IBM Global Security Kit (GSKit) - Export certificate private key from a Key Database file

Let's say you have a key database file named example.kdb. Before extracting a certificate from the Key Database, the -validate flag can then be used to determine if the certificates in the Key Database are valid.

~]# ${install_root}/gsk8/bin/gsk8capicmd_64 -cert -validate -db /path/to/example.kdb -stashed
my_root_ca : OK
my_intermediate_certificate : OK
my_server_certificate : OK


Assuming the certificates in the Key Database are valid, you can then list the certificates in the Key Database to determine which certificate is the default personal certificate. Notice my_server_certificate is flagged as * (default) and - (personal). This is important. More on this in a moment. Read on.

~]# ${install_root}/gsk8/bin/gsk8capicmd_64 -cert -list -db /path/to/example.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
-  my_root_ca
-  my_intermediate_certificate
*- my_server_certificate


There are two similiar flags that can be used, -extract and -export.

  • -export = This is used when you want to export the certificate into a PKCS12 file, such as
  • -extract = This is used when you want to extract the certificate into a .cer, .crt, or .pem file, such as

In this example, the certificate is extracted into a PKCS12 file.

-db /path/to/key.kdb
-stashed or -pw your_password
-label ""
-target ""
-target_pw "any password"


Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee

Add a Comment

We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.

Please enter 49cbe in the box below so that we can be sure you are a human.


Web design by yours truely - me, myself, and I   |   |