Difference between revisions of "Generating SSL Server CSR with PKI CLI"

From Dogtag
Jump to: navigation, search
m (See Also)
m (See Also)
Line 31: Line 31:
* [[Generating System Certificates]]
* [[Generating System Certificates]]
* [[Generating SSL Server Certificate]]
* [[Generating SSL Server Certificate]]
* [[Issuing SSL Server Certificate with PKI CLI]]

Latest revision as of 00:31, 25 June 2020

Generating CSR

To create a certificate request, prepare a certificate extension configuration (e.g. sslserver.conf):

basicConstraints       = critical, CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
certificatePolicies    =, @cps_policy

cps_policy.id          =
cps_policy.CPS.1       = http://cps.example.com

Then execute the following command:

$ pki nss-cert-request \
    --subject "CN=$HOSTNAME" \
    --ext sslserver.conf \
    --csr sslserver.csr

Availability: PKI 10.9

See Also