pki export-certificate
Format
pki export-certificate { ca | local | ocsp } realm realm-name { der | pem | pkcs12 } [ filename filename ]
pki export-certificate local realm realm-name { pem | pkcs12 } filename filename password password
Parameters
| Parameter | Description | Value |
|---|---|---|
| ca | Exports a CA certificate. | - |
| local | Exports a local certificate. | - |
| ocsp | Exports the Online Certificate Status Protocol (OCSP) certificate. | - |
| realm realm-name | Specifies the PKI realm name of a certificate. | The PKI realm name must already exist. |
| der | Exports a certificate in DER format. | - |
| pem | Exports a certificate in PEM format. | - |
| pkcs12 | Exports a certificate in P12 format. | - |
| filename filename | Specifies the name of an exported certificate file. | The value is a string of 1 to 64 case-sensitive characters without spaces and question marks (?). When the value contains a directory, it is a string of 1 to 127 characters, for example, flash:/8ab3/ab3.pem. |
| password password | Specifies the password of an exported certificate file. | The value is a string of 6 to 32 case-sensitive characters without question marks (?). To enhance security, a password must meet the minimum strength requirements, that is, the password needs to contain at least three types of the following characters: letters, numerals, and special characters, such as exclamation points (!), at signs (@), number signs (#), dollar signs ($), and percent (%). |
Usage Guidelines
Usage Scenario
To copy a certificate to another device, run the pki export-certificate command to export a certificate to the flash of the local device first, and then transfer the certificate to another device using a file transfer protocol.
Before using this command, run the display pki certificate command to view information about certificates on the device.
Prerequisites
A PKI realm has been created using the pki realm (system view) command.
Precautions
When the exported certificate file does not contain a private key, the device does not encrypt this file.
When you export the private key, the system asks you to enter the private key file name. If the private key file name and the certificate file name are the same, the private key and certificate are stored in the same file. If they are different, they are stored in different files.
When you export the private key, the system asks you to enter the private key file format and set the password. The password will be used when you run the pki import-certificate command to import this private key.
After the enrollment self-signed command is used in the PKI realm, you cannot use the pki export-certificate command to export certificates to files.
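Because a PEM export can hold a certificate alone or a certificate together with its private key in the same file, it is worth inspecting the file off-device before it is transferred. The following is an added example, not part of the original documentation; it assumes the exported file uses standard PEM BEGIN/END labels, which this page does not specify, and the sample contents are constructed placeholders.

```python
import re

# PEM encapsulation boundaries: -----BEGIN <label>----- ... -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

def classify_pem(text):
    """Return [(label, status)] for each PEM block found in text."""
    findings = []
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            status = "certificate"
        elif label == "ENCRYPTED PRIVATE KEY":
            status = "encrypted-key"      # PKCS#8, password-protected
        elif label.endswith("PRIVATE KEY"):
            # Traditional format flags encryption in a header line.
            encrypted = "Proc-Type: 4,ENCRYPTED" in body
            status = "encrypted-key" if encrypted else "plaintext-key"
        else:
            status = "other"
        findings.append((label, status))
    return findings

def has_plaintext_key(text):
    """True if any private key in the file is not password-protected."""
    return any(s == "plaintext-key" for _, s in classify_pem(text))

# Constructed sample inputs; the bodies are placeholders, not real key material.
BODY = "Q09OU1RSVUNURUQ=\n"
CERT = "-----BEGIN CERTIFICATE-----\n" + BODY + "-----END CERTIFICATE-----\n"
ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
           + BODY + "-----END RSA PRIVATE KEY-----\n")
RAW_KEY = "-----BEGIN PRIVATE KEY-----\n" + BODY + "-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, content in [("cert only", CERT),
                          ("cert + encrypted key", CERT + ENC_KEY),
                          ("cert + plaintext key", CERT + RAW_KEY)]:
        verdict = "BLOCK TRANSFER" if has_plaintext_key(content) else "ok"
        print(name, classify_pem(content), verdict)
```

A file flagged with a plaintext key should be re-exported with a password before it leaves the device's management network.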
Example
# Export the local certificate in the PKI realm abc.
<AC6605> system-view
[AC6605] pki realm abc
[AC6605-pki-realm-abc] quit
[AC6605] pki export-certificate local realm abc pem
Please enter the name of certificate file <length 1-127>: aa
If you only export the certificate, do not export the private key. You can directly enter empty of private key file.
Please enter the name of private key file <length 1-127>:
Info: Succeeded in exporting the certificate.