PKI NSS Certificate Extensions - dogtagpki/pki Wiki
Overview
Warning: This functionality is still under development and may change in the future.
This page describes how to create the extension configuration used when creating a certificate or a certificate request with the PKI NSS Certificate CLI.
The extension configuration is similar to OpenSSL's extension configuration, but pki nss-cert's extension configuration uses the Java Properties format, whereas OpenSSL's extension configuration uses the INI format. See OpenSSL x509v3_config for details.
Examples are available in /usr/share/pki/server/certs.
Basic Constraints Extension
The Basic Constraints extension can be specified in the basicConstraints property, for example:
```
basicConstraints = critical, CA:FALSE
```
Supported extension values:
- critical
- CA:<boolean>
- pathlen:<integer>
Key Usage Extension
The Key Usage extension can be specified in the keyUsage property, for example:
```
keyUsage = critical, digitalSignature, keyEncipherment
```
Supported extension values:
- critical
- digitalSignature
- nonRepudiation
- keyEncipherment
- dataEncipherment
- keyAgreement
- keyCertSign
- cRLSign
- encipherOnly
- decipherOnly
Extended Key Usage Extension
The Extended Key Usage extension can be specified in the extendedKeyUsage property, for example:
```
extendedKeyUsage = serverAuth, clientAuth
```
Supported extension values:
- critical
- serverAuth
- clientAuth
- emailProtection
- OCSPSigning
Subject Key Identifier Extension
The Subject Key Identifier extension can be specified in the subjectKeyIdentifier property.
To generate the extension with the first method defined in RFC 5280 Section 4.2.1.2:
```
subjectKeyIdentifier = hash
```
To generate the extension with a specified identifier:
```
subjectKeyIdentifier = <hex>:<hex>:...:<hex>
```
Supported extension values:
- critical
- hash
- <hex>:<hex>:...:<hex>
Authority Key Identifier Extension
The Authority Key Identifier extension can be specified in the authorityKeyIdentifier property, for example:
```
authorityKeyIdentifier = keyid:always
```
Supported extension values:
- keyid
- keyid:always
Authority Info Access Extension
The Authority Info Access extension can be specified in the authorityInfoAccess property, for example:
```
authorityInfoAccess = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
```
Supported extension values:
- caIssuers;URI:<URI>
- OCSP;URI:<URI>
Certificate Policies Extension
The Certificate Policies extension can be specified in the certificatePolicies property, for example:
```
certificatePolicies = 2.23.140.1.2.1, @cps_policy
cps_policy.id = 1.3.6.1.4.1.44947.1.1.1
cps_policy.CPS.1 = http://cps.example.com
```
Supported extension values:
- <OID>
- @<policy>
Each policy can be specified in separate properties:
- <policy>.id
- <policy>.CPS.<id>
OCSP No Check Extension
The OCSP No Check extension can be specified in the noCheck property, for example:
```
noCheck = ignored
```
Supported extension values:
- ignored
Subject Alternative Name Extension
The Subject Alternative Name extension can be specified in the subjectAltName property, for example:
```
subjectAltName = DNS:request_subject_cn, DNS:request_san_ext
```
Supported extension values:
- DNS:request_subject_cn
- DNS:request_san_ext
Generic Extensions
Generic extensions can be specified in the genericExtensions property, for example:
```
genericExtensions = 1.3.6.1.4.1.311.20.2
1.3.6.1.4.1.311.20.2 = DER:1E:0A:00:53:00:75:00:62:00:43:00:41
```
Supported extension values:
- <OID>
Each generic extension can be specified in a <OID> property which supports the following values:
- critical
- DER:<hex>:<hex>:...:<hex>
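The sections above describe each property on its own. The following is an added example, not one of the files shipped in /usr/share/pki/server/certs, that assembles them into one complete extension configuration for a TLS server certificate. The OIDs and URIs are the illustrative ones used in the sections above; the SAN line uses the two placeholder values listed on this page, which I read (an assumption based on their names) as taking the DNS name from the request's subject CN and from the SAN extension carried in the request.

```properties
# Constructed example: extension configuration for a TLS server certificate.
# Added here for illustration; not a file from the pki project. OIDs and URIs
# are the illustrative values used in the sections above.

# End-entity certificate: not a CA. Marked critical so a relying party that
# does not understand the extension rejects the certificate rather than
# silently accepting it as a CA.
basicConstraints = critical, CA:FALSE

# A TLS server key signs handshakes and, with RSA key transport, decrypts
# the pre-master secret. keyCertSign and cRLSign are deliberately absent.
keyUsage = critical, digitalSignature, keyEncipherment

# Restrict the key to TLS; the certificate cannot be used for OCSP signing
# or email protection.
extendedKeyUsage = serverAuth, clientAuth

# Derive the key identifier from the public key (RFC 5280 4.2.1.2, method 1).
subjectKeyIdentifier = hash

# Always embed the issuer's key identifier so chain building is unambiguous
# when the CA has rolled its key.
authorityKeyIdentifier = keyid:always

# Where relying parties fetch revocation status and the issuer certificate.
authorityInfoAccess = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com

# CA/Browser Forum domain-validated policy OID plus a private policy that
# points at the CPS document.
certificatePolicies = 2.23.140.1.2.1, @cps_policy
cps_policy.id = 1.3.6.1.4.1.44947.1.1.1
cps_policy.CPS.1 = http://cps.example.com

# Subject Alternative Name built from the request: the subject CN plus any
# SAN extension the request already carries (placeholder values from above).
subjectAltName = DNS:request_subject_cn, DNS:request_san_ext
```

For a CA signing certificate the same file would instead carry `basicConstraints = critical, CA:TRUE, pathlen:0` and `keyUsage = critical, keyCertSign, cRLSign`; for an OCSP responder certificate it would carry `extendedKeyUsage = OCSPSigning` together with `noCheck = ignored`. Because the format is Java Properties, a duplicated key silently overrides the earlier one and a misspelled value is not caught by the file format itself, so review the resulting certificate's extensions after issuance rather than trusting the configuration alone.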