-
Notifications
You must be signed in to change notification settings - Fork 137
PKI NSS Certificate Extensions
Warning
|
This functionality is still under development and may change in the future. |
This page describes how to create the extension configuration for creating a certificate or a certificate request using PKI NSS Certificate CLI.
The extension configuration is similar to OpenSSL’s extension configuration, but pki nss-cert
's extension configuration uses Java Properties format whereas OpenSSL’s extension configuration uses INI format. See OpenSSL x509v3_config for details.
Examples are available in /usr/share/pki/server/certs:
The Basic Constraints extension can be specified in the basicConstraints
property, for example:
basicConstraints = critical, CA:FALSE
Supported extension values:
-
critical
-
CA:<boolean>
-
pathlen:<integer>
The Key Usage extension can be specified in the keyUsage
property, for example:
keyUsage = critical, digitalSignature, keyEncipherment
Supported extension values:
-
critical
-
digitalSignature
-
nonRepudiation
-
keyEncipherment
-
dataEncipherment
-
keyAgreement
-
keyCertSign
-
cRLSign
-
encipherOnly
-
decipherOnly
The Extended Key Usage extension can be specified in the extendedKeyUsage
property, for example:
extendedKeyUsage = serverAuth, clientAuth
Supported extension values:
-
critical
-
serverAuth
-
clientAuth
-
emailProtection
-
OCSPSigning
The Subject Key Identifier extension can be specified in the subjectKeyIdentifier
property.
To generate the extension with the first method defined in RFC 5280 Section 4.2.1.2:
subjectKeyIdentifier = hash
To generate the extension with the specified identifier:
subjectKeyIdentifier = <hex>:<hex>:...:<hex>
Supported extension values:
-
critical
-
hash
-
<hex>:<hex>:…:<hex>
The Authority Key Identifier extension can be specified in the authorityKeyIdentifier
property, for example:
authorityKeyIdentifier = keyid:always
Supported extension values:
-
keyid
-
keyid:always
The Authority Info Access extension can be specified in the authorityInfoAccess
property, for example:
authorityInfoAccess = OCSP;URI:http://ocsp.example.com, caIssuers;URI:http://cert.example.com
Supported extension values:
-
caIssuers;URI:<URI>
-
OCSP;URI:<URI>
The Certificate Policies extension can be specified in the certificatePolicies
property, for example:
certificatePolicies = 2.23.140.1.2.1, @cps_policy cps_policy.id = 1.3.6.1.4.1.44947.1.1.1 cps_policy.CPS.1 = http://cps.example.com
Supported extension values:
-
<OID>
-
@<policy>
Each policy can be specified in separate properties:
-
<policy>.id
-
<policy>.CPS.<id>
The OCSP No Check extension can be specified in the noCheck
property, for example:
noCheck = ignored
Supported extension values:
-
ignored
The Subject Alternative Name extension can be specified in the subjectAltName
property, for example:
subjectAltName = DNS:request_subject_cn, DNS:request_san_ext
Supported extension values:
-
DNS:request_subject_cn
-
DNS:request_san_ext
-
critical
(since PKI 11.5) -
DNS:<hostname>
(since PKI 11.5)
Generic extensions can be specified in the genericExtensions
property, for example:
genericExtensions = 1.3.6.1.4.1.311.20.2 1.3.6.1.4.1.311.20.2 = DER:1E:0A:00:53:00:75:00:62:00:43:00:41
Supported extension values:
-
<OID>
Each generic extension can be specified in a <OID>
property which supports the following values:
-
critical
-
DER:<hex>:<hex>:…:<hex>
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |