Archiving Key in KRA - dogtagpki/pki GitHub Wiki

Overview

The pki kra-key-archive command can be used to archive binary data, a passphrase, or a pre-encrypted secret into KRA.

The command accepts a --transport <nickname> parameter that can be used to specify the nickname of the transport certificate already in the client’s NSS database. If not specified, the command will retrieve the transport certificate from KRA and store it in the client’s NSS database.

Archiving Binary Data

To archive binary data:

$ pki -n caadmin kra-key-archive \
    --clientKeyID testkey \
    --input-data private.key
------------------------
Archival request details
------------------------
  Request ID: 0xe8a04029b85754300eea95e9abe88e8d
  Key ID: 0x79b13ade36da728cf9400f659e84e417
  Type: securityDataEnrollment
  Status: complete
  Creation Time: Tue Jun 13 16:26:05 CDT 2023
  Modification Time: Tue Jun 13 16:26:05 CDT 2023

Archiving Passphrase

To archive a passphrase:

$ pki -n caadmin kra-key-archive \
    --clientKeyID testkey \
    --passphrase Secret.123
------------------------
Archival request details
------------------------
  Request ID: 0xb28dfaa00f33ce85823c9a2693f8a5f
  Key ID: 0x00ef325cf2f3a96d85b606eb7d085376dd
  Type: securityDataEnrollment
  Status: complete
  Creation Time: Tue Jun 13 16:23:47 CDT 2023
  Modification Time: Tue Jun 13 16:23:48 CDT 2023

Archiving Pre-encrypted Secret

To archive a pre-encrypted secret, store the input in a file (e.g. input.json):

{
    "Attributes": {
        "Attribute": [
            {
                "name": "clientKeyID",
                "value": "testkey"
            },
            {
                "name": "dataType",
                "value": "symmetricKey"
            },
            {
                "name": "wrappedPrivateData",
                "value": "..."
            },
            {
                "name": "keyAlgorithm",
                "value": "AES"
            },
            {
                "name": "realm",
                "value": "example"
            },
            {
                "name": "keySize",
                "value": "128"
            }
        ]
    },
    "ClassName": "com.netscape.certsrv.key.KeyArchivalRequest"
}

Then execute the following command:

$ pki -n caadmin kra-key-archive \
    --input input.json \
    --input-format json
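As an added example (not the project's own code), the following Python script builds the KeyArchivalRequest JSON shown above for a pre-encrypted symmetric key and parses the "Archival request details" output, so that a wrapper script only records a Key ID when the request Status is complete. The sample output is constructed from the page's own example; the wrappedPrivateData value is left to the caller.

```python
import json
import re

# Constructed from the page's sample output (IDs are the page's example values).
SAMPLE_OUTPUT = """------------------------
Archival request details
------------------------
  Request ID: 0xe8a04029b85754300eea95e9abe88e8d
  Key ID: 0x79b13ade36da728cf9400f659e84e417
  Type: securityDataEnrollment
  Status: complete
  Creation Time: Tue Jun 13 16:26:05 CDT 2023
  Modification Time: Tue Jun 13 16:26:05 CDT 2023
"""

def build_archival_request(client_key_id, wrapped_private_data, realm,
                           key_algorithm="AES", key_size=128):
    """Build the KeyArchivalRequest JSON (the input.json shape above) for a
    pre-encrypted symmetric key. Attribute order follows the page."""
    if not client_key_id:
        raise ValueError("clientKeyID must not be empty")
    if key_size <= 0:
        raise ValueError("keySize must be positive")
    attrs = [
        ("clientKeyID", client_key_id),
        ("dataType", "symmetricKey"),
        ("wrappedPrivateData", wrapped_private_data),
        ("keyAlgorithm", key_algorithm),
        ("realm", realm),
        ("keySize", str(key_size)),  # the request carries keySize as a string
    ]
    return {
        "Attributes": {"Attribute": [{"name": n, "value": v} for n, v in attrs]},
        "ClassName": "com.netscape.certsrv.key.KeyArchivalRequest",
    }

_FIELD = re.compile(r"^\s*(Request ID|Key ID|Type|Status): (.+?)\s*$", re.M)

def parse_archival_output(text):
    """Pull Request ID, Key ID, Type and Status out of the CLI output and
    refuse to return a Key ID for a request that did not complete."""
    fields = dict(_FIELD.findall(text))
    missing = {"Request ID", "Key ID", "Status"} - set(fields)
    if missing:
        raise ValueError(f"unexpected kra-key-archive output, missing {sorted(missing)}")
    if fields["Status"] != "complete":
        raise RuntimeError(f"request {fields['Request ID']} status: {fields['Status']}")
    return fields
```

Write `json.dumps(build_archival_request(...), indent=4)` to input.json, pass it with `--input input.json --input-format json`, and feed the command's output to `parse_archival_output` to capture the Key ID for later retrieval.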
