-
Notifications
You must be signed in to change notification settings - Fork 133
Issuing OCSP Signing Certificate with NSS
Endi S. Dewata edited this page Oct 28, 2020
·
2 revisions
This page describes the process to sign the OCSP signing CSR and issue the certificate using NSS.
This page assumes an NSS database has been created as follows:
$ echo Secret.123 > password.txt $ openssl rand -out noise.bin 2048 $ mkdir nssdb $ certutil -N -d nssdb -f password.txt
It also assumes a CA signing certificate is present in the NSS database.
Sign the CSR with the CA signing certificate with the following commands:
$ CA_SKID=...
$ OCSP=...
$ echo -e "y\n\ny\ny\n${CA_SKID}\n\n\n\n2\n7\n${OCSP}\n\n\n\n" | \
certutil -C \
-d nssdb \
-f password.txt \
-m $RANDOM \
-a \
-i ocsp_signing.csr \
-o ocsp_signing.crt \
-c "ca_signing" \
-3 \
--extAIA \
--extKeyUsage ocspResponder \
--extGeneric 1.3.6.1.5.5.7.48.1.5:not-critical:/dev/null
It will generate the OCSP signing certificate in ocsp_signing.crt.
|
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |