PingDirectory

Exporting certificates

The export-certificate subcommand can be used to export a single certificate or a certificate chain from a key store to a file in either PEM or DER format.

It supports the usual key store and certificate alias arguments, as well as the following additional arguments.

Argument Description

--output-file <path>

The path to the file to which the exported certificates will be written. If this is not provided, then the certificates are written to standard output rather than a file.

--output-format <format>

The format in which the exported certificates are written. The value can be one of PEM or DER, but the DER format can only be used if the output is to be written to a file. If this is not provided, PEM is used as the default format.

--export-certificate-chain

Indicates that a certificate chain should be exported rather than just the end-entity certificate.

--separate-file-per-certificate

Indicates that a separate output file should be used for each certificate that is exported rather than placing them all in one file. If this argument is provided and multiple certificates are to be exported, then “.1” is appended to the path for the indicated output file for the first certificate in the chain, “.2” is appended for the second certificate, and so on.

For example, something like the following could be used to export a certificate chain.

$ bin/manage-certificates export-certificate \
     --keystore config/keystore \
     --keystore-password-file config/keystore.pin \
     --alias server-cert \
     --output-file server-cert.pem \
     --output-format PEM \
     --export-certificate-chain \
     --separate-file-per-certificate

Successfully exported the following certificate to '/ds/server-cert.pem.1':
Subject DN:  CN=ds.example.com,O=Example Corp,C=US
Issuer DN:  CN=Example Root CA,O=Example Corp,C=US
Validity Start Time:  Sunday, November 10, 2019 at 09:09:23 PM CST (3 hours, 26 minutes, 23 seconds ago)
Validity End Time:  Monday, November 9, 2020 at 09:09:23 PM CST (364 days, 20 hours, 33 minutes, 36 seconds from now)
Validity State:  The certificate is currently within the validity window.
Signature Algorithm:  SHA-256 with ECDSA
Public Key Algorithm:  EC (secP256r1)
SHA-1 Fingerprint:  02:51:25:43:3e:68:f5:71:36:e3:5d:df:74:de:f6:a1:5a:db:0f:eb
SHA-256 Fingerprint:  1d:b5:eb:3c:f5:ff:bf:79:a2:a5:86:b8:e4:33:76:4d:d7:50:dc:a4:34:95:37:be:89:45:86:1f:5d:79:c3:93

Successfully exported the following certificate to '/ds/server-cert.pem.2':
Subject DN:  CN=Example Root CA,O=Example Corp,C=US
Issuer DN:  CN=Example Root CA,O=Example Corp,C=US
Validity Start Time:  Sunday, November 10, 2019 at 09:00:07 PM CST (3 hours, 35 minutes, 39 seconds ago)
Validity End Time:  Saturday, November 5, 2039 at 10:00:07 PM CDT (7299 days, 20 hours, 24 minutes, 20 seconds from now)
Validity State:  The certificate is currently within the validity window.
Signature Algorithm:  SHA-256 with ECDSA
Public Key Algorithm:  EC (secP384r1)
SHA-1 Fingerprint:  0e:5c:21:c9:a5:36:0a:24:eb:aa:55:b6:a5:94:0e:e0:56:03:22:e6
SHA-256 Fingerprint:  77:cf:66:d7:3c:8a:fd:67:2d:b7:36:fd:60:1d:ca:eb:1b:03:b1:12:7b:10:1f:26:05:b7:b9:0d:02:e0:38:3e

The export-certificate subcommand only exports the public portion of a certificate and does not include its private key. If you want to export the private key, then you can use the export-private-key subcommand, which supports the following arguments in addition to the usual key store and alias arguments.

Argument Description

--output-file <path>

The path to the file to which the exported private key is written. If this is not provided, then the key is written to standard output rather than a file.

--output-format <format>

The format in which the exported private key is written. The value can be one of PEM or DER, but the DER format can only be used if the output is to be written to a file. If this is not provided, PEM is used as the default format.

The following example includes some of the arguments defined previously.

$ bin/manage-certificates export-private-key \
     --keystore config/keystore \
     --keystore-password-file config/keystore.pin \
     --alias server-cert \
     --output-file server-cert-key.pem \
     --output-format PEM

Successfully exported the private key.
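As an added example (not part of the PingDirectory documentation or of the manage-certificates tool itself), the following Python script checks an exported PEM file before it is handed to another party: it confirms that every block in the file is a CERTIFICATE block (export-certificate never writes private keys, so a PRIVATE KEY block means the wrong file, such as export-private-key output, was picked up) and recomputes each certificate's SHA-256 fingerprint over its DER bytes so it can be compared with the "SHA-256 Fingerprint:" lines the tool prints. The sample PEM input is constructed for the demonstration and is not a real certificate.

```python
import base64
import hashlib
import re

# One PEM block: "-----BEGIN <LABEL>-----", a base64 body, "-----END <LABEL>-----".
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def parse_pem(text):
    """Return [(label, der_bytes), ...] for every PEM block in text, in file order."""
    blocks = []
    for match in _PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        blocks.append((label, base64.b64decode("".join(body.split()), validate=True)))
    return blocks


def fingerprint(der, algorithm="sha256"):
    """Colon-separated lowercase hex digest of the DER bytes, laid out like the
    'SHA-256 Fingerprint:' and 'SHA-1 Fingerprint:' lines manage-certificates prints."""
    digest = hashlib.new(algorithm, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_certificate_export(text, expected_sha256):
    """Validate an exported certificate file. expected_sha256 holds the fingerprints
    the tool printed, in chain order. Returns a list of problems; empty means every
    block is a certificate and each fingerprint matches."""
    problems = []
    blocks = parse_pem(text)
    if not blocks:
        problems.append("no PEM blocks found")
    for index, (label, der) in enumerate(blocks, start=1):
        if label != "CERTIFICATE":
            # export-certificate never writes private keys, so any other block
            # means the wrong file (e.g. export-private-key output) was picked up.
            problems.append(f"block {index} is '{label}', not a certificate")
        elif index > len(expected_sha256):
            problems.append(f"block {index} has no expected fingerprint")
        elif fingerprint(der) != expected_sha256[index - 1].lower():
            problems.append(f"block {index} fingerprint mismatch: {fingerprint(der)}")
    if len(blocks) < len(expected_sha256):
        problems.append(f"expected {len(expected_sha256)} certificates, found {len(blocks)}")
    return problems


# Constructed sample input: NOT a real certificate, just the bytes b"abc" wrapped in
# a CERTIFICATE block so the checks can be exercised offline.
SAMPLE_CHAIN = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
# Constructed sample of a file that wrongly carries a private key alongside the cert.
SAMPLE_LEAK = SAMPLE_CHAIN + "-----BEGIN EC PRIVATE KEY-----\nYWJj\n-----END EC PRIVATE KEY-----\n"
```

Run check_certificate_export(open("server-cert.pem.1").read(), ["1d:b5:eb:...:c3:93"]) with the fingerprint copied from the tool's output; an empty list means the file is safe to distribute.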