Skip to content

Instantly share code, notes, and snippets.

@amolkahat amolkahat/ca_with_nss.sh
Last active Sep 3, 2018

Embed
What would you like to do?
Generating CA certificate and Server certificate with nss.
# cat ca_with_nss.sh
mkdir -p /root/nssdb
echo "SECret.123" > /root/nssdb/password.txt
certutil -N -d /root/nssdb -f /root/nssdb/password.txt
openssl rand -out /root/nssdb/noise.bin 2048
SKID="0x`openssl rand -hex 20`"
OCSP="http://$HOSTNAME:8080/ca/ocsp"
echo -e "y\n\ny\ny\n${SKID}\n\n\n\n${SKID}\n\n2\n7\n${OCSP}\n\n\n\n" | \
certutil -S \
-x \
-d /root/nssdb \
-f /root/nssdb/password.txt \
-z /root/nssdb/noise.bin \
-n "CA Signing Certificate" \
-s "CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE" \
-t "CT,C,C" \
-m $RANDOM \
-k rsa \
-g 2048 \
-Z SHA256 \
-2 \
-3 \
--keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation \
--extAIA \
--extSKID
openssl rand -out /root/nssdb/noise.bin 2048
certutil -R \
-d /root/nssdb \
-f /root/nssdb/password.txt \
-z /root/nssdb/noise.bin \
-k rsa \
-g 2048 \
-Z SHA256 \
-s "CN=$HOSTNAME,O=RedHat" \
--extSAN dns:www.$HOSTNAME,dns:www.$HOSTNAME \
--keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \
--extKeyUsage serverAuth \
-o /root/nssdb/sslserver.csr.der
openssl req -inform der -in /root/nssdb/sslserver.csr.der -out /root/nssdb/sslserver.csr
echo -e "y\n\ny\ny\n${SKID}\n\n\n\n${SKID}\n\n2\n7\n${OCSP}\n\n\n\n" | \
certutil -C \
-x \
-d /root/nssdb \
-f /root/nssdb/password.txt \
-m $RANDOM \
-a \
-i /root/nssdb/sslserver.csr \
-o /root/nssdb/sslserver.pem \
-2 \
-3 \
--keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation \
--extAIA \
--extSKID
certutil -A -d /root/nssdb \
-n "server cert" -i /root/nssdb/sslserver.pem \
-t 'u,u,u' -f /root/nssdb/password.txt
certutil -L -d /root/nssdb -n "CA Signing Certificate" -a \
-o /root/nssdb/ca_cert.pem
pk12util -o /root/nssdb/server_cert.p12 -n "server cert" -d /root/nssdb/ \
-w /root/nssdb/password.txt -k /root/nssdb/password.txt
openssl pkcs12 -in /root/nssdb/server_cert.p12 -nocerts -out /root/nssdb/server_key.key \
-nodes --passin "pass:SECret.123" -passout "pass:SECret.123"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.