCSP Signing Certificate

Sign the CSR with the CA signing certificate using the following commands:

$ CA_SKID=...
$ OCSP=...
$ echo -e "y\n\ny\ny\n${CA_SKID}\n\n\n\n2\n7\n${OCSP}\n\n\n\n" | \
   certutil -C \
   -d nssdb \
   -f password.txt \
   -m $RANDOM \
   -a \
   -i ocsp_signing.csr \
   -o ocsp_signing.crt \
   -c "ca_signing" \
   -3 \
   --extAIA \
   --extKeyUsage ocspResponder \
   --extGeneric 1.3.6.1.5.5.7.48.1.5:not-critical:/dev/null

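The command writes the OCSP signing certificate to ocsp_signing.crt in ASCII format (-a). The piped echo string answers certutil's interactive prompts for the -3 (authority key identifier) and --extAIA (authority information access) extensions, and the OID 1.3.6.1.5.5.7.48.1.5 passed to --extGeneric is id-pkix-ocsp-nocheck.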
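A post-issuance check for the extensions requested above, as an added example that is not part of the wiki or the Dogtag project. It reads `openssl x509 -noout -text` output on stdin. The function names, the sample dump and the accepted key ID formats (hex with optional 0x prefix or colons) are assumptions, as is ${OCSP} being the responder URL.

```bash
#!/bin/bash
# Added example (not from the wiki): check a text dump of the issued certificate.
# Real use: openssl x509 -in ocsp_signing.crt -noout -text | check_ocsp_cert "$CA_SKID"

# Constructed sample dump; the key ID is shortened for readability.
SAMPLE_DUMP='        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:1A:2B:3C:4D
            Authority Information Access: 
                OCSP - URI:http://ocsp.example.test/
            X509v3 Extended Key Usage: 
                OCSP Signing
            OCSP No Check: 
'

# Normalise a key ID: drop spaces/colons, uppercase, strip a "keyid" or "0x" prefix.
# (Some openssl versions print the AKI with a "keyid:" prefix, others without.)
norm_keyid() {
    printf '%s' "$1" | tr -d ' :\n' | tr '[:lower:]' '[:upper:]' \
        | sed -e 's/^KEYID//' -e 's/^0X//'
}

# Print the line following the first line that contains header $1.
ext_value() {
    awk -v h="$1" 'index($0, h) { if ((getline line) > 0) print line; exit }'
}

# $1 = CA subject key ID; stdin = certificate text dump. Returns 0 if all checks pass.
check_ocsp_cert() {
    want=$(norm_keyid "$1"); dump=$(cat); rc=0
    [ -n "$want" ] || { echo "FAIL: no CA key ID given"; return 2; }
    # --extKeyUsage ocspResponder
    printf '%s\n' "$dump" | ext_value 'X509v3 Extended Key Usage' \
        | grep -q 'OCSP Signing' || { echo "FAIL: EKU lacks OCSP Signing"; rc=1; }
    # --extGeneric 1.3.6.1.5.5.7.48.1.5 (shown by name or by raw OID)
    printf '%s\n' "$dump" | grep -Eq 'OCSP No Check|1\.3\.6\.1\.5\.5\.7\.48\.1\.5' \
        || { echo "FAIL: OCSP No Check extension missing"; rc=1; }
    # -3: authority key identifier must equal the CA's subject key ID
    aki=$(printf '%s\n' "$dump" | ext_value 'X509v3 Authority Key Identifier')
    [ "$(norm_keyid "$aki")" = "$want" ] \
        || { echo "FAIL: AKI does not match CA key ID"; rc=1; }
    # --extAIA: assumes ${OCSP} was entered as the responder URI
    printf '%s\n' "$dump" | ext_value 'Authority Information Access' \
        | grep -q 'OCSP - URI:' || { echo "FAIL: AIA has no OCSP URI"; rc=1; }
    return $rc
}
```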
