Archiving Key in KRA
Endi S. Dewata edited this page Aug 25, 2021 · 6 revisions
The pki kra-key-archive command can be used to archive binary data, a passphrase, or a pre-encrypted secret into KRA.
The command accepts a --transport <nickname> parameter that can be used to specify the nickname of the transport certificate already in the client’s NSS database. If not specified, the command will retrieve the transport certificate from KRA and store it in the client’s NSS database.
To archive binary data:
$ pki -n caadmin kra-key-archive \
    --clientKeyID testkey \
    --input-data private.key
------------------------
Archival request details
------------------------
  Request ID: 0x1
  Key ID: 0x1
  Type: securityDataEnrollment
  Status: complete
To archive a passphrase:
$ pki -n caadmin kra-key-archive \
    --clientKeyID testkey \
    --passphrase secret
------------------------
Archival request details
------------------------
  Request ID: 0x1
  Key ID: 0x1
  Type: securityDataEnrollment
  Status: complete
To archive a pre-encrypted secret, store the input in a file (e.g. input.json):
{
    "Attributes": {
        "Attribute": [
            { "name": "clientKeyID", "value": "testkey" },
            { "name": "dataType", "value": "symmetricKey" },
            { "name": "wrappedPrivateData", "value": "..." },
            { "name": "keyAlgorithm", "value": "AES" },
            { "name": "realm", "value": "example" },
            { "name": "keySize", "value": "128" }
        ]
    },
    "ClassName": "com.netscape.certsrv.key.KeyArchivalRequest"
}
Then execute the following command:
$ pki -n caadmin kra-key-archive \
    --input input.json \
    --input-format json
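A pre-flight check for input.json before it is handed to pki kra-key-archive, added here as an example and not part of the Dogtag PKI tooling. The function names are hypothetical and treating wrappedPrivateData as Base64 text is an assumption; the attribute names and ClassName are the ones in the file shown above.

```python
import base64
import binascii
import json

# Attribute names and ClassName are the ones in the input.json shown on this page.
REQUIRED = ("clientKeyID", "dataType", "wrappedPrivateData",
            "keyAlgorithm", "realm", "keySize")
CLASS_NAME = "com.netscape.certsrv.key.KeyArchivalRequest"
AES_KEY_SIZES = {"128", "192", "256"}


def check_archival_request(text):
    """Return a list of problems in an input.json document (empty list = OK)."""
    try:
        doc = json.loads(text)
        pairs = [(a["name"], a["value"]) for a in doc["Attributes"]["Attribute"]]
        attrs = dict(pairs)
    except (ValueError, KeyError, TypeError) as exc:
        return ["not a KeyArchivalRequest document: %r" % exc]
    problems = []
    if doc.get("ClassName") != CLASS_NAME:
        problems.append("ClassName must be " + CLASS_NAME)
    for name in REQUIRED:
        if sum(1 for n, _ in pairs if n == name) > 1:
            problems.append("duplicate attribute: " + name)
        if not str(attrs.get(name, "")).strip():
            problems.append("missing or empty attribute: " + name)
    try:
        # Assumption: wrappedPrivateData carries the wrapped secret as Base64 text.
        base64.b64decode(attrs.get("wrappedPrivateData", ""), validate=True)
    except (binascii.Error, ValueError, TypeError):
        problems.append("wrappedPrivateData is not Base64 (placeholder left in?)")
    if attrs.get("keyAlgorithm") == "AES" and attrs.get("keySize") not in AES_KEY_SIZES:
        problems.append("keySize is not a valid AES key size")
    return problems


def sample_request(wrapped, key_size="128"):
    """Constructed sample: the page's input.json with a caller-supplied blob."""
    values = {"clientKeyID": "testkey", "dataType": "symmetricKey",
              "wrappedPrivateData": wrapped, "keyAlgorithm": "AES",
              "realm": "example", "keySize": key_size}
    attributes = [{"name": n, "value": v} for n, v in values.items()]
    return json.dumps({"Attributes": {"Attribute": attributes},
                       "ClassName": CLASS_NAME})


if __name__ == "__main__":
    for blob in ("...", "AAECAwQF"):  # placeholder, then constructed Base64
        print(blob, check_archival_request(sample_request(blob)))
```

The check only covers the structure of the file; whether the KRA can unwrap the secret is decided by the server when the request is submitted.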