Configuring ACME with NSS Issuer

Endi S. Dewata edited this page Dec 6, 2024 · 2 revisions

Overview

This document describes how to configure the ACME responder to issue certificates using a local NSS database.

Configuring ACME Issuer

A sample NSS issuer configuration is available at /usr/share/pki/acme/issuer/nss/issuer.conf.

To configure an NSS issuer, copy the sample issuer.conf into the /var/lib/pki/pki-tomcat/conf/acme folder, or execute the following command to customize some of the parameters:

$ pki-server acme-issuer-mod --type nss \
    -Dnickname=ca_signing

Customize the configuration as needed. The issuer.conf should look like the following:

class=org.dogtagpki.acme.issuer.NSSIssuer
nickname=ca_signing

The nickname parameter can be used to specify the nickname of the CA signing certificate. The default value is ca_signing.

The extensions parameter can be used to configure the certificate extensions for the issued certificates. The default value is /usr/share/pki/acme/issuer/nss/sslserver.conf. Sample extension configuration files are available at:

Customize the configuration as needed. The format is based on OpenSSL x509v3_config.
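
The following is an added example, not part of the PKI project or its sample files: a small pre-deployment check that fills in the defaults described above for issuer.conf and lints an x509v3_config-style extension profile so that ACME-issued certificates cannot act as CAs. The function names, the policy checks and the sample inputs are assumptions of this example.

```python
# Added example: pre-deployment lint for issuer.conf and its extension profile.

DEFAULTS = {"nickname": "ca_signing",  # defaults stated on this page
            "extensions": "/usr/share/pki/acme/issuer/nss/sslserver.conf"}
TRUE_VALUES = {"true", "y", "yes"}  # spellings OpenSSL accepts for a boolean


def parse(text):
    """Parse 'key = value' lines; '#' comments and [sections] are skipped
    (treating '#' as a comment in issuer.conf is an assumption)."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def effective_issuer(text):
    """Return issuer settings with the documented defaults filled in."""
    return {**DEFAULTS, **parse(text)}


def lint_extensions(text):
    """Return findings; the policy is this example's, not the responder's."""
    ext = {k: [t.strip() for t in v.split(",")] for k, v in parse(text).items()}
    findings = []
    for token in ext.get("basicConstraints", []):
        name, _, value = token.partition(":")
        if name == "CA" and value.lower() in TRUE_VALUES:
            findings.append("basicConstraints marks issued certificates as CAs")
    signing = {"keyCertSign", "cRLSign"} & set(ext.get("keyUsage", []))
    if signing:
        findings.append("keyUsage grants " + ", ".join(sorted(signing)))
    if "serverAuth" not in ext.get("extendedKeyUsage", []):
        findings.append("extendedKeyUsage does not include serverAuth")
    return findings


# Constructed sample inputs (not copied from the shipped sample files).
ISSUER_CONF = "class=org.dogtagpki.acme.issuer.NSSIssuer\n"
GOOD = """basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
"""
BAD = """basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign
"""

print(effective_issuer(ISSUER_CONF), lint_extensions(GOOD), lint_extensions(BAD))
```

Run it against the file named by the effective extensions value before restarting the responder; an empty findings list means the profile passed these three checks only.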

See Also
