
PKI NSS Certificate Extensions

Endi S. Dewata edited this page May 12, 2022 · 19 revisions

Overview

This page describes how to specify the extensions when creating a certificate or a certificate request using PKI NSS Certificate CLI.

The format is similar to OpenSSL x509v3_config.

Examples are available in /usr/share/pki/server/certs:

Basic Constraints

The Basic Constraints extension can be specified in the basicConstraints property, for example:

basicConstraints       = critical, CA:FALSE

Supported extension values:

  • critical

  • CA:<boolean>

  • pathlen:<integer>

Key Usage

The Key Usage extension can be specified in the keyUsage property, for example:

keyUsage               = critical, digitalSignature, keyEncipherment

Supported extension values:

  • critical

  • digitalSignature

  • nonRepudiation

  • keyEncipherment

  • dataEncipherment

  • keyAgreement

  • keyCertSign

  • cRLSign

  • encipherOnly

  • decipherOnly

Extended Key Usage

The Extended Key Usage extension can be specified in the extendedKeyUsage property, for example:

extendedKeyUsage       = serverAuth, clientAuth

Supported extension values:

  • critical

  • serverAuth

  • clientAuth

  • emailProtection

  • OCSPSigning

Subject Key Identifier

The Subject Key Identifier extension can be specified in the subjectKeyIdentifier property, for example:

subjectKeyIdentifier   = hash

Supported extension values:

  • hash

Authority Key Identifier

The Authority Key Identifier extension can be specified in the authorityKeyIdentifier property, for example:

authorityKeyIdentifier = keyid:always

Supported extension values:

  • keyid

  • keyid:always

Authority Info Access

The Authority Info Access extension can be specified in the authorityInfoAccess property, for example:

authorityInfoAccess    = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com

Supported extension values:

  • caIssuers;URI:<URI>

  • OCSP;URI:<URI>

Certificate Policies

The Certificate Policies extension can be specified in the certificatePolicies property, for example:

certificatePolicies    = 2.23.140.1.2.1, @cps_policy

cps_policy.id          = 1.3.6.1.4.1.44947.1.1.1
cps_policy.CPS.1       = http://cps.example.com

Supported extension values:

  • <OID>

  • @<policy>

Each policy can be specified in separate properties:

  • <policy>.id

  • <policy>.CPS.<id>

OCSP No Check

The OCSP No Check extension can be specified in the noCheck property, for example:

noCheck                = ignored

Supported extension values:

  • ignored

Subject Alternative Name

The Subject Alternative Name extension can be specified in the subjectAltName property, for example:

subjectAltName         = DNS:request_subject_cn, DNS:request_san_ext

Supported extension values:

  • DNS:request_subject_cn

  • DNS:request_san_ext
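The properties above are easy to get subtly wrong in a way that a CA will still happily sign (a CA profile without keyCertSign, a non-critical Basic Constraints, an unresolved @policy reference). The following added example (not Dogtag PKI code, and not a parser the project ships) reads a configuration in the format this page describes, checks every value against the supported lists given above, and lints the extension combinations that RFC 5280 ties together. The two embedded configurations are constructed samples: one end-entity profile assembled from the page's own examples and one deliberately weak CA profile. The helper names parse_config and lint, the regular expressions, and the RFC 5280 consistency rules are this example's own assumptions, not part of the PKI NSS CLI.

```python
"""Parse and lint a PKI NSS extension configuration (x509v3_config-like).

Added example, not Dogtag PKI code.  The property names and supported values
are taken from the wiki page; the consistency checks follow RFC 5280 and are
this example's own additions.
"""
import re

# Supported values per property, as listed on the page (assumption: exact,
# case-sensitive spellings).  Regexes cover the <boolean>/<integer>/<URI>/<OID>
# placeholders; sets cover fixed keywords.
SUPPORTED = {
    "basicConstraints": re.compile(r"^(critical|CA:(TRUE|FALSE)|pathlen:\d+)$"),
    "keyUsage": {"critical", "digitalSignature", "nonRepudiation",
                 "keyEncipherment", "dataEncipherment", "keyAgreement",
                 "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"},
    "extendedKeyUsage": {"critical", "serverAuth", "clientAuth",
                         "emailProtection", "OCSPSigning"},
    "subjectKeyIdentifier": {"hash"},
    "authorityKeyIdentifier": {"keyid", "keyid:always"},
    "authorityInfoAccess": re.compile(r"^(OCSP|caIssuers);URI:\S+$"),
    "certificatePolicies": re.compile(r"^(\d+(\.\d+)+|@\w+)$"),
    "noCheck": {"ignored"},
    "subjectAltName": {"DNS:request_subject_cn", "DNS:request_san_ext"},
}

# Constructed sample: end-entity (server) profile built from the page's examples.
SERVER_CONFIG = """
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
certificatePolicies    = 2.23.140.1.2.1, @cps_policy
cps_policy.id          = 1.3.6.1.4.1.44947.1.1.1
cps_policy.CPS.1       = http://cps.example.com
subjectAltName         = DNS:request_subject_cn, DNS:request_san_ext
"""

# Constructed sample: a CA profile with several defects the linter should catch.
WEAK_CA_CONFIG = """
basicConstraints       = CA:TRUE
keyUsage               = digitalSignature, cRLSign
extendedKeyUsage       = serverAuth, codeSigning
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
certificatePolicies    = @missing_policy
"""


def parse_config(text):
    """Return {property: [value, ...]}; values are the comma-separated list."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        props[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return props


def lint(props):
    """Return a list of human-readable findings (empty list means clean)."""
    findings = []
    for name, values in props.items():
        rule = SUPPORTED.get(name)
        if rule is None:
            if "." in name:          # <policy>.id / <policy>.CPS.<id> sub-properties
                continue
            findings.append(f"{name}: unknown property")
            continue
        for v in values:
            ok = rule.match(v) if isinstance(rule, re.Pattern) else v in rule
            if not ok:
                findings.append(f"{name}: unsupported value {v!r}")
    # Every @<policy> reference must have a matching <policy>.id property.
    for v in props.get("certificatePolicies", []):
        if v.startswith("@") and f"{v[1:]}.id" not in props:
            findings.append(f"certificatePolicies: {v} has no {v[1:]}.id property")
    # RFC 5280 consistency between Basic Constraints and Key Usage.
    bc = props.get("basicConstraints", [])
    ku = props.get("keyUsage", [])
    if "CA:TRUE" in bc:
        if "critical" not in bc:
            findings.append("basicConstraints: CA certificate must mark it critical")
        if "keyCertSign" not in ku:
            findings.append("keyUsage: CA certificate lacks keyCertSign")
        if not any(v.startswith("pathlen:") for v in bc):
            findings.append("basicConstraints: no pathlen, subordinate CA depth is unbounded")
    elif "keyCertSign" in ku:
        findings.append("keyUsage: keyCertSign asserted but CA:TRUE is not")
    if ku and "critical" not in ku:
        findings.append("keyUsage: should be marked critical")
    return findings


if __name__ == "__main__":
    for label, cfg in (("server", SERVER_CONFIG), ("weak-ca", WEAK_CA_CONFIG)):
        print(f"== {label} ==")
        for finding in lint(parse_config(cfg)) or ["clean"]:
            print("  " + finding)
```

Run as a script it prints "clean" for the server profile and six findings for the weak CA profile. Unknown property names and unsupported values are reported before the RFC 5280 checks, so a misspelt keyword such as codeSigning (not in the page's Extended Key Usage list) surfaces as a configuration error rather than being silently dropped by a later stage.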
