IMPORTANT:
To export all certificates in the PKCS12 format, the PKI domain must have at least one local certificate.
Otherwise, the export operation fails.
To back up or import certificates, you can export the CA certificate and the local certificates in a PKI
domain to local files or display them on a terminal.
When you export a local certificate with the RSA key pair, the name of the target file might not be the
same as specified in the command. It depends on the purpose of the key pair of the certificate.
To export certificates:
Step
1.
Enter system view.
2.
Export certificates.
Removing a certificate
CAUTION:
When you remove the CA certificate in a domain, the system also removes the local certificates, peer
certificates, and CRLs in the same PKI domain.
Each certificate issued by a CA has a validity period. If the certificate is about to expire or your private
key is compromised, do the following tasks:
Remove the local certificate.
1.
Use public-key local destroy to destroy the existing local key pair.
2.
Use public-key local create to generate a new key pair.
3.
Request a new certificate.
4.
To remove a certificate:
Step
1.
Enter system view.
Command
system-view
•
Export certificates in DER format:
pki export domain domain-name der { all |
ca | local } filename filename
•
Export certificates in PKCS12 format:
pki export domain domain-name p12 { all |
local } passphrase p12passwordstring
filename filename
•
Export certificates in PEM format:
pki export domain domain-name pem { { all |
local } [ { 3des-cbc | aes-128-cbc |
aes-192-cbc | aes-256-cbc | des-cbc }
pempasswordstring ] | ca } [ filename
filename ]
Command
system-view
130
Remarks
N/A
Configure at least one
command.
If you do not specify a file name
when you export a certificate in
PEM format, the certificate is
displayed on the terminal.
Remarks
N/A