Generating OCSP Signing CSR with NSS
Endi S. Dewata edited this page Oct 28, 2020 · 2 revisions
$ certutil -R \
    -d nssdb \
    -f password.txt \
    -z noise.bin \
    -s "CN=OCSP Signing Certificate,OU=pki-tomcat,O=EXAMPLE" \
    -o ocsp_signing.csr.der \
    -k rsa \
    -g 2048 \
    -Z SHA256
If necessary, extensions can be added as follows:
$ certutil -R \
    ... \
    --extKeyUsage ocspResponder \
    --extGeneric 1.3.6.1.5.5.7.48.1.5:not-critical:/dev/null
Convert the CSR to PEM as follows:
$ openssl req -inform der -in ocsp_signing.csr.der -out ocsp_signing.csr
If the CSR is missing, it can be restored from the existing certificate and key with the following commands:
$ certutil -R \
    -d nssdb \
    -f password.txt \
    -z noise.bin \
    -s "CN=OCSP Signing Certificate,OU=pki-tomcat,O=EXAMPLE" \
    -o ocsp_signing.csr.der \
    -k "ocsp_signing" \
    -g 2048 \
    -Z SHA256
If necessary, extensions can be added as follows:
$ certutil -R \
    ... \
    --extKeyUsage ocspResponder \
    --extGeneric 1.3.6.1.5.5.7.48.1.5:not-critical:/dev/null
Convert the CSR to PEM as follows:
$ openssl req -inform der -in ocsp_signing.csr.der -out ocsp_signing.csr
$ openssl req -text -noout -in ocsp_signing.csr
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = EXAMPLE, OU = pki-tomcat, CN = OCSP Signing Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         ...
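The report above shows `Attributes: a0:00`, an empty attribute set, so that CSR requests no extensions. The following check is an added example, not part of the original wiki page or the PKI project: it reads `openssl req -text -noout` output on stdin and verifies the subject, key size, digest and, optionally, the two extensions. The function name `check_ocsp_csr`, its `require-ext` argument and the extension labels `OCSP Signing` / `OCSP No Check` (as OpenSSL is assumed to print them) are assumptions.

```shell
# Added example. Usage (hypothetical helper):
#   openssl req -text -noout -in ocsp_signing.csr | check_ocsp_csr [require-ext]
check_ocsp_csr() {
    csr_text=$(cat); csr_rc=0
    # Subject CN from the certutil -s argument used on this page.
    printf '%s\n' "$csr_text" | grep -Eq 'Subject:.*CN ?= ?OCSP Signing Certificate' \
        || { echo "FAIL: unexpected subject"; csr_rc=1; }
    # RSA modulus size requested with -g 2048.
    csr_bits=$(printf '%s\n' "$csr_text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${csr_bits:-0}" -ge 2048 ] \
        || { echo "FAIL: key size ${csr_bits:-unknown} is below 2048 bits"; csr_rc=1; }
    # Digest requested with -Z SHA256; anything weaker is rejected.
    printf '%s\n' "$csr_text" | grep -Eq 'Signature Algorithm: sha(256|384|512)With' \
        || { echo "FAIL: weak or missing signature algorithm"; csr_rc=1; }
    # Look only inside the extension request, so the subject CN cannot match.
    csr_ext=$(printf '%s\n' "$csr_text" | sed -n '/Requested Extensions:/,/Signature Algorithm:/p')
    for csr_name in 'OCSP Signing' 'OCSP No Check'; do
        printf '%s\n' "$csr_ext" | grep -Fq "$csr_name" && continue
        if [ "${1:-}" = require-ext ]; then
            echo "FAIL: extension '$csr_name' not requested"; csr_rc=1
        else
            echo "WARN: extension '$csr_name' not requested"
        fi
    done
    return "$csr_rc"
}

# Constructed sample: the report shown on this page with the hex dumps left out.
SAMPLE_CSR_TEXT='Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = EXAMPLE, OU = pki-tomcat, CN = OCSP Signing Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption'

printf '%s\n' "$SAMPLE_CSR_TEXT" | check_ocsp_csr
```

Pass `require-ext` when the CSR was generated with `--extKeyUsage ocspResponder` and the `--extGeneric` option, so a request that lost them fails the check instead of only warning.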