# Archiving Key in KRA - dogtagpki/pki GitHub Wiki
The `pki kra-key-archive` command can be used to archive binary data, a passphrase, or a pre-encrypted secret into the KRA.

The command accepts a `--transport <nickname>` parameter that specifies the nickname of the transport certificate already in the client's NSS database. If it is not specified, the command retrieves the transport certificate from the KRA and stores it in the client's NSS database.
To archive binary data:

```
$ pki -n caadmin kra-key-archive \
    --clientKeyID testkey \
    --input-data private.key
------------------------
Archival request details
------------------------
  Request ID: 0xe8a04029b85754300eea95e9abe88e8d
  Key ID: 0x79b13ade36da728cf9400f659e84e417
  Type: securityDataEnrollment
  Status: complete
  Creation Time: Tue Jun 13 16:26:05 CDT 2023
  Modification Time: Tue Jun 13 16:26:05 CDT 2023
```
To archive a passphrase:

```
$ pki -n caadmin kra-key-archive \
    --clientKeyID testkey \
    --passphrase Secret.123
------------------------
Archival request details
------------------------
  Request ID: 0xb28dfaa00f33ce85823c9a2693f8a5f
  Key ID: 0x00ef325cf2f3a96d85b606eb7d085376dd
  Type: securityDataEnrollment
  Status: complete
  Creation Time: Tue Jun 13 16:23:47 CDT 2023
  Modification Time: Tue Jun 13 16:23:48 CDT 2023
```
To archive a pre-encrypted secret, store the input in a file (e.g. `input.json`):

```json
{
  "Attributes": {
    "Attribute": [
      { "name": "clientKeyID", "value": "testkey" },
      { "name": "dataType", "value": "symmetricKey" },
      { "name": "wrappedPrivateData", "value": "..." },
      { "name": "keyAlgorithm", "value": "AES" },
      { "name": "realm", "value": "example" },
      { "name": "keySize", "value": "128" }
    ]
  },
  "ClassName": "com.netscape.certsrv.key.KeyArchivalRequest"
}
```
Then execute the following command:

```
$ pki -n caadmin kra-key-archive \
    --input input.json \
    --input-format json
```
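As an added example that is not part of this wiki page or the pki code base, the Python below builds the `KeyArchivalRequest` document shown above from its parts and sanity-checks an `input.json` before it is handed to `pki kra-key-archive --input-format json`. It assumes `wrappedPrivateData` carries the transport-certificate-wrapped secret base64-encoded (the page elides that value), and that `dataType` also accepts `passPhrase` and `asymmetricKey` (only `symmetricKey` appears on this page); the wrapping step itself is left to the client tooling.

```python
import base64
import json

CLASS_NAME = "com.netscape.certsrv.key.KeyArchivalRequest"  # from the page's input.json
# Only "symmetricKey" appears on the page; the other two are assumed from the KRA REST API.
DATA_TYPES = {"symmetricKey", "passPhrase", "asymmetricKey"}
REQUIRED = ("clientKeyID", "dataType", "wrappedPrivateData")
AES_KEY_SIZES = {128, 192, 256}

def build_archival_request(client_key_id, wrapped_data, key_algorithm=None,
                           key_size=None, realm=None, data_type="symmetricKey"):
    # wrapped_data is the secret already encrypted under the KRA transport cert;
    # it is assumed to travel base64-encoded (the page elides the value with "...").
    attrs = [
        {"name": "clientKeyID", "value": client_key_id},
        {"name": "dataType", "value": data_type},
        {"name": "wrappedPrivateData",
         "value": base64.b64encode(wrapped_data).decode("ascii")},
    ]
    # Every attribute value is a JSON string, keySize included ("128" on the page).
    optional = (("keyAlgorithm", key_algorithm), ("realm", realm),
                ("keySize", None if key_size is None else str(key_size)))
    attrs += [{"name": n, "value": v} for n, v in optional if v is not None]
    return {"Attributes": {"Attribute": attrs}, "ClassName": CLASS_NAME}

def parse_archival_request(doc):
    # Sanity-check an input.json (JSON text or already-parsed dict) client-side;
    # returns the attributes as a flat dict, raises ValueError on a malformed request.
    doc = json.loads(doc) if isinstance(doc, str) else doc
    if doc.get("ClassName") != CLASS_NAME:
        raise ValueError("unexpected ClassName %r" % doc.get("ClassName"))
    attrs = {a["name"]: a["value"]
             for a in doc.get("Attributes", {}).get("Attribute", [])}
    missing = [n for n in REQUIRED if n not in attrs]
    if missing:
        raise ValueError("missing attributes: " + ", ".join(missing))
    if attrs["dataType"] not in DATA_TYPES:
        raise ValueError("unknown dataType %r" % attrs["dataType"])
    try:  # the page's "..." placeholder must have been replaced with real ciphertext
        wrapped = base64.b64decode(attrs["wrappedPrivateData"], validate=True)
    except ValueError:
        wrapped = b""
    if not wrapped:
        raise ValueError("wrappedPrivateData is not non-empty base64 ciphertext")
    size = attrs.get("keySize")
    if size is not None and not size.isdigit():
        raise ValueError("keySize must be a decimal string, got %r" % size)
    if size is not None and attrs.get("keyAlgorithm") == "AES" and int(size) not in AES_KEY_SIZES:
        raise ValueError("AES keySize must be 128, 192 or 256, got %s" % size)
    return attrs
```

Write the returned dict out with `json.dump` to produce the `input.json` consumed by the command above.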