--- title: Exporting certificates description: Use the export-certificate subcommand to export a single certificate or a certificate chain from a key store to a file in PEM or DER format. component: pingdirectory version: 11.0 page_id: pingdirectory:managing_servers_and_certificates:pd_ds_export_certificates canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/managing_servers_and_certificates/pd_ds_export_certificates.html revdate: August 14, 2024 --- # Exporting certificates Use the `export-certificate` subcommand to export a single certificate or a certificate chain from a key store to a file in PEM or DER format. The `export-certificate` subcommand supports the normal arguments about the key store and certificate alias, in addition to the following arguments: * `--output-file {path}` Path to the file to which exported certificates are written. If this value is not provided, the certificates are written to standard output rather than a file. * `--output-format {format}` Format in which exported certificates are written. The value can be `PEM` or `DER`, but the DER format can be used only if the output is written to a file. Defaults to `PEM` if no value is specified. * `--export-certificate-chain` Indicates that a certificate chain, rather than the end-entity certificate only, is to be exported. * `--separate-file-per-certificate` Indicates the use of separate output files for each exported certificate, rather than placing all of the certificates in a single file. If this argument is provided and multiple certificates are to be exported, then `.1` is appended to the path for the indicated output file for the first certificate in the chain, `.2` is appended for the second certificate, and so on. The following example exports a certificate chain. ```shell $ bin/manage-certificates export-certificate \ --keystore config/keystore \ --keystore-password-file config/keystore.pin \ --alias server-cert \ --output-file server-cert.pem \ --output-format PEM \ --export-certificate-chain \ --separate-file-per-certificate Successfully exported the following certificate to '/ds/server-cert.pem.1': Subject DN: CN=ds.example.com,O=Example Corp,C=US Issuer DN: CN=Example Root CA,O=Example Corp,C=US Validity Start Time: Sunday, November 10, 2019 at 09:09:23 PM CST (3 hours, 26 minutes, 23 seconds ago) Validity End Time: Monday, November 9, 2020 at 09:09:23 PM CST (364 days, 20 hours, 33 minutes, 36 seconds from now) Validity State: The certificate is currently within the validity window. Signature Algorithm: SHA-256 with ECDSA Public Key Algorithm: EC (secP256r1) SHA-1 Fingerprint: 02:51:25:43:3e:68:f5:71:36:e3:5d:df:74:de:f6:a1:5a:db:0f:eb SHA-256 Fingerprint: 1d:b5:eb:3c:f5:ff:bf:79:a2:a5:86:b8:e4:33:76:4d:d7:50:dc:a4:34:95:37:be:89:45: 86:1f:5d:79:c3:93 Successfully exported the following certificate to '/ds/server-cert.pem.2': Subject DN: CN=Example Root CA,O=Example Corp,C=US Issuer DN: CN=Example Root CA,O=Example Corp,C=US Validity Start Time: Sunday, November 10, 2019 at 09:00:07 PM CST (3 hours, 35 minutes, 39 seconds ago) Validity End Time: Saturday, November 5, 2039 at 10:00:07 PM CDT (7299 days, 20 hours, 24 minutes, 20 seconds from now) Validity State: The certificate is currently within the validity window. Signature Algorithm: SHA-256 with ECDSA Public Key Algorithm: EC (secP384r1) SHA-1 Fingerprint: 0e:5c:21:c9:a5:36:0a:24:eb:aa:55:b6:a5:94:0e:e0:56:03:22:e6 SHA-256 Fingerprint: 77:cf:66:d7:3c:8a:fd:67:2d:b7:36:fd:60:1d:ca:eb:1b:03:b1:12:7b:10:1f:26: 05:b7:b9:0d:02:e0:38:3e ``` The `export-certificate` subcommand exports only the public portion of a certificate. Its private key is not included. To export the private key, use the `export-private-key` subcommand, which supports the following arguments, in addition to the usual key store and alias arguments: * `--output-file {path}` Path to the file to which the exported private key is written. If this value is not provided, the key is written to standard output rather than a file. * `--output-format {format}` Format in which the exported private key is written. The value can be `PEM` or `DER`, but the DER format is used only if the output is written to a file. Defaults to `PEM` if no value is specified. The following code provides an example of the `export-private-key` subcommand . ```shell $ bin/manage-certificates export-private-key \ --keystore config/keystore \ --keystore-password-file config/keystore.pin \ --alias server-cert \ --output-file server-cert-key.pem \ --output-format PEM Successfully exported the private key. ```