Exporting certificates
Use the export-certificate
subcommand to export a single certificate or a certificate chain from a key store to a file in PEM or DER format.
The export-certificate
subcommand supports the normal arguments about the key store and certificate alias, in addition to the following arguments:
--output-file {path}
-
Path to the file to which exported certificates are written. If this value is not provided, the certificates are written to standard output rather than a file.
--output-format {format}
-
Format in which exported certificates are written. The value can be
PEM
orDER
, but the DER format can be used only if the output is written to a file. Defaults toPEM
if no value is specified. --export-certificate-chain
-
Indicates that a certificate chain, rather than the end-entity certificate only, is to be exported.
--separate-file-per-certificate
-
Indicates the use of separate output files for each exported certificate, rather than placing all of the certificates in a single file. If this argument is provided and multiple certificates are to be exported, then
.1
is appended to the path for the indicated output file for the first certificate in the chain,.2
is appended for the second certificate, and so on.
The following example exports a certificate chain.
$ bin/manage-certificates export-certificate \
--keystore config/keystore \
--keystore-password-file config/keystore.pin \
--alias server-cert \
--output-file server-cert.pem \
--output-format PEM \
--export-certificate-chain \
--separate-file-per-certificate
Successfully exported the following certificate to '/ds/server-cert.pem.1':
Subject DN: CN=ds.example.com,O=Example Corp,C=US
Issuer DN: CN=Example Root CA,O=Example Corp,C=US
Validity Start Time: Sunday, November 10, 2019 at 09:09:23 PM CST
(3 hours, 26 minutes, 23 seconds ago)
Validity End Time: Monday, November 9, 2020 at 09:09:23 PM CST
(364 days, 20 hours, 33 minutes, 36 seconds from now)
Validity State: The certificate is currently within the validity window.
Signature Algorithm: SHA-256 with ECDSA
Public Key Algorithm: EC (secP256r1)
SHA-1 Fingerprint: 02:51:25:43:3e:68:f5:71:36:e3:5d:df:74:de:f6:a1:5a:db:0f:eb
SHA-256 Fingerprint:
1d:b5:eb:3c:f5:ff:bf:79:a2:a5:86:b8:e4:33:76:4d:d7:50:dc:a4:34:95:37:be:89:45:
86:1f:5d:79:c3:93
Successfully exported the following certificate to '/ds/server-cert.pem.2':
Subject DN: CN=Example Root CA,O=Example Corp,C=US
Issuer DN: CN=Example Root CA,O=Example Corp,C=US
Validity Start Time: Sunday, November 10, 2019 at 09:00:07 PM CST
(3 hours, 35 minutes, 39 seconds ago)
Validity End Time: Saturday, November 5, 2039 at 10:00:07 PM CDT
(7299 days, 20 hours, 24 minutes, 20 seconds from now)
Validity State: The certificate is currently within the validity window.
Signature Algorithm: SHA-256 with ECDSA
Public Key Algorithm: EC (secP384r1)
SHA-1 Fingerprint: 0e:5c:21:c9:a5:36:0a:24:eb:aa:55:b6:a5:94:0e:e0:56:03:22:e6
SHA-256 Fingerprint:
77:cf:66:d7:3c:8a:fd:67:2d:b7:36:fd:60:1d:ca:eb:1b:03:b1:12:7b:10:1f:26:
05:b7:b9:0d:02:e0:38:3e
The export-certificate
subcommand exports only the public portion of a certificate. Its private key is not included. To export the private key, use the export-private-key
subcommand, which supports the following arguments, in addition to the usual key store and alias arguments:
--output-file {path}
-
Path to the file to which the exported private key is written. If this value is not provided, the key is written to standard output rather than a file.
--output-format {format}
-
Format in which the exported private key is written. The value can be
PEM
orDER
, but the DER format is used only if the output is written to a file. Defaults toPEM
if no value is specified.
The following code provides an example of the export-private-key
subcommand .
$ bin/manage-certificates export-private-key \
--keystore config/keystore \
--keystore-password-file config/keystore.pin \
--alias server-cert \
--output-file server-cert-key.pem \
--output-format PEM
Successfully exported the private key.