This procedure is used to sign a PKCS #10 certificate signing request (CSR). The CSR can be in PEM or DER format. The signing process issues an X.509 v3 certificate. To generate a PKCS #10 CSR, see the pktool(1) man page.
Before You Begin
This procedure assumes that you are a certificate authority (CA), you have received a CSR, and it is stored in a file.
The signcsr subcommand takes the following arguments:
signkey: If you have stored the signer's key in a PKCS #11 keystore, signkey is the label that retrieves this private key. If you have stored the signer's key in an NSS keystore or a file keystore, signkey is the file name that holds this private key.
csr: Specifies the file name of the CSR.
serial: Specifies the serial number of the signed certificate.
outcert: Specifies the file name for the signed certificate.
issuer: Specifies your CA issuer name in distinguished name (DN) format.
For information about optional arguments to the signcsr subcommand, see the pktool(1) man page.
For example, the following command signs the certificate with the signer's key from the PKCS #11 repository:
# pktool signcsr signkey=CASigningKey \
csr=fromExampleCoCSR \
serial=0x12345678 \
outcert=ExampleCoCert2010 \
issuer="O=Oracle Corporation, \
OU=Oracle Solaris Security Technology, L=Redwood City, ST=CA, C=US, \
CN=rootsign Oracle"
The following command signs the certificate with the signer's key from a file:
# pktool signcsr signkey=CASigningKey \
csr=fromExampleCoCSR \
serial=0x12345678 \
outcert=ExampleCoCert2010 \
issuer="O=Oracle Corporation, \
OU=Oracle Solaris Security Technology, L=Redwood City, ST=CA, C=US, \
CN=rootsign Oracle"
You can use email, a web site, or another mechanism to deliver the certificate to the requester.
For example, you could use email to send the ExampleCoCert2010 file to the requester.
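A check a CA operator might run on the outcert file before delivering it, added here as an example and not part of the pktool documentation: it reads the certificate, whether the file is PEM or DER, and confirms that its serial number equals the value passed as serial=. It assumes the standard X.509 field order; the function names and the sample bytes are constructed for illustration.

```python
import base64
import re

def to_der(data: bytes) -> bytes:
    """Return DER bytes from file contents that may be PEM or DER."""
    m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def cert_serial(data: bytes) -> int:
    """Read serialNumber from Certificate -> tbsCertificate -> [0] version, INTEGER."""
    der = to_der(data)
    tag, start, _ = read_tlv(der, 0)          # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, start, _ = read_tlv(der, start)      # tbsCertificate SEQUENCE
    tag, vstart, vend = read_tlv(der, start)  # [0] version (present in v3)
    if tag == 0xA0:
        tag, vstart, vend = read_tlv(der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[vstart:vend], "big")

def serial_matches(data: bytes, expected_hex: str) -> bool:
    """Compare the certificate's serial with the value given as serial=."""
    return cert_serial(data) == int(expected_hex, 16)

def tlv(tag: int, body: bytes) -> bytes:
    """Encode a short-form TLV (used only to build the sample below)."""
    return bytes([tag, len(body)]) + body

# Constructed sample: just the leading fields of a certificate, not a real one.
SAMPLE_DER = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))
                           + tlv(0x02, bytes.fromhex("12345678"))))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

To check a real file, pass its contents, for example serial_matches(open("ExampleCoCert2010", "rb").read(), "0x12345678").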