You can create a file in PKCS #12 format to export private keys and their associated X.509 certificate to other systems. Access to the file is protected by a password.
% pktool list Found number certificates. 1. (X.509 certificate) Label: label-name ID: fingerprint that binds certificate to private key Subject: subject-DN Issuer: distinguished-name Serial: hex-serial-number 2. ...
Use the keystore and label from the pktool list command. Provide a file name for the export file. If the name contains a space, surround the name with double quotes.
% pktool export keystore=keystore outfile=outfile-name label=label-name
At the prompt, type the current password for the keystore. At this point, you create a password for the export file. The receiver must provide this password when importing the file.
Enter pin for Sun Software PKCS#11 softtoken: Type PIN for token Enter password to use for accessing the PKCS12 file:Create PKCS #12 password
In the following example, a user exports the private keys with their associated X.509 certificate into a standard PKCS #12 file. This file can be imported into other keystores. The PKCS #11 password protects the source keystore. The PKCS #12 password is used to protect private data in the PKCS #12 file. This password is required to import the file.
% pktool list No. Key Type Key Len. Key Label ---------------------------------------------------- Asymmetric public keys: 1 RSA My Cert Certificates: 1 X.509 certificate Label: My Cert ID: d2:7e:20:04:a5:66:e6:31:90:d8:53:28:bc:ef:55:55:dc:a3:69:93 Subject: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA Issuer: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA Serial: 0x000001
% pktool export keystore=pkcs11 outfile=mydata.p12 label="My Cert" Enter pin for Sun Software PKCS#11 softtoken: Type PIN for token Enter password to use for accessing the PKCS12 file:Create PKCS #12 password
The user then telephones the recipient and provides the PKCS #12 password.