H3C MSR Series Command Reference Manual page 505

Comware 7 security

aes-192-cbc: Specifies 192-bit AES_CBC for encrypting the private key of a local certificate.
aes-256-cbc: Specifies 256-bit AES_CBC for encrypting the private key of a local certificate.
des-cbc: Specifies DES_CBC for encrypting the private key of a local certificate.
pem-key: Specifies a password for encrypting the private key of a local certificate in PEM format.
filename filename: Specifies the name of the file for storing the certificate. The file name is a
case-insensitive string. If you do not specify a file name when you export certificates in PEM format,
this command displays the certificates on the monitor screen.
Usage guidelines
When you export the CA certificate, the following conditions might exist:
- If the PKI domain has only one CA certificate, this command exports the CA certificate to a file or displays it on the monitor screen.
- If the PKI domain has a CA certificate chain, this command exports the certificate chain to a file or displays it on the monitor screen.
When you export a local certificate to a local file, the local file name might be different from the file
name specified in the command. The file name depends on the usage of the key pair contained in the
certificate.
The following example uses certificate as the file name for saving an exported local certificate.
- If the local certificate contains an RSA signing key pair, the local file name is certificate-signature.
- If the local certificate contains an RSA encryption key pair, the local file name is certificate-encryption.
- If the local certificate contains a general purpose RSA, ECDSA, or DSA key pair, the local file name is certificate.
If the PKI domain has two local certificates, the local certificates are exported as follows:
- If you specify a file name, the two local certificates are exported to two different files.
- If you do not specify a file name, the local certificates are displayed on the monitor screen, separated by system prompts.
When you export all certificates, the following conditions might exist:
- If the PKI domain has only the CA certificate or local certificates, the result is the same as when you export the CA certificate or local certificates separately.
- If the PKI domain has both the CA certificate and local certificates, you get the following results:
  - If you specify a file name, each local certificate is exported to a separate file with its associated CA certificate chain.
  - If you do not specify a file name, the local certificates and CA certificate or CA certificate chain are displayed on the monitor screen, separated by system prompts.
When you export all certificates in PKCS12 format, the PKI domain must have a local certificate.
Otherwise, the export operation fails.
When you export the local certificates or all certificates in PEM format, you must specify the
cryptographic algorithm and the challenge password for the private key. Otherwise, this command
does not export the private keys of the local certificates. If you specify the cryptographic algorithm
and the password, and the local certificates have their private keys, this command can export the
local certificates with their private keys. If the local certificates do not have their private keys, the
export operation fails.
When you export the local certificates, if the key pair in the PKI domain is changed and no longer
matches the key in the local certificates, the export operation fails.
When you export the local certificates or all certificates, if the PKI domain has two local certificates,
failure of exporting one local certificate does not affect export of the other.
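
An added example, not part of the H3C manual: a Python check to run over a file produced by a PEM export, confirming that every private key in it is encrypted and flagging des-cbc, which is single DES. It assumes the private key is written in the traditional PEM layout with Proc-Type and DEK-Info headers, which the manual does not state; audit_pem_export and the sample data are constructed for illustration.

```python
import re

# A PEM block: BEGIN line, optional RFC 1421-style headers, base64 body, END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
HEADER = re.compile(r"^([A-Za-z-]+):\s*(.+)$", re.M)
WEAK_CIPHERS = {"DES-CBC"}  # single DES has a 56-bit key

def audit_pem_export(text):
    """Return one finding per PEM block in an exported file or captured screen output."""
    findings = []
    for label, body in PEM_BLOCK.findall(text):
        headers = {k: v.strip() for k, v in HEADER.findall(body)}
        item = {"type": label, "status": "ok"}
        if label == "ENCRYPTED PRIVATE KEY":
            # PKCS #8 container: the cipher is encoded in the DER, not in a header.
            item["status"] = "encrypted (PKCS #8, cipher not visible in headers)"
        elif label.endswith("PRIVATE KEY"):
            dek = headers.get("DEK-Info", "")
            if "ENCRYPTED" not in headers.get("Proc-Type", "") or not dek:
                item["status"] = "UNENCRYPTED private key"
            else:
                item["cipher"] = dek.split(",")[0].upper()
                weak = item["cipher"] in WEAK_CIPHERS
                item["status"] = "WEAK cipher" if weak else "encrypted"
        findings.append(item)
    return findings

# Constructed sample (placeholder base64, not real key material), assuming the
# traditional PEM layout with Proc-Type/DEK-Info headers.
SAMPLE = """\
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,0011223344556677

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for finding in audit_pem_export(SAMPLE):
        print(finding)
```

Text between blocks, such as the system prompts that separate certificates displayed on screen, is ignored by the block pattern.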