Copying certificates from one system to another.

Document ID : KB000012797
Last Modified Date : 14/02/2018
Question:

How do you copy certificates from one system to another that do not share the CA Top Secret Security File?

Answer:

To copy a certificate from one system to another, you use the TSS EXPORT command.

You must first determine whether the certificate has both a public and a private key or just a public key, because that decides which TSS EXPORT command to use.

Issue a:
TSS LIST(owningacid) DIGICERT(digicertname)

and look for the 'PRIVATE KEYSIZE'.

If the PRIVATE KEYSIZE is present, then the certificate has a public and private key.
If it is not, then you just have the public key. Public root certificates like GoDaddy, GeoTrust, Equifax will only have the public key.


To TSS EXPORT a certificate with a public and private key, use a PKCS12 FORMAT on the TSS EXPORT command. Example:

TSS EXPORT(owningacid) DIGICERT(digicertname) FORMAT(PKCS12DER) PKCSPASS(user_defined_password) DCDSN(datasetname)

FORMAT - supports many different certificate formats. The PKCS12xxx formats should be used to export the public and private key. CERTDER is the default if the FORMAT keyword is not used. CERTDER will only export the public key.

PKCSPASS - a user-defined password which secures the dataset. Please keep the password in a safe place. There is no way to retrieve it once lost. If you lose it, you can always re-EXPORT the certificate and specify a new password.

DCDSN - is the dataset where the certificate will be exported. The dataset must not already exist. CA Top Secret will create and initialize it. Please make sure you are authorized to access the dataset.

To TSS EXPORT a certificate with just a public key, issue the following command:

TSS EXPORT(owningacid) DIGICERT(digicertname) FORMAT(CERTDER) DCDSN(datasetname)

Please note that there is no PKCSPASS keyword to be used with this command.

The datasets can now be FTPed in BINARY to their destination.

To add a certificate to the security file with a public and private key, issue a:

TSS ADD(owningacid) DIGICERT(digicertname) PKCSPASS(user_defined_password) LABLCERT(certificatelabel) DCDSN(datasetname) TRUST

To add a certificate to the security file with just a public key, issue a:

TSS ADD(owningacid) DIGICERT(digicertname) DCDSN(datasetname) LABLCERT(certificatelabel) TRUST
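The following is an added example, not part of the original document or of CA Top Secret: a Python check that an exported CERTDER or PKCS12DER file still has an intact DER structure after the BINARY FTP step, before it is given to TSS ADD. It assumes the file passes through a staging host where Python is available; the function names are hypothetical, and the text-mode simulation uses code page 037 as a constructed stand-in for whatever translation table a non-BINARY transfer would apply.

```python
"""Added example: structural check of an exported certificate file after transfer."""

def der_total_length(data: bytes):
    """Length in bytes of the outer DER element, or None for BER indefinite length."""
    if len(data) < 2:
        raise ValueError("too short")
    if data[0] != 0x30:  # certificates and PKCS#12 files both start with a SEQUENCE tag
        raise ValueError(f"first byte 0x{data[0]:02x}, expected 0x30")
    first = data[1]
    if first < 0x80:            # short form: the length is in this byte
        return 2 + first
    if first == 0x80:           # BER indefinite length: cannot be size-checked
        return None
    n = first & 0x7F            # long form: the next n bytes hold the length
    if n > 4 or len(data) < 2 + n:
        raise ValueError("bad length field")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def check_transfer(data: bytes) -> str:
    """Classify a file: ok, trailing-data, truncated, indefinite-length or not-der."""
    try:
        total = der_total_length(data)
    except ValueError:
        return "not-der"
    if total is None:
        return "indefinite-length"
    if total > len(data):
        return "truncated"
    return "ok" if total == len(data) else "trailing-data"


def simulate_text_mode(data: bytes) -> bytes:
    """Constructed stand-in for a non-BINARY transfer: EBCDIC (cp037) to Latin-1."""
    return data.decode("cp037").encode("latin-1")


# Constructed sample: 260 bytes with a valid outer SEQUENCE header (not a real certificate).
SAMPLE = b"\x30\x82\x01\x00" + bytes(range(256))

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:       # check a real file given on the command line
        with open(sys.argv[1], "rb") as fh:
            print(check_transfer(fh.read()))
    else:                       # otherwise walk through the constructed cases
        for name, blob in [("binary", SAMPLE), ("cut short", SAMPLE[:-10]),
                           ("text mode", simulate_text_mode(SAMPLE))]:
            print(name, "->", check_transfer(blob))
```

A result of not-der or truncated means the file should be transferred again in BINARY; trailing-data is worth a closer look before the TSS ADD.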