
Generating KRA Transport CSR with NSS

Endi S. Dewata edited this page Oct 28, 2020 · 3 revisions

Generating CSR

$ certutil -R \
   -d nssdb \
   -f password.txt \
   -z noise.bin \
   -s "CN=DRM Transport Certificate,OU=pki-tomcat,O=EXAMPLE" \
   -o kra_transport.csr.der \
   -k rsa \
   -g 2048 \
   -Z SHA256 \
   --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \
   --extKeyUsage clientAuth
$ openssl req -inform der -in kra_transport.csr.der -out kra_transport.csr

Restoring CSR

If the CSR is missing, it can be restored from the existing certificate and key with the following commands:

$ certutil -R \
   -d nssdb \
   -f password.txt \
   -z noise.bin \
   -s "CN=DRM Transport Certificate,OU=pki-tomcat,O=EXAMPLE" \
   -o kra_transport.csr.der \
   -k "kra_transport" \
   -g 2048 \
   -Z SHA256 \
   --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \
   --extKeyUsage clientAuth
$ openssl req -inform der -in kra_transport.csr.der -out kra_transport.csr

Verification

$ openssl req -text -noout -in kra_transport.csr
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = EXAMPLE, OU = pki-tomcat, CN = DRM Transport Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:aa:02:75:c8:c5:0d:59:2a:2c:c9:cc:0f:c2:e9:
                    90:1c:b3:95:5e:e8:f0:c8:c5:e7:71:c5:fe:f3:4a:
                    cf:94:db:ce:3e:36:ee:98:f3:c3:bf:cf:1d:95:b5:
                    88:4f:95:0f:2f:29:71:be:e7:2b:f4:f5:cc:46:58:
                    42:ed:b3:f0:bc:b1:47:c0:32:53:fc:52:61:96:8b:
                    60:ef:60:fe:a2:8d:cd:94:bd:07:93:0f:a5:c4:e5:
                    45:1f:f4:72:c0:c6:44:b5:19:70:f5:7b:ed:73:cf:
                    21:74:dd:90:c7:59:0c:c7:84:da:68:2a:3b:9a:8a:
                    67:ee:88:f6:1c:d2:ae:7a:cd:e0:02:1a:c7:c9:69:
                    71:ce:b1:1e:9d:3d:59:2d:04:2a:8f:e4:ca:42:f2:
                    47:af:dd:d5:52:9a:67:85:9a:b1:fc:c5:a3:c9:4b:
                    89:57:ad:1d:5d:2b:6f:47:97:21:84:1c:51:d4:56:
                    b2:99:ce:d6:a6:ac:8c:b4:74:18:c0:cf:aa:c2:ff:
                    d6:44:dd:76:56:ac:7c:fd:79:9c:1f:72:f1:04:78:
                    c6:9b:c5:25:5a:dd:39:db:e5:22:db:95:43:ce:b3:
                    ae:1c:1c:c9:ef:09:cf:e9:db:60:b8:d2:02:7f:b4:
                    73:e6:c2:4a:4e:68:59:3f:b1:2a:2b:b5:65:6c:d6:
                    19:85
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
    Signature Algorithm: sha256WithRSAEncryption
         8c:2a:2b:fe:70:61:c8:2c:a6:44:46:81:18:16:6b:fd:3e:fe:
         89:9c:c6:f4:dd:ab:3e:ed:96:22:ee:54:2d:fa:86:84:9f:b1:
         c8:f5:18:9a:f6:4e:00:9a:8f:b1:15:f4:71:4f:35:3a:62:db:
         91:53:e8:35:cb:53:ea:16:9a:45:9b:0a:fd:e0:d8:39:5b:bf:
         60:62:1e:76:b9:85:87:9f:dc:47:5d:a9:d8:52:b6:2d:72:b3:
         ca:a4:44:bc:0f:c4:99:27:01:4d:d8:08:0b:eb:2a:5b:e6:90:
         71:1a:b3:4f:fe:c0:a7:d1:1e:9b:52:7d:9a:8e:8c:0f:16:eb:
         e1:ff:38:ed:de:dc:cd:1e:45:9c:13:45:5c:43:8e:5b:fa:c5:
         f4:4a:f3:1d:66:76:bc:4a:8d:86:a9:cd:ef:f0:03:ee:9d:44:
         02:2e:47:b1:a0:5f:31:2d:0b:e7:15:45:f9:4d:e9:88:77:38:
         ab:62:d1:9e:66:98:17:f3:39:ed:10:db:06:57:f5:f0:df:18:
         7e:b5:17:ed:fc:de:ef:5a:df:72:2c:44:76:95:05:9a:e3:fe:
         0b:af:9a:e9:6f:30:4f:f5:2d:75:24:75:03:fd:6e:1b:59:93:
         cf:ae:a6:46:3e:ba:ac:59:7d:1d:cc:0f:c8:b1:70:55:1f:c8:
         3e:02:a8:64
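
The fields worth checking in that output follow directly from the certutil options used above. The shell function below is an added example, not part of the original wiki page: it reads `openssl req -text -noout` output on stdin and checks the subject CN, key size, Key Usage, Extended Key Usage and signature algorithm. The function names and the trimmed sample text are constructed for this example.

```shell
# Added example, not part of the wiki page. Reads `openssl req -text -noout`
# output on stdin and checks it against the certutil options used above.
check_kra_transport_csr() (
    text=$(cat)
    rc=0
    fail() { echo "FAIL: $1" >&2; rc=1; }

    # Subject CN; OpenSSL prints "CN = x" or "CN=x" depending on version.
    printf '%s\n' "$text" | sed -n 's/ *= */=/g; /Subject:/p' |
        grep -q 'CN=DRM Transport Certificate' || fail "unexpected subject"
    # RSA modulus size requested with -g 2048.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || fail "key size ${bits:-unknown} is below 2048"

    # Key Usage must be critical and carry the four usages from --keyUsage.
    ku=$(printf '%s\n' "$text" |
        awk '/X509v3 Key Usage:/ { c = ($0 ~ /critical/) ? "critical" : "plain"; getline; print c ":" $0 }')
    case $ku in critical:*) ;; *) fail "Key Usage missing or not critical" ;; esac
    for u in "Digital Signature" "Non Repudiation" "Key Encipherment" "Data Encipherment"; do
        case $ku in *"$u"*) ;; *) fail "Key Usage lacks: $u" ;; esac
    done

    # Extended Key Usage from --extKeyUsage clientAuth.
    printf '%s\n' "$text" | awk '/X509v3 Extended Key Usage:/ { getline; print }' |
        grep -q 'TLS Web Client Authentication' || fail "EKU lacks clientAuth"
    # Signature hash requested with -Z SHA256.
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' ||
        fail "signature is not sha256WithRSAEncryption"

    [ "$rc" -eq 0 ]
)

# Constructed sample in the shape of the Verification output (hex dumps omitted).
sample_csr_text() {
    cat <<'EOF'
Certificate Request:
        Subject: O = EXAMPLE, OU = pki-tomcat, CN = DRM Transport Certificate
        Subject Public Key Info:
                Public-Key: (2048 bit)
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
    Signature Algorithm: sha256WithRSAEncryption
EOF
}
sample_csr_text | check_kra_transport_csr && echo "CSR matches requested parameters"
```

Against a real request, pipe the verification command into the function: `openssl req -text -noout -in kra_transport.csr | check_kra_transport_csr`.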
