Generating SSL Server CSR with NSS
Endi S. Dewata edited this page Jan 20, 2022
To generate a basic certificate request:
$ certutil -R \
    -d nssdb \
    -f password.txt \
    -z noise.bin \
    -k rsa \
    -g 2048 \
    -Z SHA256 \
    -s "CN=$HOSTNAME,O=EXAMPLE" \
    --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature \
    --extKeyUsage serverAuth \
    -o sslserver.csr.der
$ openssl req -inform der -in sslserver.csr.der -out sslserver.csr
To generate a certificate request with SAN:
$ certutil -R \
    -d nssdb \
    -f password.txt \
    -z noise.bin \
    -k rsa \
    -g 2048 \
    -Z SHA256 \
    -s "CN=pki.example.com,O=EXAMPLE" \
    --extSAN dns:www.example.com,dns:www.example.org \
    --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature \
    --extKeyUsage serverAuth \
    -o sslserver.csr.der
$ openssl req -inform der -in sslserver.csr.der -out sslserver.csr
If the CSR is missing, it can be restored from the existing certificate and key with the following commands:
$ certutil -R \
    -d nssdb \
    -f password.txt \
    -z noise.bin \
    -k "sslserver" \
    -g 2048 \
    -Z SHA256 \
    -s "CN=$HOSTNAME,O=EXAMPLE" \
    --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature \
    --extKeyUsage serverAuth \
    -o sslserver.csr.der
$ openssl req -inform der -in sslserver.csr.der -out sslserver.csr
$ openssl req -text -noout -in sslserver.csr
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = EXAMPLE, CN = pki.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
    Signature Algorithm: sha256WithRSAEncryption
         ...
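A check to run on the PEM request before submitting it, as an added example that is not part of the original wiki page: `check_csr` verifies the CSR self-signature and confirms the requested Key Usage, EKU and SAN entries from the `openssl req -text` output. The function names `check_csr` and `make_sample_csr` are hypothetical, and the sample request is constructed with openssl rather than certutil so the example runs without an NSS database.

```shell
# check_csr CSR_PEM [DNS_NAME...]: succeed only if the CSR self-signature
# verifies and it requests a critical Key Usage, the serverAuth EKU and
# every DNS_NAME as a SAN entry (clients ignore the CN once a SAN is present).
check_csr() {
    csr=$1; shift
    # "req -verify" exit codes differ between OpenSSL releases; match the text.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: self-signature does not verify" >&2; return 1; }
    text=$(openssl req -in "$csr" -noout -text) || return 1
    echo "$text" | grep -q 'X509v3 Key Usage: critical' ||
        { echo "FAIL: Key Usage missing or not critical" >&2; return 1; }
    echo "$text" | grep -q 'TLS Web Server Authentication' ||
        { echo "FAIL: serverAuth EKU missing" >&2; return 1; }
    # The line after the SAN header reads "DNS:a, DNS:b"; split to one per line.
    sans=$(echo "$text" | awk '/Subject Alternative Name/ {getline; print}' |
           tr ',' '\n' | sed 's/^ *//; s/ *$//')
    for name in "$@"; do
        echo "$sans" | grep -qxF "DNS:$name" ||
            { echo "FAIL: SAN lacks DNS:$name" >&2; return 1; }
    done
}

# make_sample_csr DIR: constructed stand-in for the certutil --extSAN request,
# built with openssl (an assumption) so it runs without an NSS database.
make_sample_csr() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
O = EXAMPLE
CN = pki.example.com
[ext]
keyUsage = critical,digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com,DNS:www.example.org
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/sslserver.csr" 2>/dev/null
}

# Demo: the request covers its two SANs but not the CN's own host name.
if command -v openssl >/dev/null 2>&1; then
    dir=$(mktemp -d) && make_sample_csr "$dir"
    check_csr "$dir/sslserver.csr" www.example.com www.example.org && echo "CSR OK"
    check_csr "$dir/sslserver.csr" pki.example.com || echo "pki.example.com not covered"
    rm -rf "$dir"
fi
```

Run against the basic request (no `--extSAN`), any DNS name passed to `check_csr` fails, which shows whether the issuing CA has to supply the SAN itself.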