Skip to content

Generating CA Signing CSR with PKI NSS

Jump to bottom
Endi S. Dewata edited this page Jul 12, 2022 · 3 revisions

Generating CSR

To create a certificate request, prepare a certificate extension configuration (e.g. /usr/share/pki/server/certs/ca_signing.conf):

basicConstraints       = critical, CA:TRUE
subjectKeyIdentifier   = hash
keyUsage               = critical, digitalSignature, keyCertSign, cRLSign

Then execute the following command:

$ pki nss-cert-request \
    --subject "CN=Certificate Authority" \
    --ext /usr/share/pki/server/certs/ca_signing.conf \
    --csr ca_signing.csr

The above command will create a new certificate request with a new key.

To create a certificate request with an existing key, execute the following command:

$ pki nss-cert-request \
    --key-id <key ID> \
    --subject "CN=Certificate Authority" \
    --ext /usr/share/pki/server/certs/ca_signing.conf \
    --csr ca_signing.csr

Availability: PKI 10.9

See Also

Tip
 To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis.
Clone this wiki locally