Importing and exporting keys using the command line
This topic describes how to import and export keys.
About this task
Procedure
-
Use the gskcmd command-line interface to import certificates from another
key database. Enter the following command on one line:
where:install_root/bin/gskcmd -cert -import -db filename [-pw password | -stashed] -label label -new_label new_label -target filename -target_pw password [-type cms | jceks | jks | kdb | p12 | pkcs12] [-target_type cms | jceks | jks | kdb | p12 | pkcs12 | pkcs12s2]
- -cert specifies a certificate.
- -import specifies an import action.
- -db
filename
indicates the name of the database. - -pw
password
indicates the password to access the key database. Instead of -pw, you can specify -stashed to use the password for the key database from the stash file. - -label
label
indicates the label that is attached to the certificate. - -new_label
new_label
re-labels the certificate in the target key database. - -target
filename
indicates the destination database. - -target_pw
password
indicates the password for the key database if -target specifies a key database. - -type indicates the source database that is specified by the
-db operand. Options are
cms
,jceks
,jks
,kdb
,p12
, andpkcs12
. - -target_type indicates the type of database that is specified by the
-target operand. Options are
cms
,jceks
,jks
,kdb
,p12
,pkcs12
, andpkcs12s2
.
- Use the GSKCapiCmd tool to import certificates from another key
database.
GSKCapiCmd is a tool that manages keys, certificates, and certificate requests within a CMS key database. The tool has all of the functionality that the existing IBM® Global Security Kit (GSKit) Java™ command line tool has, except GSKCapiCmd supports CMS and PKCS11 key databases. If you plan to manage key databases other than CMS or PKCS11, use the existing Java tool. You can use GSKCapiCmd to manage all aspects of a CMS key database. GSKCapiCmd does not require Java to be installed on the system.
install_root/bin/gskcapicmd -cert -import -db name | -crypto module_name [-tokenlabel token_label] [-pw password | -stashed] [-secondaryDB filename -secondaryDBpw password] -label label [-new_label new_label] -target name [-target_pw password] [-type cms | jceks | jks | kdb | p12 | pkcs12] [-target_type cms | pkcs11] [-fips]
-
Use the gskcmd command-line interface to export certificates from another
key database. Enter the following command on one line:
where:install_root/bin/gskcmd -cert -export -db filename [-pw password | -stashed] -label label -target filename -target_pw password [-type cms | jceks | jks | kdb | p12 | pkcs12] [-target_type cms | jks | jceks | pkcs12]
- -cert specifies a personal certificate.
- -export specifies an export action.
- -db
filename
is the name of the database. - -pw
password
is the password to access the key database. - -pw
password
indicates the password to access the key database. Instead of -pw, you can specify -stashed to use the password for the key database from the stash file. - -label
label
is the label attached to the certificate. - -target
filename
is the destination file or database. If the target_type is JKS, CMS, or JCEKS, the database specified here must exist. - -target_pw
password
is the password for the target key database. - -type indicates the source database that is specified by the
-db operand. Options are
cms
,jceks
,jks
,kdb
,p12
, andpkcs12
. - -target_type is the type of database specified by the -target
operand. Options are
cms
,jks
,jceks
, andpkcs12
.
- Use the GSKCapiCmd tool to export certificates from another key
database.
GSKCapiCmd is a tool that manages keys, certificates, and certificate requests within a CMS key database. The tool has all the functionality that the existing IBM Global Security Kit (GSKit) Java command line tool has, except GSKCapiCmd supports CMS and PKCS11 key databases. If you plan to manage key databases other than CMS or PKCS11, use the existing Java tool. You can use GSKCapiCmd to manage all aspects of a CMS key database. GSKCapiCmd does not require Java to be installed on the system.
where:install_root/bin/gskcapicmd -cert -export -db name | -crypto module_name [-tokenlabel token_label] [-pw password | -stashed] [-secondarydb filename -secondarydbpw password -secondarydbtype type] [-label label] [-encryption strong | weak] -target name | -crypto module_name [-target_pw password | -target_stashed] [-type cms | kdb | pkcs11 | pkcs12 | p12] [-target_type cms | kdb | pkcs11 | pkcs12 | p12]
- -cert specifies a personal certificate.
- -export specifies an export action.
- -db
name
is the name of the database. Instead of -db, you can specify -cryptomodule_name
to use crypto instead of a key database. - -pw
password
is the password to access the key database. Instead of -pw, you can specify -stashed to use the password for the key database from the stash file. - -tokenlabel
token_label
specifies the label attached to the token if -crypto is used. - -secondarydb
filename
specifies a file name for a second database if -crypto is used. - -secondarydbpw
password
is the password for -secondarydb. - -secondarydbtype
type
is the type for -secondarydb. - -label
label
is the label attached to the certificate. - -encryption specifies to use encryption. Options are
strong
andweak
. - -target
filename
is the destination file or database. If the target_type is JKS, CMS, or JCEKS, the database specified forfilename
must exist. Instead of -target, you can specify -cryptomodule_name
. - -target_pw
password
is the password for the target key database if -target is used. Instead of-target_pw, you can specify -target_stashed. - -type indicates the source database that is specified by the
-db operand. Options are
cms
,jceks
,jks
,kdb
,p12
, andpkcs12
. - -target_type is the type of database specified by the -target
operand. Options are
cms
,jks
,jceks
, andpkcs12
.