Exporting CA System Certificates

Overview

This page describes the process to export CA system certificates, the keys, and the CSRs.

Exporting Certificate Chain

To export the certificate chain into a certificate bundle:

$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    nss-cert-export \
    --output-file cert_chain.pem \
    --with-chain \
    ca_signing

To export the certificate chain into a PKCS #7 file:

$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    pkcs7-export \
    --pkcs7 cert_chain.p7b \
    ca_signing

Exporting System Certificates and Keys

To export the system certificates without their keys into separate files execute the following commands:

$ pki-server cert-export ca_signing --cert-file ca_signing.crt
$ pki-server cert-export ca_ocsp_signing --cert-file ca_ocsp_signing.crt
$ pki-server cert-export ca_audit_signing --cert-file ca_audit_signing.crt
$ pki-server cert-export subsystem --cert-file subsystem.crt
$ pki-server cert-export sslserver --cert-file sslserver.crt

To export the system certificates with their keys into a PKCS #12 file execute the following command:

$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    pkcs12-export \
    --pkcs12 ca-certs.p12 \
    --password Secret.123 \
    ca_signing \
    ca_ocsp_signing \
    ca_audit_signing \
    subsystem \
    sslserver

Exporting System CSRs

In PKI 11.5 or later the system CSRs can be obtained directly from the /var/lib/pki/pki-tomcat/conf/certs folder:

ca_signing.csr
ca_ocsp_signing.csr
ca_audit_signing.csr
subsystem.csr
sslserver.csr

In older PKI versions the system CSRs need to be exported with the following commands:

$ echo "-----BEGIN CERTIFICATE REQUEST-----" > ca_signing.csr
$ sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/conf/ca/CS.cfg >> ca_signing.csr
$ echo "-----END CERTIFICATE REQUEST-----" >> ca_signing.csr

$ echo "-----BEGIN CERTIFICATE REQUEST-----" > ca_ocsp_signing.csr
$ sed -n "/^ca.ocsp_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/conf/ca/CS.cfg >> ca_ocsp_signing.csr
$ echo "-----END CERTIFICATE REQUEST-----" >> ca_ocsp_signing.csr

$ echo "-----BEGIN CERTIFICATE REQUEST-----" > ca_audit_signing.csr
$ sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/conf/ca/CS.cfg >> ca_audit_signing.csr
$ echo "-----END CERTIFICATE REQUEST-----" >> ca_audit_signing.csr

$ echo "-----BEGIN CERTIFICATE REQUEST-----" > subsystem.csr
$ sed -n "/^ca.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/conf/kra/CS.cfg >> subsystem.csr
$ echo "-----END CERTIFICATE REQUEST-----" >> subsystem.csr

$ echo "-----BEGIN CERTIFICATE REQUEST-----" > sslserver.csr
$ sed -n "/^ca.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/conf/kra/CS.cfg >> sslserver.csr
$ echo "-----END CERTIFICATE REQUEST-----" >> sslserver.csr

Tip	To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Exporting CA System Certificates

Overview

Exporting Certificate Chain

Exporting System Certificates and Keys

Exporting System CSRs

Clone this wiki locally