IBM Global Security Kit (GSKit) - Export certificate private key from a Key Database file
by Jeremy Canfield | Updated: May 15 2024
Let's say you have a key database file named example.kdb. Before extracting a certificate from the Key Database, the -validate flag can be used to determine whether the certificates in the Key Database are valid.
~]# ${install_root}/gsk8/bin/gsk8capicmd_64 -cert -validate -db /path/to/example.kdb -stashed
my_root_ca : OK
my_intermediate_certificate : OK
my_server_certificate : OK
Assuming the certificates in the Key Database are valid, you can then list the certificates in the Key Database to determine which certificate is the default personal certificate. Notice my_server_certificate is flagged as * (default) and - (personal). This is important. More on this in a moment. Read on.
~]# ${install_root}/gsk8/bin/gsk8capicmd_64 -cert -list -db /path/to/example.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
- my_root_ca
- my_intermediate_certificate
*- my_server_certificate
There are two similar flags that can be used, -extract and -export.
- -export = This is used when you want to export the certificate into a PKCS12 file, such as example.com.p12
- -extract = This is used when you want to extract the certificate into a .cer, .crt, or .pem file, such as example.com.cer
In this example, the example.com certificate is exported into a PKCS12 file.
# Use -stashed when the Key Database has a stash file; otherwise replace it with -pw your_password
${install_root}/gsk8/bin/gsk8capicmd_64 \
  -cert \
  -export \
  -db /path/to/key.kdb \
  -stashed \
  -label "example.com" \
  -target "example.com.p12" \
  -target_pw "any password"
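As an added example (not part of the original article), the shell functions below parse the -cert -list output shown above, pick the one entry flagged both * (default) and - (personal), and export it with -stashed. The function names, the embedded sample listing, the parameters, and the umask 077 step are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article.

# Constructed sample input: the -cert -list output shown in the article.
sample_listing() {
cat <<'EOF'
Certificates found
* default, - personal, ! trusted, # secret key
- my_root_ca
- my_intermediate_certificate
*- my_server_certificate
EOF
}

# Read a -cert -list listing on stdin and print the label whose flag column
# contains both * (default) and - (personal). Fails unless exactly one matches.
default_personal_label() {
    awk '
        /^Certificates found/ { next }
        /default,.*personal,/ { next }          # legend line
        {
            flags = $1
            if (flags !~ /^[*!#-]+$/) next       # first field is not a flag column
            label = $0
            sub(/^[*!#-]+[ \t]+/, "", label)     # keep labels that contain spaces
            if (index(flags, "*") && index(flags, "-")) { n++; found = label }
        }
        END { if (n != 1) exit 1; print found }
    '
}

# Export the default personal certificate to a PKCS12 file.
# Arguments (assumed by this example): path to gsk8capicmd_64, the .kdb file,
# the target .p12 file, and the password that will protect the .p12 file.
export_default_personal() {
    gsk_bin=$1 kdb=$2 target=$3 target_pw=$4
    label=$("$gsk_bin" -cert -list -db "$kdb" -stashed | default_personal_label) || return 1
    (
        umask 077   # new files are created without group/other access
        "$gsk_bin" -cert -export -db "$kdb" -stashed \
            -label "$label" -target "$target" -target_pw "$target_pw"
    )
}
```

A password passed with -pw or -target_pw is visible in the process list and shell history while the command runs, so -stashed is used for the Key Database here.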