Retrieving Archived Key - dogtagpki/pki GitHub Wiki
This page describes the process to retrieve a key or passphrase already archived in KRA.
By default the retrieval will use randomly generated security parameters. To retrieve with specific security parameters see PKI KRA Key Retrieve Java API.
By default the CLI will retrieve the latest transport certificate from the KRA.
For efficiency, the transport certificate can be stored in the local NSS database, and its nickname then specified with the `--transport <nickname>` parameter.
To retrieve the key archived during certificate enrollment, prepare the request in a file (e.g. `request.json`):

```json
{
  "ClassName" : "com.netscape.certsrv.key.KeyRecoveryRequest",
  "Attributes" : {
    "Attribute" : [
      { "name" : "keyId", "value" : "<key ID>" },
      { "name" : "certificate", "value" : "<base64-encoded certificate>" },
      { "name" : "passphrase", "value" : "<password for PKCS #12 file>" }
    ]
  }
}
```
Then execute the following command:
```
$ pki -n caadmin kra-key-retrieve \
    --input request.json \
    --output-data output.p12
```
The PKCS #12 file will contain the certificate and the archived key.
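As an added example (not from the wiki page or the pki project), the following Python script produces a `request.json` in the format shown above from a PEM certificate, a key ID and a PKCS #12 passphrase. It assumes the `certificate` attribute takes the base64 DER body of the certificate with the PEM armor and line breaks removed; the sample certificate is a constructed placeholder so the script runs offline, and the file is written with owner-only permissions because it carries the passphrase.

```python
import base64
import json
import re
from pathlib import Path

# Constructed stand-in for a certificate file: the DER body is a few placeholder
# bytes, not a real certificate, so the example runs offline.
SAMPLE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"\x30\x05\x02\x01\x01\x05\x00").decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_base64(pem_text: str) -> str:
    """Return the base64 DER body of the first CERTIFICATE block as one line.

    Assumption: the "certificate" attribute takes the base64 DER of the
    certificate, i.e. the PEM body without armor or line breaks.
    """
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S
    )
    if not match:
        raise ValueError("no CERTIFICATE block found in input")
    body = "".join(match.group(1).split())
    base64.b64decode(body, validate=True)  # reject malformed base64 early
    return body


def build_key_recovery_request(key_id: str, cert_b64: str, passphrase: str) -> dict:
    """Build the KeyRecoveryRequest structure documented on this page."""
    if not key_id:
        raise ValueError("key ID is required")
    if not passphrase:
        raise ValueError("a PKCS #12 passphrase is required")
    return {
        "ClassName": "com.netscape.certsrv.key.KeyRecoveryRequest",
        "Attributes": {
            "Attribute": [
                {"name": "keyId", "value": key_id},
                {"name": "certificate", "value": cert_b64},
                {"name": "passphrase", "value": passphrase},
            ]
        },
    }


def attribute(request: dict, name: str) -> str:
    """Look up one attribute value by name (used by the checks below)."""
    for attr in request["Attributes"]["Attribute"]:
        if attr["name"] == name:
            return attr["value"]
    raise KeyError(name)


def write_request(path: Path, request: dict) -> Path:
    """Write the request as JSON, owner-readable only since it holds the passphrase."""
    path.write_text(json.dumps(request, indent=2) + "\n")
    path.chmod(0o600)
    return path


if __name__ == "__main__":
    req = build_key_recovery_request(
        "0x79b13ade36da728cf9400f659e84e417",  # key ID taken from the examples on this page
        pem_to_base64(SAMPLE_CERT_PEM),
        "PKCS12-passphrase-placeholder",  # constructed value
    )
    write_request(Path("request.json"), req)
    print(json.dumps(req, indent=2))
```

Run it next to the PEM you intend to use (replace `SAMPLE_CERT_PEM` with the file contents), then pass the resulting `request.json` to `pki kra-key-retrieve --input` as shown above.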
Availability: Since PKI 11.6.
To retrieve a key and store it into a file:
```
$ pki -n caadmin kra-key-retrieve --keyID 0x79b13ade36da728cf9400f659e84e417 --output-data private.key
------------------------
Retrieve Key Information
------------------------
Nonce data: rYkeh4Rb+MI=
Output: private.key
```
To retrieve a key and display it on the screen:
```
$ pki -n caadmin kra-key-retrieve --keyID 0x79b13ade36da728cf9400f659e84e417
------------------------
Retrieve Key Information
------------------------
Nonce data: rYkeh4Rb+MI=
Actual archived data: MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALTyleypbSGRnb8+
P/BItA74mTdLX4eFY+fKE4hraeOV4ts+4M9qfry/FJkbMq3dpIpsxuMmGclbHEUQ
J/MfLAHgaxwVLGK8qCGb0IeY0Z7qIbGucSCLcDVpODlsTvqftK/SJZm56ODu7xXh
CZT6MFzv07jJ19MYvNm+1NWthuB1AgMBAAECgYEAgCj5i2ANDaOniRa8DqJP9fKa
ApH+HWya8EcuQodhvnIg9Yy5ie8xyNnF6xNad87uhaS50ZTg2r8PbNMemJJRhenP
xCCF4nht7C7YfeMS9dohAmi15IFga5rRJ2p9TYZXaHBDbg7SUGk4l0/w6kDTXxfI
t9X8h7rc46YfEI2BEoECQQDbVXp/OWbGCtHQMvCX6SeoDbi7j/fF6RkC02fNhlNt
t0yhFPXu+TOifB6wLgoyAPP5aFCBDSkli+4VhsSLQoBRAkEA0zJX2OQywnj5jpfA
NvwHQF0T4tQz/kuNrzM0JNztMeV7EBXdycPWC/jWE0Ml0u5BSqWxa/cHZrT+Ts8p
JLqY5QJAdRTkFxXlLsKHzcPjerQTXzoz6quncBZGK6P+PU//KQo39aTiw3ZzgcEQ
AKwS9S5dDj4I+1qzJD/WD9epA020gQJAO8w5S1Pxe1a9cj5NUkQx2WuBQexLfGjw
CPc6gGV9U29iVL+cOJCWfnVKR9HvV7XWDsizX5pmIhKFHtNRFvEucQJBANS4zipX
m09uLdioohLoKrfp0gdqyiEnCXWX08PwenuU+VsQOVx80nw5S1M+nnFHK4KO+Zsi
xc8DHiXQl0lyXD0=
```
To retrieve a passphrase and store it into a file:
```
$ pki -n caadmin kra-key-retrieve --keyID 0x00ef325cf2f3a96d85b606eb7d085376dd --output-data secret.txt
------------------------
Retrieve Key Information
------------------------
Nonce data: 5GbhZgyFsaOOcXT203uosQ==
Output: secret.txt
```
To retrieve a passphrase and display it on the screen:
```
$ pki -n caadmin kra-key-retrieve --keyID 0x00ef325cf2f3a96d85b606eb7d085376dd
------------------------
Retrieve Key Information
------------------------
Nonce data: 5GbhZgyFsaOOcXT203uosQ==
Actual archived data: U2VjcmV0LjEyMw==
```
The passphrase can be decoded with the following command:
```
$ echo "U2VjcmV0LjEyMw==" | base64 -d
Secret.123
```
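The two kinds of `Actual archived data` shown on this page (a PKCS #8 private key and a passphrase) can be told apart before anything is decoded to the terminal. The following Python script is an added example, not part of the wiki page or of the `pki` CLI: it extracts the value after `Actual archived data:` from captured `kra-key-retrieve` output, rejoins the wrapped base64 lines, and reports whether the payload is a PKCS #8 PrivateKeyInfo (algorithm and size only; the key bytes are never echoed) or a printable passphrase. The sample outputs are constructed from the passphrase values on this page plus a placeholder PKCS #8 header containing no real key; the OID-to-name table is an assumption.

```python
import base64

# Well-known PKCS #8 algorithm identifiers (assumed mapping, not from the page).
KEY_ALGORITHMS = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.10045.2.1": "id-ecPublicKey",
}


def extract_archived_data(cli_output: str) -> str:
    """Return the base64 after "Actual archived data:", joining wrapped lines."""
    lines = cli_output.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith("Actual archived data:"):
            parts = [line.split(":", 1)[1].strip()]
            for more in lines[i + 1:]:
                if not more.strip():
                    break
                parts.append(more.strip())
            return "".join(parts)
    raise ValueError("no 'Actual archived data' line in output")


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER TLV at pos (definite lengths only)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Decode DER OID contents into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _parse_pkcs8(raw: bytes):
    """Return a summary dict if raw is a PrivateKeyInfo, else None."""
    try:
        _, body, end = _read_tlv(raw, 0)
        if raw[0] != 0x30 or end != len(raw):
            return None
        vtag, version, p = _read_tlv(body, 0)   # INTEGER version
        atag, alg, p = _read_tlv(body, p)       # SEQUENCE AlgorithmIdentifier
        ktag, key, _ = _read_tlv(body, p)       # OCTET STRING privateKey
        otag, oid, _ = _read_tlv(alg, 0)        # OBJECT IDENTIFIER algorithm
        if (vtag, atag, ktag, otag) != (0x02, 0x30, 0x04, 0x06):
            return None
    except (ValueError, IndexError):
        return None
    dotted = _decode_oid(oid)
    return {
        "kind": "pkcs8-private-key",
        "version": int.from_bytes(version, "big"),
        "algorithm": KEY_ALGORITHMS.get(dotted, dotted),
        "key_bytes": len(key),  # size only; the key material is not returned
    }


def classify_archived_data(b64: str) -> dict:
    """Describe the decoded payload; only passphrases are returned in the clear."""
    raw = base64.b64decode(b64, validate=True)
    info = _parse_pkcs8(raw)
    if info:
        return info
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return {"kind": "binary", "length": len(raw)}
    if not text.isprintable():
        return {"kind": "binary", "length": len(raw)}
    return {"kind": "passphrase", "value": text}


# Constructed sample built from the passphrase example on this page.
SAMPLE_PASSPHRASE_OUTPUT = """\
------------------------
Retrieve Key Information
------------------------
Nonce data: 5GbhZgyFsaOOcXT203uosQ==
Actual archived data: U2VjcmV0LjEyMw==
"""

# Constructed PKCS #8 header with a 4-byte placeholder instead of a real key.
SAMPLE_PKCS8_DER = bytes.fromhex(
    "3018"                             # SEQUENCE, 24 bytes
    "020100"                           # INTEGER version 0
    "300d06092a864886f70d0101010500"   # AlgorithmIdentifier: rsaEncryption, NULL
    "0404deadbeef"                     # OCTET STRING placeholder
)
SAMPLE_PKCS8_B64 = base64.b64encode(SAMPLE_PKCS8_DER).decode()
# Constructed output with the base64 wrapped onto two lines, as the CLI does.
SAMPLE_KEY_OUTPUT = (
    "Nonce data: rYkeh4Rb+MI=\n"
    "Actual archived data: " + SAMPLE_PKCS8_B64[:20] + "\n"
    + SAMPLE_PKCS8_B64[20:] + "\n"
)

if __name__ == "__main__":
    print(classify_archived_data(extract_archived_data(SAMPLE_PASSPHRASE_OUTPUT)))
    print(classify_archived_data(extract_archived_data(SAMPLE_KEY_OUTPUT)))
```

Feed it captured CLI output (`pki ... kra-key-retrieve ... > out.txt`) rather than pasting the base64 by hand; the DER check runs first so that a passphrase which happens to start with `0` (byte 0x30) is not mistaken for a key unless it actually parses as a complete PrivateKeyInfo.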