When do I need FORMAT(PKCS12DER) when trying to EXPORT or INSERT a digital certificate?

Document ID : KB000026051
Last Modified Date : 14/02/2018

Question:

When trying to EXPORT or INSERT a digital certificate, the command often includes a FORMAT(PKCS12DER) operand. Other EXPORT and INSERT commands do not include this FORMAT operand. Why is it necessary on some and not others?

Answer:

The PKCS12DER and PKCS12B64 formats are the only formats that permit the inclusion of a digital certificate's private key in the certificate package. The package includes the user certificate, its private key, and all certificate-authority certificates necessary to complete the chain of certificates from the user certificate to the root certificate. If the EXPORT command is issued without a FORMAT operand, the format defaults to CERTB64, which does not contain the private key and also cannot be used in a Windows environment.

If a certificate is being copied from one system to another to be used as the PERSONAL certificate in a keyring, it must have its private key, and FORMAT(PKCS12DER) must appear in both the EXPORT and INSERT commands. The use of FORMAT(PKCS12DER) also requires the inclusion of the PASSWORD parameter. The password is used to encrypt the private key and the certificates. It can be mixed case and up to 255 bytes in length. It is specified on both the EXPORT and INSERT commands.

For more detailed information on the EXPORT and INSERT commands and the FORMAT and PASSWORD operands, see the "Digital Certificate Support" chapter of the ACF2 Administrator Guide.
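
A pre-INSERT check on a transferred export file can catch the case described above, where EXPORT ran without FORMAT and produced a certificate-only CERTB64 file instead of a PKCS#12 package. The Python below is an added example, not CA or ACF2 code: it inspects the leading ASN.1 structure (PFX per RFC 7292) and the function names are hypothetical. It assumes the file was moved off z/OS in binary for PKCS12DER or converted to ASCII for the base64 formats, that CERTB64 carries the usual BEGIN CERTIFICATE armor, and that PKCS12B64 is plain base64 of the same PFX bytes.

```python
import base64
import binascii

# PKCS#7 content types allowed for the authSafe field of a PKCS#12 PFX (RFC 7292)
PFX_CONTENT_OIDS = {
    bytes.fromhex("2a864886f70d010701"),  # 1.2.840.113549.1.7.1 data
    bytes.fromhex("2a864886f70d010702"),  # 1.2.840.113549.1.7.2 signedData
}

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def is_pfx(der):
    """True if der starts like PFX ::= SEQUENCE { version 3, authSafe ContentInfo, ... }."""
    try:
        tag, start, _ = read_tlv(der, 0)
        vtag, vs, ve = read_tlv(der, start)
        ctag, cs, _ = read_tlv(der, ve)
        otag, os_, oe = read_tlv(der, cs)
    except ValueError:
        return False
    return (tag == 0x30 and vtag == 0x02 and der[vs:ve] == b"\x03"
            and ctag == 0x30 and otag == 0x06 and der[os_:oe] in PFX_CONTENT_OIDS)

def classify(data):
    """Return 'PKCS12DER', 'PKCS12B64', 'CERTB64' or 'UNKNOWN' for a transferred file."""
    if is_pfx(data):
        return "PKCS12DER"
    text = data.strip()
    if text.startswith(b"-----BEGIN CERTIFICATE-----"):
        return "CERTB64"  # certificate only: no private key inside
    try:
        decoded = base64.b64decode(b"".join(text.split()), validate=True)
    except binascii.Error:
        return "UNKNOWN"
    return "PKCS12B64" if is_pfx(decoded) else "UNKNOWN"

# Constructed samples: a 22-byte PFX skeleton (structure only, no keys) and an armored stub
SAMPLE_PFX = bytes.fromhex("3014020103300f06092a864886f70d010701a0020400")
SAMPLE_CERTB64 = b"-----BEGIN CERTIFICATE-----\nMAMwAQA=\n-----END CERTIFICATE-----\n"
```

A result of CERTB64 or UNKNOWN for a file intended as a PERSONAL certificate means the EXPORT should be repeated with FORMAT(PKCS12DER) and PASSWORD. The check confirms only the container type, not that the password or the key inside is correct.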