Issuing SSL Server Certificate with PKI NSS - dogtagpki/pki GitHub Wiki

Issuing a Certificate

To issue a certificate, prepare a certificate extension configuration in a file (e.g. /usr/share/pki/server/certs/sslserver.conf):

basicConstraints       = critical, CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth

certificatePolicies    = 2.23.140.1.2.1, @cps_policy
cps_policy.id          = 1.3.6.1.4.1.44947.1.1.1
cps_policy.CPS.1       = http://cps.example.com

To issue a self-signed certificate:

$ pki nss-cert-issue \
    --csr sslserver.csr \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --cert sslserver.crt

To issue a certificate signed by a CA certificate, specify the CA certificate nickname:

$ pki nss-cert-issue \
    --issuer ca_signing \
    --csr sslserver.csr \
    --ext sslserver.conf \
    --cert sslserver.crt

Availability: PKI 10.9

See Also

Tip
 To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis.
⚠️ **GitHub.com Fallback** ⚠️