all: Specifies both CA and local certificates. The RA certificate is excluded.
ca: Specifies the CA certificate.
local: Specifies the local certificates or the local certificates and their private keys.
passphrase p12-key: Specifies a password for encrypting the private key of a local PKCS12 certificate.
3des-cbc: Specifies 3DES_CBC for encrypting the private key of a local certificate.
aes-128-cbc: Specifies 128-bit AES_CBC for encrypting the private key of a local certificate.
aes-192-cbc: Specifies 192-bit AES_CBC for encrypting the private key of a local certificate.
aes-256-cbc: Specifies 256-bit AES_CBC for encrypting the private key of a local certificate.
des-cbc: Specifies DES_CBC for encrypting the private key of a local certificate.
pem-key: Specifies a password for encrypting the private key of a local certificate in PEM format.
filename filename: Specifies the name of the file for storing the certificate. The file name is a case-insensitive string. If you do not specify a file name when you export certificates in PEM format, this command displays the certificates on the terminal.
Usage guidelines
When you export the CA certificate, the following conditions might exist:
• If the PKI domain has only one CA certificate, this command exports the CA certificate to a file or displays it on the terminal.
• If the PKI domain has a CA certificate chain, this command exports the certificate chain to a file or displays it on the terminal.
When you export a local certificate to a local file, the local file name might be different from the file name specified in the command. The file name depends on the usage of the key pair contained in the certificate.
The following example uses certificate as the file name for saving an exported local certificate.
• If the local certificate contains an RSA signing key pair, the local file name is certificate-signature.
• If the local certificate contains an RSA encryption key pair, the local file name is certificate-encryption.
• If the local certificate contains a general purpose RSA, ECDSA, or DSA key pair, the local file name is certificate.
If the PKI domain has two local certificates, the local certificates are exported as follows:
• If you specify a file name, the two local certificates are exported to two different files.
• If you do not specify a file name, the local certificates are displayed on the terminal, separated by system prompts.
When you export all certificates, the following conditions might exist:
• If the PKI domain has only the CA certificate or local certificates, the result is the same as when you export the CA certificate or local certificates separately.
• If the PKI domain has both the CA certificate and local certificates, you get the following results:
  • If you specify a file name, each local certificate is exported to a separate file with its associated CA certificate chain.
  • If you do not specify a file name, the local certificates and CA certificate or CA certificate chain are displayed on the terminal, separated by system prompts.
When you export all certificates in PKCS12 format, the PKI domain must have a local certificate. If
the domain does not have a local certificate, the export operation fails.