Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Administration Manual page 266

Chapter 11. Managing Certificates
1. Open the certificate database directory of the instance for which the certificate is being requested.
cd /var/lib/instance_ID/alias
2. Run the certutil command, defining the key settings, subject name, validity period, and
extentions.
certutil -R -k rsa -g 2048 -s "CN=example cert server.example.com,O=Example Domain" -o
request.cert -v 12 -d . -1 -3 -6
The required options are listed in
Option
R
k
g
s
o
v
d
numbers 1-8
a
Table 11.3. Options for Requesting Certificates with certutil
Once the request is generated, submit the certificate request in the output file to the issuing CA
through the CA's enrollment forms.
For information about using the certutil command, see
nss/tools/certutil.html.
244
Table 11.3, "Options for Requesting Certificates with
Description
Flag to generate a certificate request.
The key type to use; the only option is rsa.
The key size. The recommended size for RSA
keys is 2048.
The subject name of the certificate.
The output file to which to save the certificate
request.
The validity period, in months.
Certificate database directory; this is the
directory for the subsystem instance.
These set the available certificate extensions.
Only eight can be specified through the
certutil tool:
• Key Usage: 1
• Basic Constraints: 2
• Certificate Authority Key ID: 3
• CRL Distribution Point: 4
• Netscape Certificate Type: 5
• Extended Key Usage: 6
• Email Subject Alternative Name: 7
• DNS Subject Alternative Name: 8
Outputs the certificate request to an ASCII file
instead of binary.
http://www.mozilla.org/projects/security/pki/
certutil".