
PKI NSS Certificate Extensions

Endi S. Dewata edited this page May 12, 2022 · 19 revisions

Overview

This page describes how to specify the extensions when creating a certificate or a certificate request using PKI NSS Certificate CLI.

For details see OpenSSL x509v3_config.

Examples are available in /usr/share/pki/server/certs.

Basic Constraints Extension

The Basic Constraints extension can be specified in the basicConstraints property, for example:

basicConstraints       = critical, CA:FALSE

Supported extension values:

  • critical

  • CA:<boolean>

  • pathlen:<integer>

Key Usage Extension

The Key Usage extension can be specified in the keyUsage property, for example:

keyUsage               = critical, digitalSignature, keyEncipherment

Supported extension values:

  • critical

  • digitalSignature

  • nonRepudiation

  • keyEncipherment

  • dataEncipherment

  • keyAgreement

  • keyCertSign

  • cRLSign

  • encipherOnly

  • decipherOnly

Extended Key Usage Extension

The Extended Key Usage extension can be specified in the extendedKeyUsage property, for example:

extendedKeyUsage       = serverAuth, clientAuth

Supported extension values:

  • critical

  • serverAuth

  • clientAuth

  • emailProtection

  • OCSPSigning

Subject Key Identifier Extension

The Subject Key Identifier extension can be specified in the subjectKeyIdentifier property, for example:

subjectKeyIdentifier   = hash

Supported extension values:

  • hash

Authority Key Identifier Extension

The Authority Key Identifier extension can be specified in the authorityKeyIdentifier property, for example:

authorityKeyIdentifier = keyid:always

Supported extension values:

  • keyid

  • keyid:always

Authority Info Access Extension

The Authority Info Access extension can be specified in the authorityInfoAccess property, for example:

authorityInfoAccess    = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com

Supported extension values:

  • caIssuers;URI:<URI>

  • OCSP;URI:<URI>

Certificate Policies Extension

The Certificate Policies extension can be specified in the certificatePolicies property, for example:

certificatePolicies    = 2.23.140.1.2.1, @cps_policy
cps_policy.id          = 1.3.6.1.4.1.44947.1.1.1
cps_policy.CPS.1       = http://cps.example.com

Supported extension values:

  • <OID>

  • @<policy>

Each policy can be specified in separate properties:

  • <policy>.id

  • <policy>.CPS.<id>

OCSP No Check Extension

The OCSP No Check extension can be specified in the noCheck property, for example:

noCheck                = ignored

Supported extension values:

  • ignored

Subject Alternative Name Extension

The Subject Alternative Name extension can be specified in the subjectAltName property, for example:

subjectAltName         = DNS:request_subject_cn, DNS:request_san_ext

Supported extension values:

  • DNS:request_subject_cn

  • DNS:request_san_ext

Generic Extensions

Generic extensions can be specified in the genericExtensions property, for example:

genericExtensions      = 1.3.6.1.4.1.311.20.2
1.3.6.1.4.1.311.20.2   = DER:1E:0A:00:53:00:75:00:62:00:43:00:41

Supported extension values:

  • <OID>

Each generic extension can be specified in a <OID> property which supports the following values:

  • critical

  • DER:<byte>:<byte>:…:<byte>
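The following is an added example, not part of this wiki page or of the PKI CLI itself. It parses an extension configuration written in the property format shown above, flags values outside the supported lists for the Basic Constraints, Key Usage, Extended Key Usage and Key Identifier extensions, applies the RFC 5280 consistency rules that tie keyCertSign and pathlen to CA:TRUE, and decodes the DER:<byte> form used by genericExtensions. The helper names and the sample configurations are assumptions constructed for this example.

```python
# Added example (not from the page or the PKI project): lint an extension
# config in the "property = value, value" format and decode DER: values.
SUPPORTED = {
    "basicConstraints": {"critical", "CA", "pathlen"},
    "keyUsage": {"critical", "digitalSignature", "nonRepudiation",
                 "keyEncipherment", "dataEncipherment", "keyAgreement",
                 "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"},
    "extendedKeyUsage": {"critical", "serverAuth", "clientAuth",
                         "emailProtection", "OCSPSigning"},
    "subjectKeyIdentifier": {"hash"},
    "authorityKeyIdentifier": {"keyid", "keyid:always"},
}

# Constructed sample configs (values taken from the page's examples).
SERVER_CFG = """basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
"""
# Constructed broken config: end-entity cert claiming CA-only key usage.
BROKEN_CFG = """basicConstraints = critical, CA:FALSE, pathlen:0
keyUsage         = keyCertSign, cRLSign, signCode
"""

def parse_config(text):
    """Map each 'key = v1, v2' line to key -> [v1, v2]; skip blanks/comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return cfg

def check_extensions(cfg):
    """Return problems: unsupported values plus RFC 5280 4.2.1.9 consistency."""
    problems = []
    for key, allowed in SUPPORTED.items():
        for v in cfg.get(key, []):
            name = v.split(":")[0] if key == "basicConstraints" else v
            if name not in allowed:
                problems.append(f"{key}: unsupported value {v!r}")
    bc, ku = cfg.get("basicConstraints", []), cfg.get("keyUsage", [])
    is_ca = any(v.upper() == "CA:TRUE" for v in bc)
    if "keyCertSign" in ku and not is_ca:
        problems.append("keyUsage: keyCertSign requires basicConstraints CA:TRUE")
    if any(v.startswith("pathlen:") for v in bc) and not is_ca:
        problems.append("basicConstraints: pathlen is only valid with CA:TRUE")
    if is_ca and ku and "keyCertSign" not in ku:
        problems.append("keyUsage: CA certificate must assert keyCertSign")
    return problems

def decode_der_value(spec):
    """Turn 'DER:1E:0A:...' into raw bytes (tag 0x1E is a BMPString)."""
    return bytes(int(b, 16) for b in spec[len("DER:"):].split(":"))
```

The DER value from the genericExtensions example decodes to a BMPString whose UTF-16BE content is "SubCA", which is what the check in the test confirms.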

See Also
