Let's say you have a key database file named example.kdb. Before extracting a certificate from the Key Database, the -validate flag can then be used to determine if the certificates in the Key Database are valid.

~]# ${install_root}/gsk8/bin/gsk8capicmd_64 -cert -validate -db /path/to/example.kdb -stashed
my_root_ca : OK
my_intermediate_certificate : OK
my_server_certificate : OK

Assuming the certificates in the Key Database are valid, you can then list the certificates in the Key Database to determine which certificate is the default personal certificate. Notice my_server_certificate is flagged as * (default) and - (personal). This is important. More on this in a moment. Read on.

~]# ${install_root}/gsk8/bin/gsk8capicmd_64 -cert -list -db /path/to/example.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
-  my_root_ca
-  my_intermediate_certificate
*- my_server_certificate

There are two similiar flags that can be used, -extract and -export.

• -export = This is used when you want to export the certificate into a PKCS12 file, such as example.com.p12
• -extract = This is used when you want to extract the certificate into a .cer, .crt, or .pem file, such as example.com.cer

In this example, the example.com certificate is extracted into a PKCS12 file.

${install_root}/gsk8/bin/gsk8capicmd_64
-cert
-export
-db /path/to/key.kdb
-stashed or -pw your_password
-label "example.com"
-target "example.com.p12"
-target_pw "any password"