Importing and exporting keys using the command line
This topic describes how to import and export keys.
Overview
If we want to reuse an existing key from another database, we can import that key. Conversely, we can export our key into another database or to a PKCS12 file. PKCS12 is a standard for securely storing private keys and certificates. We can use the IKEYCMD command-line interface or GSKCapiCmd tool.
Procedure
- Use the IKEYCMD command-line interface to import certificates from another key database, as follows:
gsk7cmd -cert -import -db <filename> -pw <password> -label <label> -type <cms | JKS | JCEKS | pkcs12> -new_label <label> -target <filename> -target_pw <password> -target_type <cms | JKS | JCEKS | pkcs12>
where:
- -cert - specifies a certificate.
- -import - specifies an import action.
- -db <filename> - indicates the name of the database.
- -pw <password> - indicates the password to access the key database.
- -label <label> - indicates the label that is attached to the certificate.
- -new_label <label> - re-labels the certificate in the target key database.
- -type <cms | JKS | JCEKS | pkcs12> - specifies the type of database.
- -target <filename> - indicates the destination database.
- -target_pw <password> - indicates the password for the key database if -target specifies a key database.
- -target_type <cms | JKS | JCEKS | pkcs12> - indicates the type of database that is specified by the -target operand.
- pfx - imported file in Microsoft .pfx file format.
Use the GSKCapiCmd tool to import certificates from another key database. GSKCapiCmd is a tool that manages keys, certificates, and certificate requests within a CMS key database. The tool has all of the functionality of the existing GSKit Java command-line tool, except that GSKCapiCmd supports CMS and PKCS11 key databases. If we plan to manage key databases other than CMS or PKCS11, use the existing Java tool. We can use GSKCapiCmd to manage all aspects of a CMS key database. GSKCapiCmd does not require Java to be installed on the system.
gsk7capicmd -cert -import -db <name> | -crypto <module name> [-tokenlabel <token label>] [-pw <passwd>] [-secondaryDB <filename> -secondaryDBpw <password>] -label <label> [-type <cms>] -target <name> [-target_pw <passwd>] [-target_type <cms | pkcs11>] [-new_label <label>] [-fips]
- Use the IKEYCMD command-line interface to export certificates from another key database, as follows:
gsk7cmd -cert -export -db <filename> -pw <password> -label <label> -type <cms | jks | jceks | pkcs12> -target <filename> -target_pw <password> -target_type <cms | jks | jceks | pkcs12>
where:
- -cert specifies a personal certificate.
- -export specifies an export action.
- -db <filename> is the name of the database.
- -pw <password> is the password to access the key database.
- -label <label> is the label attached to the certificate.
- -target <filename> is the destination file or database. If the target_type is JKS, CMS, or JCEKS, the database specified here must exist.
- -target_pw is the password for the target key database.
- -target_type <cms | jks | jceks | pkcs12> is the type of database specified by the -target operand.
- -type <cms | jks | jceks | pkcs12> is the type of database key.
Use the GSKCapiCmd tool to export certificates from another key database. GSKCapiCmd is a tool that manages keys, certificates, and certificate requests within a CMS key database. The tool has all of the functionality of the existing GSKit Java command-line tool, except that GSKCapiCmd supports CMS and PKCS11 key databases. If we plan to manage key databases other than CMS or PKCS11, use the existing Java tool. We can use GSKCapiCmd to manage all aspects of a CMS key database. GSKCapiCmd does not require Java to be installed on the system.
gsk7capicmd -cert -extract -db <name> | -crypto <module name> [-tokenlabel <token label>] -pw <passwd> -label <label> -target <name> [-format <ascii | binary>] [-secondaryDB <filename> -secondaryDBpw <password>] [-fips]
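The gsk7cmd export step above, wrapped in pre-flight checks, as an added example that is not IBM's or this page's own code: it enforces the rule that a cms, jks, or jceks target must already exist, prompts for the passwords, and creates the output under umask 077. The function names (check_export, export_cert, ask_pw) and the return codes are assumptions of this example.

```sh
#!/bin/sh
# Added example, not IBM's code. Function names are hypothetical.
# Usage after sourcing: export_cert key.kdb cms mycert backup.p12 pkcs12

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Accept only the database types listed on this page.
valid_type() {
    case "$1" in
        cms|jks|jceks|pkcs12) return 0 ;;
        *) return 1 ;;
    esac
}

# check_export SRC_DB SRC_TYPE TARGET TARGET_TYPE
# Returns 0 if the export can proceed, 2 for an unknown type,
# 3 if the source database is missing, 4 if a cms/jks/jceks target is missing.
check_export() {
    src_type=$(lower "$2")
    target_type=$(lower "$4")
    valid_type "$src_type" && valid_type "$target_type" || return 2
    [ -f "$1" ] || return 3
    case "$target_type" in
        pkcs12) ;;                        # created by the export itself
        *) [ -f "$3" ] || return 4 ;;     # page: target database must exist
    esac
    return 0
}

# Prompt without echo so the password stays out of shell history and scripts.
# gsk7cmd still receives it as an argument, so it is visible in the process
# list while the command runs.
ask_pw() {
    printf '%s: ' "$1" >&2
    stty -echo; IFS= read -r pw_reply; stty echo; echo >&2
}

# export_cert SRC_DB SRC_TYPE LABEL TARGET TARGET_TYPE
export_cert() {
    check_export "$1" "$2" "$4" "$5" || return $?
    ask_pw "Source database password"; src_pw=$pw_reply
    ask_pw "Target password"; tgt_pw=$pw_reply
    (
        umask 077    # exported file holds a private key: owner-only access
        gsk7cmd -cert -export -db "$1" -pw "$src_pw" -label "$3" -type "$2" \
            -target "$4" -target_pw "$tgt_pw" -target_type "$5"
    )
}
```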
Related concepts
Manage keys with the IKEYCMD command line interface (Distributed systems)