cmu export
This function exports an X.509 certificate or public key from the token or HSM to a file. The supported formats are Raw (binary) and PEM (base64 encoding).
Syntax
cmu export -outputfile=<filename> [-handle=<handle#> | -ouid=<OUID#>] [-binary] [-key] [-certdelete]
| Argument(s) | Description |
|---|---|
| -binary | Defines the export format as raw binary (DER encoding) instead of the default PEM (base64) encoding. |
| -certdelete | Specifies that the certificate is to be deleted from the HSM after it is exported (equivalent to running the cmu delete command separately). |
| -handle=<handle#> | The handle of the X.509 certificate to be exported from the HSM to a file. If only one certificate is present on the partition, you do not need to specify its handle. This method of selection applies to Luna HSMs only. On a Luna Cloud HSM service slot, use -ouid. |
| -key | Specifies that the object being exported is a public key. |
| -label=<label> | This option is deprecated and it is ignored. You must specify the -handle or -ouid of the certificate to export. |
| -ouid=<OUID#> | The Object Unified Identifier (OUID) of the X.509 certificate to be exported from the HSM to a file. If only one certificate is present on the partition, you do not need to specify its OUID. This method of selection |
| -outputfile=<filename> | Defines the name of the file that receives the exported certificate. |
Common CMU Options
Some options are commonly available to all cmu commands. They are described below.
| Argument(s) | Description |
|---|---|
| -ecdsasigpadalways | Specifies that you wish to pad ECDSA signature R and S values with a leading 0. |
| -ecdsasigpadnever | Specifies that you do not wish to pad ECDSA signature R and S values. |
| -password=<password> -pin=<password> | The password for the role accessing the current slot, with the current command. If this is not specified, you are prompted for it. |
| -slot=<slot#> | The slot to be acted upon, by the current command. If this is not specified, you are prompted for it. |
| -so | Specifies that you wish to perform the command as Partition Security Officer for that slot. If a role is not specified, the Crypto Officer role is used by default. |
Example
The following command outputs the certificate with handle 7 to file test.cer in PEM format:
cmu export -handle=7 -outputfile=test.cer
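
Because -certdelete removes the certificate from the HSM once it has been exported, it is worth confirming that an export file is complete and in the expected encoding (PEM by default, DER with -binary) before the on-HSM copy is deleted. The Python check below is an added example, not part of the product documentation or the cmu tool; the function names and the expected PEM labels are assumptions, the sample bytes are constructed, and only the outer structure is checked (PEM armor and one complete DER SEQUENCE), not the X.509 contents.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def is_single_der_sequence(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (tag 0x30) with no trailing bytes."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                          # short-form length
        header, length = 2, der[1]
    else:                                      # long-form length
        n = der[1] & 0x7F
        if not 1 <= n <= 4 or len(der) < 2 + n or der[2] == 0:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
        if length < 0x80:                      # DER requires the minimal form
            return False
    return header + length == len(der)

def inspect_export(data: bytes, binary: bool = False, key: bool = False) -> dict:
    """Check export-file bytes against the options used (-binary, -key)."""
    armor = PEM_RE.search(data)
    if binary:
        if armor:
            raise ValueError("-binary was used but the file has PEM armor")
        der, label = data, None
    else:
        if not armor:
            raise ValueError("PEM expected but no BEGIN/END armor found")
        label = armor.group(1).decode()
        # Assumed labels (RFC 7468 style); the page does not state cmu's labels.
        ok = label.endswith("PUBLIC KEY") if key else label == "CERTIFICATE"
        if not ok:
            raise ValueError(f"unexpected PEM label: {label}")
        der = base64.b64decode(b"".join(armor.group(2).split()), validate=True)
    if not is_single_der_sequence(der):
        raise ValueError("payload is not a single complete DER SEQUENCE")
    return {"encoding": "DER" if binary else "PEM", "label": label,
            "sha256": hashlib.sha256(der).hexdigest()}

# Constructed sample (a 5-byte DER SEQUENCE, not a real certificate).
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")
```

Pass the bytes of the export file together with the same -binary and -key choices used on the cmu export command line; the returned SHA-256 is over the DER bytes, so a PEM export and a -binary export of the same object give the same value.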