
How To Export A Digital Certificate Private Key In Top Secret


Article ID: 53486


Products

Top Secret

Issue/Introduction

What is the method to export a certificate with a Private Key in Top Secret?

One of the problems that can arise if the private key is not on the certificate is:

TSS0499E INVALID SIGNWITH - CERTIFICATE HAS NO PRIVATE KEY

when doing:

TSS GENCERT(acid) DIGICERT(certname) LABLCERT(label) SUBJECTN('CN="xxx"' ...)
     SIGNWITH(CERTAUTH,cacert) DCDSN(data.set.name) KEYSIZE(2048)
     KEYUSAGE(HANDSHAKE) NADATE(10/22/22)

where 'cacert' is the signing certificate and does not have a private key.

Environment

Release:
Component: Top Secret

Resolution

In order to export the private key along with the certificate, certain parameters must be used on the EXPORT command.

The TSS EXPORT must be done with keywords PKCSPASS and FORMAT(PKCS12xxx).

The 'PKCS12xxx' value must be either PKCS12DER or PKCS12B64.

PKCS12B64 - Indicates DER encoded (then Base64 encoded) PKCS#12 package.
PKCS12DER - Indicates DER encoded PKCS#12 package.

PKCSPASS - Sets the password that secures the digital certificate within the data set.

Below is an example of a TSS EXPORT command that will export the private key:

TSS EXPORT(acid) DIGICERT(digicert_name) DCDSN(dataset_name)
     FORMAT(PKCS12DER) PKCSPASS('password')
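
A check that can be run on the exported data set once it has been copied off the system, added here as an example and not part of the original article: it reads the DER header to tell a PKCS#12 package (the format the article requires for exporting the private key) from a bare certificate. The function names and sample bytes are constructed for illustration; the article does not say whether a PKCS12B64 export carries PEM-style '-----' lines, so the code tolerates both.

```python
import base64
import binascii

# DER prefix shared by the PKCS#7 content-type OIDs 1.2.840.113549.1.7.x
PKCS7_OID_PREFIX = bytes.fromhex("06092a864886f70d0107")
# Constructed samples: a minimal PFX-shaped header and a certificate-shaped header
SAMPLE_PFX = bytes.fromhex("3014020103300f06092a864886f70d010701a0020400")
SAMPLE_CERT = bytes.fromhex("3006300402020001")

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def is_pfx(der):
    """True if der begins like a PKCS#12 PFX: SEQUENCE { INTEGER 3, ContentInfo }."""
    try:
        tag, start, _ = _read_tlv(der, 0)
        if tag != 0x30:  # outer SEQUENCE
            return False
        tag, vs, ve = _read_tlv(der, start)
        if tag != 0x02 or der[vs:ve] != b"\x03":  # version INTEGER must be 3
            return False  # an X.509 certificate has a nested SEQUENCE here
        tag, cs, ce = _read_tlv(der, ve)
        return tag == 0x30 and der[cs:ce].startswith(PKCS7_OID_PREFIX)
    except (ValueError, IndexError):
        return False

def classify_export(data):
    """Classify exported bytes as PKCS12DER, PKCS12B64 or NOT_PKCS12."""
    if is_pfx(data):
        return "PKCS12DER"
    try:
        lines = [ln.strip() for ln in data.decode("ascii").splitlines()]
        body = "".join(ln for ln in lines if not ln.startswith("-----"))
        decoded = base64.b64decode(body, validate=True)
    except (UnicodeDecodeError, binascii.Error):
        return "NOT_PKCS12"
    return "PKCS12B64" if is_pfx(decoded) else "NOT_PKCS12"
```

A NOT_PKCS12 result on a file that was meant to carry the private key means the export was not a PKCS#12 package or the bytes were altered after export; the check inspects only the header and does not decrypt or validate the package contents.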