Skip to content

Generating Subsystem CSR with NSS

Endi S. Dewata edited this page Oct 28, 2020 · 2 revisions

Generating CSR

$ certutil -R \
   -d nssdb \
   -f password.txt \
   -z noise.bin \
   -s "CN=Subsystem Certificate,OU=pki-tomcat,O=EXAMPLE" \
   -o subsystem.csr.der \
   -k rsa \
   -g 2048 \
   -Z SHA256 \
   --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \
   --extKeyUsage clientAuth,serverAuth
$ openssl req -inform der -in subsystem.csr.der -out subsystem.csr

Restoring CSR

If the CSR is missing, it can be restored from the existing certificate and key with the following commands:

$ certutil -R \
   -d nssdb \
   -f password.txt \
   -z noise.bin \
   -s "CN=Subsystem Certificate,OU=pki-tomcat,O=EXAMPLE" \
   -o subsystem.csr.der \
   -k "subsystem" \
   -g 2048 \
   -Z SHA256 \
   --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \
   --extKeyUsage clientAuth,serverAuth
$ openssl req -inform der -in subsystem.csr.der -out subsystem.csr

Verification

$ openssl req -text -noout -in subsystem.csr
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = EXAMPLE, OU = pki-tomcat, CN = Subsystem Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c1:ba:19:e0:63:14:8d:e8:e1:7f:29:ee:d9:c9:
                    03:49:55:16:e3:ca:35:01:a7:ab:bb:d8:80:3a:28:
                    2a:c4:df:12:af:63:83:4e:7d:13:a4:f7:10:8e:9a:
                    e3:a5:da:4d:a9:a0:67:f4:72:11:fb:dd:22:36:2c:
                    75:10:5b:8b:6b:8d:c0:d4:ea:49:cf:ed:a6:8e:3e:
                    ea:ae:80:13:b5:44:d3:b9:ab:17:48:6c:fc:f8:96:
                    08:5d:3b:1b:1b:d0:8d:f5:b6:82:1f:06:63:4f:29:
                    86:53:84:6a:06:79:2b:58:91:7b:d7:9e:3d:23:79:
                    e8:82:02:8d:58:66:b0:98:de:fa:53:6a:3a:c7:de:
                    33:e5:dd:24:e1:37:79:09:16:eb:ff:f8:05:58:6a:
                    6b:31:25:20:9f:74:13:29:5f:bc:74:ee:df:3f:aa:
                    08:04:6f:33:f6:b8:f0:1c:33:56:57:91:24:d7:6b:
                    1e:a2:b0:4e:ca:29:33:1f:86:e6:b3:84:0b:44:b5:
                    1e:1e:5d:a0:49:50:ed:1d:e7:59:68:6e:10:f6:65:
                    6e:08:cf:d2:e2:f4:3f:fc:2d:9b:14:51:b9:9f:e1:
                    90:d0:0d:db:a2:28:ea:2c:5d:5f:3c:43:79:26:4e:
                    e2:a2:da:f3:97:f7:73:68:da:48:72:72:b9:64:d8:
                    1a:e9
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
    Signature Algorithm: sha256WithRSAEncryption
         1d:22:6e:67:c6:95:e5:7a:29:df:27:1e:da:50:3b:e3:09:7a:
         9d:0f:26:db:04:20:24:08:7a:1e:9c:43:bd:26:29:c3:08:68:
         56:28:03:16:4c:8b:1a:9b:d9:79:7e:a9:74:65:07:56:b5:15:
         b5:cd:47:df:1d:6e:be:9f:9f:73:40:e7:fa:1d:7c:65:c6:f0:
         b4:4f:c5:c5:5f:25:0f:68:05:05:76:b7:4d:9e:11:fd:bc:57:
         32:36:7e:d8:44:aa:a9:69:fe:7a:5a:11:b2:d6:63:c5:b0:e8:
         32:57:f1:44:c9:05:6e:3a:ec:0c:62:1e:b1:ad:4b:ef:0a:d6:
         ba:fc:93:48:80:6f:10:f5:87:2a:9b:db:d2:87:15:ee:7b:0b:
         b5:02:24:53:cc:af:43:1e:37:ac:01:a5:40:0b:5b:ad:ee:a5:
         ca:0c:bd:9f:a0:fa:91:d1:5d:ea:de:90:2e:f3:b3:6e:74:80:
         d1:7c:c9:17:c1:f6:7d:b3:d3:c8:76:01:23:d5:50:66:a8:96:
         29:a0:1f:d0:f4:29:97:3a:5b:7a:c0:6f:63:d1:36:db:ea:db:
         a0:0d:09:7d:ed:4e:22:d7:6c:a3:e4:bd:ab:57:76:59:98:1f:
         52:0b:59:04:6f:02:05:c6:f9:42:dc:cc:95:ce:a0:42:80:ec:
         e3:2f:71:63

See Also

Clone this wiki locally