Archiving Key in KRA - dogtagpki/pki GitHub Wiki
The `pki kra-key-archive` command can be used to archive binary data, a passphrase, or a pre-encrypted secret in the KRA.
The command accepts a `--transport <nickname>` parameter that specifies the nickname of a transport certificate already present in the client’s NSS database. If it is not specified, the command retrieves the transport certificate from the KRA and stores it in the client’s NSS database.
To archive binary data:

```
$ pki -n caadmin kra-key-archive \
    --clientKeyID testkey \
    --input-data private.key
------------------------
Archival request details
------------------------
Request ID: 0xe8a04029b85754300eea95e9abe88e8d
Key ID: 0x79b13ade36da728cf9400f659e84e417
Type: securityDataEnrollment
Status: complete
Creation Time: Tue Jun 13 16:26:05 CDT 2023
Modification Time: Tue Jun 13 16:26:05 CDT 2023
```
To archive a passphrase:

```
$ pki -n caadmin kra-key-archive \
    --clientKeyID testkey \
    --passphrase Secret.123
------------------------
Archival request details
------------------------
Request ID: 0xb28dfaa00f33ce85823c9a2693f8a5f
Key ID: 0x00ef325cf2f3a96d85b606eb7d085376dd
Type: securityDataEnrollment
Status: complete
Creation Time: Tue Jun 13 16:23:47 CDT 2023
Modification Time: Tue Jun 13 16:23:48 CDT 2023
```
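A client that automates archival usually wants the Request ID and Key ID from the output above, and should only record the Key ID once the request reports `Status: complete`. The following parser is an added example, not code from the Dogtag PKI wiki or project; it assumes the `Label: value` layout shown above and uses the page's own sample output as a constructed input.

```python
"""Parse the 'Archival request details' block printed by `pki kra-key-archive`.

Added example (not Dogtag PKI code). Assumes the "Label: value" layout shown
on the wiki page; the sample below is that page output, embedded as a string.
"""
import re

# Constructed sample: the output shown on the page for the binary-data case.
SAMPLE_OUTPUT = """\
------------------------
Archival request details
------------------------
Request ID: 0xe8a04029b85754300eea95e9abe88e8d
Key ID: 0x79b13ade36da728cf9400f659e84e417
Type: securityDataEnrollment
Status: complete
Creation Time: Tue Jun 13 16:26:05 CDT 2023
Modification Time: Tue Jun 13 16:26:05 CDT 2023
"""

# One "Label: value" line; labels may contain spaces ("Request ID").
_FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.+?)\s*$")
_HEX_ID = re.compile(r"0x[0-9a-fA-F]+")


def parse_archival_details(text):
    """Return the 'Label: value' fields as a dict, skipping the dashed
    separator lines and the 'Archival request details' banner."""
    fields = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:
            continue
        match = _FIELD.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def archival_complete(text):
    """True only when the request is a completed securityDataEnrollment."""
    fields = parse_archival_details(text)
    return (fields.get("Type") == "securityDataEnrollment"
            and fields.get("Status") == "complete")


def archived_key_id(text):
    """Return (request_id, key_id) for a completed archival.

    Raises if a required field is missing, the IDs are not hex, or the
    request has not completed, so callers never store a half-finished ID."""
    fields = parse_archival_details(text)
    for required in ("Request ID", "Key ID", "Type", "Status"):
        if required not in fields:
            raise ValueError(f"missing field in pki output: {required}")
    if not archival_complete(text):
        raise RuntimeError(f"archival not complete: {fields['Status']}")
    for name in ("Request ID", "Key ID"):
        if not _HEX_ID.fullmatch(fields[name]):
            raise ValueError(f"unexpected {name} format: {fields[name]}")
    return fields["Request ID"], fields["Key ID"]


if __name__ == "__main__":
    request_id, key_id = archived_key_id(SAMPLE_OUTPUT)
    print(f"request {request_id} archived key {key_id}")
```

In practice the text passed to `archived_key_id` is the captured stdout of the `pki` invocation; keeping the Request ID alongside the Key ID makes it possible to reconcile the client's record with the KRA's request log later.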
To archive a pre-encrypted secret, store the input in a file (e.g. `input.json`):

```json
{
    "Attributes": {
        "Attribute": [
            {
                "name": "clientKeyID",
                "value": "testkey"
            },
            {
                "name": "dataType",
                "value": "symmetricKey"
            },
            {
                "name": "wrappedPrivateData",
                "value": "..."
            },
            {
                "name": "keyAlgorithm",
                "value": "AES"
            },
            {
                "name": "realm",
                "value": "example"
            },
            {
                "name": "keySize",
                "value": "128"
            }
        ]
    },
    "ClassName": "com.netscape.certsrv.key.KeyArchivalRequest"
}
```
Then execute the following command:

```
$ pki -n caadmin kra-key-archive \
    --input input.json \
    --input-format json
```
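Writing that request file by hand is error-prone: every value, including `keySize`, is a string, and a request with an empty `wrappedPrivateData` is useless. The builder below is an added example, not Dogtag PKI code; it reproduces the attribute layout shown above, and the wrapped-data value it is called with is a labelled placeholder standing in for the secret that has already been encrypted for the KRA.

```python
"""Build the JSON body for `pki kra-key-archive --input input.json --input-format json`.

Added example (not Dogtag PKI code). It emits the Attributes/Attribute layout
shown on the wiki page; the wrappedPrivateData value passed in below is a
placeholder, not real wrapped key material.
"""
import json

CLASS_NAME = "com.netscape.certsrv.key.KeyArchivalRequest"


def build_archival_request(client_key_id, wrapped_private_data,
                           data_type="symmetricKey", key_algorithm="AES",
                           key_size=128, realm=None):
    """Return the request as a dict in the form the page shows.

    Attribute order matches the page; all values are emitted as strings
    (keySize "128", not the number 128)."""
    if not client_key_id:
        raise ValueError("clientKeyID is required")
    if not wrapped_private_data:
        raise ValueError("wrappedPrivateData must carry the pre-encrypted secret")
    attrs = [
        ("clientKeyID", client_key_id),
        ("dataType", data_type),
        ("wrappedPrivateData", wrapped_private_data),
        ("keyAlgorithm", key_algorithm),
    ]
    if realm is not None:
        attrs.append(("realm", realm))
    attrs.append(("keySize", str(key_size)))
    return {
        "Attributes": {
            "Attribute": [{"name": name, "value": value} for name, value in attrs]
        },
        "ClassName": CLASS_NAME,
    }


def attribute(request, name):
    """Look up one attribute value in a built request (None if absent)."""
    for entry in request["Attributes"]["Attribute"]:
        if entry["name"] == name:
            return entry["value"]
    return None


def to_json(request):
    """Serialise the request in the indented form used on the page."""
    return json.dumps(request, indent=4)


def write_request(path, request):
    """Write the request to `path` for use with --input <path>."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(to_json(request))
        fh.write("\n")


if __name__ == "__main__":
    # Placeholder value: real input holds the secret already encrypted for the KRA.
    req = build_archival_request("testkey", "<WRAPPED_PRIVATE_DATA_PLACEHOLDER>",
                                 realm="example")
    write_request("input.json", req)
    print(to_json(req))
```

The `realm` attribute is optional in this builder because the page shows it but says nothing about it being mandatory; omit the argument to leave it out of the request.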