Importing and exporting keys using the command line

This topic describes how to import and export keys.

• Use the gskcapicmd command-line interface to import certificates from another key database. Enter the following command on one line:

  install_root/bin/gskcapicmd -cert -import -db filename
  [-pw password | -stashed] -label label -new_label new_label
  -target filename -target_pw password
  [-type cms | jceks | kdb | p12 | pkcs12] [-target_type cms | jceks | kdb | p12 | pkcs12 | pkcs12s2]

  where:

  • -cert specifies a certificate.
  • -import specifies an import action.
  • -db filename indicates the name of the database.
  • -pw password indicates the password to access the key database. Instead of -pw, you can specify -stashed to use the password for the key database from the stash file.
  • -label label indicates the label that is attached to the certificate.
  • -new_label new_label re-labels the certificate in the target key database.
  • -target filename indicates the destination database.
  • -target_pw password indicates the password for the key database if -target specifies a key database.
  • -type indicates the source database that is specified by the -db operand. Options are cms, jceks, kdb, p12, and pkcs12.
  • -target_type indicates the type of database that is specified by the -target operand. Options are cms, jceks, kdb, p12, pkcs12, and pkcs12s2.
• Use the GSKCapiCmd tool to import certificates from another key database.

  GSKCapiCmd is a tool that manages keys, certificates, and certificate requests within a CMS key database. The tool has all of the functionality that the existing IBM® Global Security Kit (GSKit) Java™ command line tool has, except GSKCapiCmd supports CMS and PKCS11 key databases. If you plan to manage key databases other than CMS or PKCS11, use the existing Java tool. You can use GSKCapiCmd to manage all aspects of a CMS key database. GSKCapiCmd does not require Java to be installed on the system.

  install_root/bin/gskcapicmd -cert -import 
  -db name | -crypto module_name [-tokenlabel token_label]
  [-pw password | -stashed] [-secondaryDB filename -secondaryDBpw password] 
  -label label [-new_label new_label]
  -target name [-target_pw password] 
  [-type cms | jceks | kdb | p12 | pkcs12] [-target_type cms | pkcs11] [-fips]

• Use the gskcapicmd command-line interface to export certificates from another key database. Enter the following command on one line:

  install_root/bin/gskcapicmd -cert -export
  -db filename [-pw password | -stashed] -label label 
  -target filename -target_pw password 
  [-type cms | jceks | kdb | p12 | pkcs12] [-target_type cms | jceks | pkcs12]

  where:

  • -cert specifies a personal certificate.
  • -export specifies an export action.
  • -db filename is the name of the database.
  • -pw password is the password to access the key database.
  • -pw password indicates the password to access the key database. Instead of -pw, you can specify -stashed to use the password for the key database from the stash file.
  • -label label is the label attached to the certificate.
  • -target filename is the destination file or database. If the target_type is CMS or JCEKS, the database specified here must exist.
  • -target_pw password is the password for the target key database.
  • -type indicates the source database that is specified by the -db operand. Options are cms, jceks, kdb, p12, and pkcs12.
  • -target_type is the type of database specified by the -target operand. Options are cms, jceks, and pkcs12.
• Use the GSKCapiCmd tool to export certificates from another key database.

  GSKCapiCmd is a tool that manages keys, certificates, and certificate requests within a CMS key database. The tool has all the functionality that the existing IBM Global Security Kit (GSKit) Java command line tool has, except GSKCapiCmd supports CMS and PKCS11 key databases. If you plan to manage key databases other than CMS or PKCS11, use the existing Java tool. You can use GSKCapiCmd to manage all aspects of a CMS key database. GSKCapiCmd does not require Java to be installed on the system.

  install_root/bin/gskcapicmd -cert -export 
  -db name | -crypto module_name [-tokenlabel token_label]
  [-pw password | -stashed] [-secondarydb filename -secondarydbpw password -secondarydbtype type] 
  [-label label] [-encryption strong | weak] 
  -target name | -crypto module_name [-target_pw password | -target_stashed] 
  [-type cms | kdb | pkcs11 | pkcs12 | p12] [-target_type cms | kdb | pkcs11 | pkcs12 | p12]

  where:

  • -cert specifies a personal certificate.
  • -export specifies an export action.
  • -db name is the name of the database. Instead of -db, you can specify -crypto module_name to use crypto instead of a key database.
  • -pw password is the password to access the key database. Instead of -pw, you can specify -stashed to use the password for the key database from the stash file.
  • -tokenlabel token_label specifies the label attached to the token if -crypto is used.
  • -secondarydb filename specifies a file name for a second database if -crypto is used.
  • -secondarydbpw password is the password for -secondarydb.
  • -secondarydbtype type is the type for -secondarydb.
  • -label label is the label attached to the certificate.
  • -encryption specifies to use encryption. Options are strong and weak.
  • -target filename is the destination file or database. If the target_type is CMS or JCEKS, the database specified for filename must exist. Instead of -target, you can specify -crypto module_name.
  • -target_pw password is the password for the target key database if -target is used. Instead of-target_pw, you can specify -target_stashed.
  • -type indicates the source database that is specified by the -db operand. Options are cms, jceks, kdb, p12, and pkcs12.
  • -target_type is the type of database specified by the -target operand. Options are cms, jceks, and pkcs12.