PKI NSS Certificate Extensions - dogtagpki/pki Wiki


This functionality is still under development and may change in the future.

This page describes how to create the extension configuration for creating a certificate or a certificate request using PKI NSS Certificate CLI.

The extension configuration is similar to OpenSSL’s extension configuration, but pki nss-cert 's extension configuration uses Java Properties format whereas OpenSSL’s extension configuration uses INI format. See OpenSSL x509v3_config for details.

Examples are available in /usr/share/pki/server/certs:

Basic Constraints Extension

The Basic Constraints extension can be specified in the basicConstraints property, for example:

basicConstraints       = critical, CA:FALSE

Supported extension values:

  • critical

  • CA:<boolean>

  • pathlen:<integer>

Key Usage Extension

The Key Usage extension can be specified in the keyUsage property, for example:

keyUsage               = critical, digitalSignature, keyEncipherment

Supported extension values:

  • critical

  • digitalSignature

  • nonRepudiation

  • keyEncipherment

  • dataEncipherment

  • keyAgreement

  • keyCertSign

  • cRLSign

  • encipherOnly

  • decipherOnly

Extended Key Usage Extension

The Extended Key Usage extension can be specified in the extendedKeyUsage property, for example:

extendedKeyUsage       = serverAuth, clientAuth

Supported extension values:

  • critical

  • serverAuth

  • clientAuth

  • emailProtection

  • OCSPSigning

Subject Key Identifier Extension

The Subject Key Identifier extension can be specified in the subjectKeyIdentifier property.

To generate the extension with the first method defined in RFC 5280 Section

subjectKeyIdentifier   = hash

To generate the extension with the specified identifier:

subjectKeyIdentifier   = <hex>:<hex>:...:<hex>

Supported extension values:

  • critical

  • hash

  • <hex>:<hex>:…​:<hex>

Authority Key Identifier Extension

The Authority Key Identifier extension can be specified in the authorityKeyIdentifier property, for example:

authorityKeyIdentifier = keyid:always

Supported extension values:

  • keyid

  • keyid:always

Authority Info Access Extension

The Authority Info Access extension can be specified in the authorityInfoAccess property, for example:

authorityInfoAccess    = OCSP;URI:, caIssuers;URI:

Supported extension values:

  • caIssuers;URI:<URI>


Certificate Policies Extension

The Certificate Policies extension can be specified in the certificatePolicies property, for example:

certificatePolicies    =, @cps_policy          =
cps_policy.CPS.1       =

Supported extension values:

  • <OID>

  • @<policy>

Each policy can be specified in separate properties:

  • <policy>.id

  • <policy>.CPS.<id>

OCSP No Check Extension

The OCSP No Check extension can be specified in the noCheck property, for example:

noCheck                = ignored

Supported extension values:

  • ignored

Subject Alternative Name Extension

The Subject Alternative Name extension can be specified in the subjectAltName property, for example:

subjectAltName         = DNS:request_subject_cn, DNS:request_san_ext

Supported extension values:

  • DNS:request_subject_cn

  • DNS:request_san_ext

Generic Extensions

Generic extensions can be specified in the genericExtensions property, for example:

genericExtensions      =   = DER:1E:0A:00:53:00:75:00:62:00:43:00:41

Supported extension values:

  • <OID>

Each generic extension can be specified in a <OID> property which supports the following values:

  • critical

  • DER:<hex>:<hex>:…​:<hex>

See Also

⚠️ ** Fallback** ⚠️