Skip to content

Exporting CA System Certificates

Endi S. Dewata edited this page Mar 27, 2024 · 5 revisions

Overview

This page describes the process to export CA system certificates, the keys, and the CSRs.

Exporting Certificate Chain

To export the certificate chain into a certificate bundle:

$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    nss-cert-export \
    --output-file cert_chain.pem \
    --with-chain \
    ca_signing

To export the certificate chain into a PKCS #7 file:

$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    pkcs7-export \
    --pkcs7 cert_chain.p7b \
    ca_signing

Exporting System Certificates and Keys

To export the system certificates without their keys into separate files execute the following commands:

$ pki-server cert-export ca_signing --cert-file ca_signing.crt
$ pki-server cert-export ca_ocsp_signing --cert-file ca_ocsp_signing.crt
$ pki-server cert-export ca_audit_signing --cert-file ca_audit_signing.crt
$ pki-server cert-export subsystem --cert-file subsystem.crt
$ pki-server cert-export sslserver --cert-file sslserver.crt

To export the system certificates with their keys into a PKCS #12 file execute the following command:

$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    pkcs12-export \
    --pkcs12 ca-certs.p12 \
    --password Secret.123 \
    ca_signing \
    ca_ocsp_signing \
    ca_audit_signing \
    subsystem \
    sslserver

Exporting System CSRs

In PKI 11.5 or later the system CSRs can be obtained directly from the /var/lib/pki/pki-tomcat/conf/certs folder:

  • ca_signing.csr

  • ca_ocsp_signing.csr

  • ca_audit_signing.csr

  • subsystem.csr

  • sslserver.csr

In older PKI versions the system CSRs need to be exported with the following commands:

$ echo "-----BEGIN CERTIFICATE REQUEST-----" > ca_signing.csr
$ sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/conf/ca/CS.cfg >> ca_signing.csr
$ echo "-----END CERTIFICATE REQUEST-----" >> ca_signing.csr

$ echo "-----BEGIN CERTIFICATE REQUEST-----" > ca_ocsp_signing.csr
$ sed -n "/^ca.ocsp_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/conf/ca/CS.cfg >> ca_ocsp_signing.csr
$ echo "-----END CERTIFICATE REQUEST-----" >> ca_ocsp_signing.csr

$ echo "-----BEGIN CERTIFICATE REQUEST-----" > ca_audit_signing.csr
$ sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/conf/ca/CS.cfg >> ca_audit_signing.csr
$ echo "-----END CERTIFICATE REQUEST-----" >> ca_audit_signing.csr

$ echo "-----BEGIN CERTIFICATE REQUEST-----" > subsystem.csr
$ sed -n "/^ca.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/conf/kra/CS.cfg >> subsystem.csr
$ echo "-----END CERTIFICATE REQUEST-----" >> subsystem.csr

$ echo "-----BEGIN CERTIFICATE REQUEST-----" > sslserver.csr
$ sed -n "/^ca.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/conf/kra/CS.cfg >> sslserver.csr
$ echo "-----END CERTIFICATE REQUEST-----" >> sslserver.csr
Clone this wiki locally