test

System Administration Guide: Security Services

ProcedureHow to Export a Certificate and Private Key in PKCS #12 Format

You can create a file in PKCS #12 format to export private keys and their associated X.509 certificate to other systems. Access to the file is protected by a password.

  1. Find the certificate to export.


    % pktool list
Found number certificates.
1. (X.509 certificate)
      Label:  label-name
      ID: Fingerprint that binds certificate to private key
      Subject: subject-DN
      Issuer:  distinguished-name
      Serial:  hex-serial-number
2. ...

  2. Export the keys and certificate.

    Use the keystore and label from the pktool list command. Provide a file name for the export file. When the name contains a space, surround the name with double quotes.


    % pktool export keystore=keystore outfile=outfile-name label=label-name

  3. Protect the export file with a password.

    At the prompt, type the current password for the keystore. At this point, you create a password for the export file. The receiver must provide this password when importing the file.


    Enter pin for Sun Software PKCS#11 softtoken: Type PIN for token
Enter password to use for accessing the PKCS12 file:Create PKCS #12 password
    Tip –

    Send the password separately from the export file. Best practice suggests that you provide the password out of band, such as during a telephone call.

Example 15–4 Exporting a Certificate and Private Key in PKCS #12 Format

In the following example, a user exports the private keys with their associated X.509 certificate into a standard PKCS #12 file. This file can be imported into other keystores. The PKCS #11 password protects the source keystore. The PKCS #12 password is used to protect private data in the PKCS #12 file. This password is required to import the file.


% pktool list
Found 1 certificates.
1. (X.509 certificate)
      Label: My Cert
      ID: 12:82:17:5f:80:78:eb:44:8b:98:e3:3c:11:c0:32:5e:b6:4c:ea:eb
      Subject: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA
      Issuer: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA
      Serial: 0x01
 

% pktool export keystore=pkcs11 outfile=mydata.p12 label="My Cert"
Enter pin for Sun Software PKCS#11 softtoken: Type PIN for token
Enter password to use for accessing the PKCS12 file:Create PKCS #12 password

The user then telephones the recipient and provides the PKCS #12 password.