Difference between revisions of "Issuing SSL Server Certificate with PKI CLI"

From Dogtag
(Created page with "= Creating a certificate = To issue a certificate, prepare a certificate extension configuration in a file (e.g. sslserver.conf): <pre> basicConstraints = critical, CA...")
 
m
 
Line 1: Line 1:
= Creating a certificate =
+
= Issuing a Certificate =
  
 
To issue a certificate, prepare a certificate extension configuration in a file (e.g. sslserver.conf):
 
To issue a certificate, prepare a certificate extension configuration in a file (e.g. sslserver.conf):
Line 36: Line 36:
  
 
Availability: PKI 10.9
 
Availability: PKI 10.9
 +
 +
= See Also =
 +
 +
* [[Generating System Certificates]]
 +
* [[Generating SSL Server Certificate]]
 +
* [[Generating SSL Server CSR with PKI CLI]]
 +
* [[PKI NSS CLI]]

Latest revision as of 00:30, 25 June 2020

Issuing a Certificate

To issue a certificate, prepare a certificate extension configuration in a file (e.g. sslserver.conf):

basicConstraints       = critical, CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
certificatePolicies    = 2.23.140.1.2.1, @cps_policy

cps_policy.id          = 1.3.6.1.4.1.44947.1.1.1
cps_policy.CPS.1       = http://cps.example.com
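
A pre-issuance check for the extension file above, added here as an example; it is not part of the Dogtag page or the PKI tools. The parsing rules are inferred from the sample file, and the lint rules (no CA capability, serverAuth present, every @reference resolvable) are this example's own assumptions about what an SSL server leaf should contain.

```python
import re

# Constructed input: the sslserver.conf shown on this page.
SAMPLE = """\
basicConstraints       = critical, CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
certificatePolicies    = 2.23.140.1.2.1, @cps_policy

cps_policy.id          = 1.3.6.1.4.1.44947.1.1.1
cps_policy.CPS.1       = http://cps.example.com
"""
OID = re.compile(r"\d+(\.\d+)+")
CA_ONLY_BITS = ("keyCertSign", "cRLSign")


def parse_ext(text):
    """Parse 'name = v1, v2' lines into {name: [values]} (format assumed from the sample)."""
    conf = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a 'name = value' line: {line!r}")
        conf[name.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return conf


def lint_server_ext(conf):
    """Return findings; an empty list means the file describes a TLS server leaf."""
    findings = []
    if "CA:FALSE" not in conf.get("basicConstraints", []):
        findings.append("basicConstraints does not set CA:FALSE")
    key_usage = conf.get("keyUsage", [])
    findings += [f"keyUsage grants CA-only bit {b}" for b in CA_ONLY_BITS if b in key_usage]
    if "serverAuth" not in conf.get("extendedKeyUsage", []):
        findings.append("extendedKeyUsage lacks serverAuth")
    for value in conf.get("certificatePolicies", []):
        if value.startswith("@"):
            if f"{value[1:]}.id" not in conf:  # reference must resolve to a policy OID
                findings.append(f"{value} has no {value[1:]}.id entry")
        elif value != "critical" and not OID.fullmatch(value):
            findings.append(f"certificatePolicies value {value!r} is not an OID")
    return findings


if __name__ == "__main__":
    print(lint_server_ext(parse_ext(SAMPLE)) or "no findings")
```

Running the check before pki nss-cert-issue catches a profile that would grant CA capability or leave a policy reference dangling, before anything is signed.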

To issue a self-signed certificate:

$ pki nss-cert-issue \
    --csr sslserver.csr \
    --ext sslserver.conf \
    --cert sslserver.crt

To issue a certificate signed by a CA certificate, specify the CA cert nickname:

$ pki nss-cert-issue \
    --issuer ca_signing \
    --csr sslserver.csr \
    --ext sslserver.conf \
    --cert sslserver.crt

Availability: PKI 10.9

See Also