Retrieving Archived Key - dogtagpki/pki GitHub Wiki

Overview

This page describes the process to retrieve a key or passphrase already archived in the KRA.

By default the retrieval uses randomly generated security parameters. To retrieve with specific security parameters, see PKI KRA Key Retrieve Java API.

By default the CLI retrieves the latest transport certificate from the KRA. For efficiency, the transport certificate can be stored in the local NSS database and its nickname passed with the --transport <nickname> parameter.

Retrieving Archived Certificate Key

To retrieve the key archived during certificate enrollment, prepare the request in a file (e.g. request.json):

{
    "ClassName" : "com.netscape.certsrv.key.KeyRecoveryRequest",
    "Attributes" : {
        "Attribute" : [ {
            "name" : "keyId",
            "value" : "<key ID>"
        }, {
            "name" : "certificate",
            "value" : "<base64-encoded certificate>"
        }, {
            "name" : "passphrase",
            "value" : "<password for PKCS #12 file>"
        } ]
    }
}

Then execute the following command:

$ pki -n caadmin kra-key-retrieve \
    --input request.json \
    --output-data output.p12

The PKCS #12 file will contain the certificate and the archived key.

Availability: Since PKI 11.6.

Retrieving Archived Key

To retrieve a key and store it in a file:

$ pki -n caadmin kra-key-retrieve --keyID 0x79b13ade36da728cf9400f659e84e417 --output-data private.key
------------------------
Retrieve Key Information
------------------------
  Nonce data: rYkeh4Rb+MI=
  Output: private.key

To retrieve a key and display it on the screen:

$ pki -n caadmin kra-key-retrieve --keyID 0x79b13ade36da728cf9400f659e84e417
------------------------
Retrieve Key Information
------------------------
  Nonce data: rYkeh4Rb+MI=
  Actual archived data: MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALTyleypbSGRnb8+

Retrieving Archived Passphrase

To retrieve a passphrase and store it in a file:

$ pki -n caadmin kra-key-retrieve --keyID 0x00ef325cf2f3a96d85b606eb7d085376dd --output-data secret.txt
------------------------
Retrieve Key Information
------------------------
  Nonce data: 5GbhZgyFsaOOcXT203uosQ==
  Output: secret.txt

To retrieve a passphrase and display it on the screen:

$ pki -n caadmin kra-key-retrieve --keyID 0x00ef325cf2f3a96d85b606eb7d085376dd
------------------------
Retrieve Key Information
------------------------
  Nonce data: 5GbhZgyFsaOOcXT203uosQ==
  Actual archived data: U2VjcmV0LjEyMw==

The passphrase can be decoded with the following command:

$ echo "U2VjcmV0LjEyMw==" | base64 -d
Secret.123
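The following is an added example, not code from the Dogtag wiki or from the pki CLI itself. It builds the KeyRecoveryRequest document shown above for the certificate-key case from a PEM file, and decodes the "Actual archived data" value that kra-key-retrieve prints for an archived passphrase. The helper names are mine, and it assumes the "certificate" attribute carries the certificate's base64 DER body without the PEM header and footer lines.

```python
# Added example (not from the Dogtag wiki or the pki CLI): build the KeyRecoveryRequest
# JSON that `pki kra-key-retrieve --input request.json` reads, and decode the
# "Actual archived data" line the CLI prints. Assumption (mine): the "certificate"
# attribute holds the certificate's base64 DER body without PEM header/footer lines.
import base64
import re

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
_DATA_RE = re.compile(r"^\s*Actual archived data:\s*(\S+)\s*$", re.M)


def pem_to_base64_der(pem: str) -> str:
    """First CERTIFICATE block as one-line base64 DER; rejects invalid base64."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    return base64.b64encode(der).decode("ascii")


def build_key_recovery_request(key_id: str, cert_pem: str, passphrase: str) -> dict:
    """Assemble the request document in the shape the wiki page shows."""
    if not passphrase:
        raise ValueError("a PKCS #12 passphrase is required")
    return {
        "ClassName": "com.netscape.certsrv.key.KeyRecoveryRequest",
        "Attributes": {"Attribute": [
            {"name": "keyId", "value": key_id},
            {"name": "certificate", "value": pem_to_base64_der(cert_pem)},
            {"name": "passphrase", "value": passphrase},
        ]},
    }


def decode_archived_data(cli_output: str) -> bytes:
    """Decode the base64 'Actual archived data' value from kra-key-retrieve output."""
    m = _DATA_RE.search(cli_output)
    if not m:
        raise ValueError("no 'Actual archived data' line in output")
    return base64.b64decode(m.group(1), validate=True)


# Constructed sample inputs: the PEM body is arbitrary bytes, not a real certificate;
# the output lines copy the passphrase example on this page.
SAMPLE_BODY = base64.b64encode(b"not-a-real-certificate").decode("ascii")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(SAMPLE_BODY[i:i + 16] for i in range(0, len(SAMPLE_BODY), 16))
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_OUTPUT = "  Nonce data: 5GbhZgyFsaOOcXT203uosQ==\n  Actual archived data: U2VjcmV0LjEyMw==\n"
```

Write the returned dict out with json.dump and restrict the file to its owner (mode 0600), since request.json holds the PKCS #12 passphrase in clear.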