
PKI NSS Certificate Extensions

Endi S. Dewata edited this page May 12, 2022 · 19 revisions

Overview

This page describes how to specify extensions when creating a certificate or a certificate request using the PKI NSS Certificate CLI.

The format is similar to OpenSSL x509v3_config.

Examples are available in /usr/share/pki/server/certs:

Basic Constraints

basicConstraints       = critical, CA:FALSE

Key Usage

keyUsage               = critical, digitalSignature, keyEncipherment

Extended Key Usage

extendedKeyUsage       = serverAuth, clientAuth

Subject Key Identifier

subjectKeyIdentifier   = hash

Authority Key Identifier

authorityKeyIdentifier = keyid:always

Authority Info Access

authorityInfoAccess    = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com

Certificate Policies

certificatePolicies    = 2.23.140.1.2.1, @cps_policy

cps_policy.id          = 1.3.6.1.4.1.44947.1.1.1
cps_policy.CPS.1       = http://cps.example.com
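
The fragments above can be combined into one file and checked before it is used to issue a certificate. The following is an added example, not part of PKI: a small reader whose parsing rules (comma-separated values, a leading `critical` flag, `@name` references resolved from dotted `name.*` keys) are inferred from the samples on this page, plus two hypothetical review checks for an end-entity certificate.

```python
# Added example; parsing rules are inferred from this page's samples, not PKI's code.
SAMPLE = """\
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
certificatePolicies    = 2.23.140.1.2.1, @cps_policy
cps_policy.id          = 1.3.6.1.4.1.44947.1.1.1
cps_policy.CPS.1       = http://cps.example.com
"""

def parse_extensions(text):
    """Return {extension: {"critical": bool, "values": [...]}}, resolving @refs."""
    raw = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"not a 'key = value' line: {line!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        raw[key] = value

    def section(name):
        # Collect "name.xxx = value" entries into one dict for "@name".
        prefix = name + "."
        found = {k[len(prefix):]: v for k, v in raw.items() if k.startswith(prefix)}
        if not found:
            raise ValueError(f"@{name} is referenced but never defined")
        return found

    extensions = {}
    for key, value in raw.items():
        if "." in key:  # dotted keys belong to a referenced section
            continue
        items = [item.strip() for item in value.split(",")]
        critical = items[0] == "critical"
        values = [section(i[1:]) if i.startswith("@") else i for i in items[critical:]]
        extensions[key] = {"critical": critical, "values": values}
    return extensions

def lint_leaf(extensions):
    """Hypothetical review checks for an end-entity (non-CA) certificate."""
    findings = []
    if "CA:FALSE" not in extensions.get("basicConstraints", {"values": []})["values"]:
        findings.append("basicConstraints does not set CA:FALSE")
    if "keyCertSign" in extensions.get("keyUsage", {"values": []})["values"]:
        findings.append("keyUsage grants keyCertSign to a leaf certificate")
    return findings
```
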
