Exporting CA System Certificates - dogtagpki/pki GitHub Wiki
This page describes the process to export CA system certificates, the keys, and the CSRs.
To export the certificate chain into a certificate bundle:
```
$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    nss-cert-export \
    --output-file cert_chain.pem \
    --with-chain \
    ca_signing
```
To export the certificate chain into a PKCS #7 file:
```
$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    pkcs7-export \
    --pkcs7 cert_chain.p7b \
    ca_signing
```
To export the system certificates without their keys into separate files, execute the following commands:
```
$ pki-server cert-export ca_signing --cert-file ca_signing.crt
$ pki-server cert-export ca_ocsp_signing --cert-file ca_ocsp_signing.crt
$ pki-server cert-export ca_audit_signing --cert-file ca_audit_signing.crt
$ pki-server cert-export subsystem --cert-file subsystem.crt
$ pki-server cert-export sslserver --cert-file sslserver.crt
```
To export the system certificates together with their private keys into a single PKCS #12 file, execute the following command:
```
$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    pkcs12-export \
    --pkcs12 ca-certs.p12 \
    --password Secret.123 \
    ca_signing \
    ca_ocsp_signing \
    ca_audit_signing \
    subsystem \
    sslserver
```
In PKI 11.5 or later the system CSRs can be obtained directly from the /var/lib/pki/pki-tomcat/conf/certs folder:

- ca_signing.csr
- ca_ocsp_signing.csr
- ca_audit_signing.csr
- subsystem.csr
- sslserver.csr
In older PKI versions the CSRs are stored as base64 values under the `<subsystem>.<nickname>.certreq` keys in the CA's CS.cfg, and need to be exported with the following commands:
```
$ echo "-----BEGIN CERTIFICATE REQUEST-----" > ca_signing.csr
$ sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/conf/ca/CS.cfg >> ca_signing.csr
$ echo "-----END CERTIFICATE REQUEST-----" >> ca_signing.csr

$ echo "-----BEGIN CERTIFICATE REQUEST-----" > ca_ocsp_signing.csr
$ sed -n "/^ca.ocsp_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/conf/ca/CS.cfg >> ca_ocsp_signing.csr
$ echo "-----END CERTIFICATE REQUEST-----" >> ca_ocsp_signing.csr

$ echo "-----BEGIN CERTIFICATE REQUEST-----" > ca_audit_signing.csr
$ sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/conf/ca/CS.cfg >> ca_audit_signing.csr
$ echo "-----END CERTIFICATE REQUEST-----" >> ca_audit_signing.csr

$ echo "-----BEGIN CERTIFICATE REQUEST-----" > subsystem.csr
$ sed -n "/^ca.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/conf/ca/CS.cfg >> subsystem.csr
$ echo "-----END CERTIFICATE REQUEST-----" >> subsystem.csr

$ echo "-----BEGIN CERTIFICATE REQUEST-----" > sslserver.csr
$ sed -n "/^ca.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/conf/ca/CS.cfg >> sslserver.csr
$ echo "-----END CERTIFICATE REQUEST-----" >> sslserver.csr
```
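The per-certificate `echo`/`sed`/`echo` sequence above, as an added example that is not part of the Dogtag wiki or the pki project, generalized into a small script: a helper (the hypothetical `export_csr`) pulls one `certreq` value out of a CS.cfg-style file, matches the key literally rather than as a regex, refuses to write an empty file when the key is missing, wraps the body at the conventional 64 columns, and creates the output with restrictive permissions; a second helper (`pem_csr_ok`) checks that what was written is a well-formed PEM request. The CS.cfg content is constructed sample data, not a real instance configuration.

```shell
#!/bin/sh
# Added example (not from the Dogtag wiki): pull the base64 CSR stored under a
# "<subsystem>.<nickname>.certreq=" key out of a CS.cfg-style file and write it
# as a PEM certificate request, then sanity-check the result.
# The CS.cfg below is CONSTRUCTED sample data, not a real instance configuration.

WORK=${TMPDIR:-/tmp}/csr-export.$$
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
CFG=$WORK/CS.cfg

cat > "$CFG" <<'EOF'
# constructed sample: a real CS.cfg stores each certreq as one long base64 line
ca.signing.certreq=MIICWjCCAUICAQAwQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJD==
ca.ocsp_signing.certreq=MIIBtjCCAR8CAQAwREVGREVGREVGREVGREVGREVG
kra.storage.certreq=MIIBnotACAKeyAndMustNotBeSelected
EOF

# export_csr CFG KEY OUT: write the PEM CSR for KEY from CFG into OUT (mode 0600).
# Fails (exit 1) when KEY is absent, instead of producing an empty "CSR" file.
export_csr() {
    cfg=$1 key=$2 out=$3
    # Escape the dots so "ca.signing.certreq" is matched literally, not as a regex.
    pattern=$(printf '%s' "$key" | sed 's/\./\\./g')
    body=$(sed -n "/^${pattern}=/ s/^[^=]*=// p" "$cfg")
    if [ -z "$body" ]; then
        echo "export_csr: $key not found in $cfg" >&2
        return 1
    fi
    (
        umask 077   # keep exported material private by default
        {
            echo "-----BEGIN CERTIFICATE REQUEST-----"
            printf '%s\n' "$body" | fold -w 64   # PEM bodies are 64 columns wide
            echo "-----END CERTIFICATE REQUEST-----"
        } > "$out"
    )
}

# pem_csr_ok FILE: exit 0 when FILE has the CSR header and footer and only
# base64 lines of at most 64 characters in between.
pem_csr_ok() {
    f=$1
    [ "$(sed -n '1p' "$f")" = "-----BEGIN CERTIFICATE REQUEST-----" ] || return 1
    [ "$(sed -n '$p' "$f")" = "-----END CERTIFICATE REQUEST-----" ] || return 1
    bad=$(sed '1d;$d' "$f" | grep -v -c -E '^[A-Za-z0-9+/=]{1,64}$' || true)
    [ "$bad" -eq 0 ]
}

# csr_lines FILE: number of lines in FILE (header + wrapped body + footer).
csr_lines() {
    wc -l < "$1" | tr -d ' '
}

# The wiki's per-certificate sequence, as one loop over the CA nicknames.
for nick in signing ocsp_signing audit_signing subsystem sslserver; do
    if export_csr "$CFG" "ca.${nick}.certreq" "$WORK/ca_${nick}.csr" 2>/dev/null; then
        pem_csr_ok "$WORK/ca_${nick}.csr" && echo "ca_${nick}.csr: $(csr_lines "$WORK/ca_${nick}.csr") lines"
    else
        echo "ca_${nick}.csr: no certreq entry in $CFG"
    fi
done
```

On a real instance, point `CFG` at `/var/lib/pki/pki-tomcat/conf/ca/CS.cfg` and drop the constructed heredoc; the loop then writes one `.csr` per nickname and reports any nickname whose request is not recorded in the configuration, which is the failure the one-liner `sed` silently turns into a header-and-footer-only file.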