Let's say you have a key database file named example.kdb. Before extracting a certificate from the Key Database, the -validate flag can then be used to determine if the certificates in the Key Database are valid.

~]# ${install_root}/gsk8/bin/gsk8capicmd_64 -cert -validate -db /path/to/example.kdb -stashed
my_root_ca : OK
my_intermediate_certificate : OK
my_server_certificate : OK

Assuming the certificates in the Key Database are valid, you can then list the certificates in the Key Database to determine which certificate is the default personal certificate. Notice my_server_certificate is flagged as * (default) and - (personal). This is important. More on this in a moment. Read on.

~]# ${install_root}/gsk8/bin/gsk8capicmd_64 -cert -list -db /path/to/example.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
-  my_root_ca
-  my_intermediate_certificate
*- my_server_certificate

There are two similiar flags that can be used, -extract and -export.

• -export = This is used when you want to export the certificate into a PKCS12 file, such as example.com.p12
• -extract = This is used when you want to extract the certificate into a .cer, .crt, or .pem file, such as example.com.cer

The -extract option can be used to extract the my_server_certificate from the Key Database.

${install_root}/gsk8/bin/gsk8capicmd_64
-cert
-extract
-db /path/to/example.kdb
-stashed or -pw your_password
-label "my_server_certificate"
-target "cert.cer"

The extracted file will have something like this, meaning the file only contains the public certificate, no private key.

-----BEGIN CERTIFICATE-----
lkdfjslfkalvkjaadvalvkjavlkjavlkjavlakvjal
alsdkvjasvkljavlakjvakvjalvkjalvkjavlkjavl
lavkjalvkjalvjavjaidjaosdvjiaosvjdoa
-----END CERTIFICATE-----