cmu export

This function exports an X.509 certificate or public key from the token or HSM to a file. The supported formats are Raw (binary) and PEM (base64 encoding).

Syntax

cmu export -outputfile=<filename> [-handle=<handle#> | -ouid=<OUID#>] [-binary] [-key] [-certdelete]

Argument(s) Description
-binary Defines the export format as raw binary (DER encoding) instead of the default PEM (base64) encoding.
-certdelete Specifies that the certificate is to be deleted from the HSM after it is exported (equivalent to running the cmu delete command separately).
-handle=<handle#> The handle of the X.509 certificate to be exported from the HSM to a file. If only one certificate is present on the partition, you do not need to specify its handle. This method of selection applies to Luna HSMs only. On a Luna Cloud HSM service slot, use -ouid.
-key Specifies that the object being exported is a public key.
-label=<label> This option is deprecated and ignored. You must specify the -handle or -ouid of the certificate to export.
-ouid=<OUID#> The Object Unified Identifier (OUID) of the X.509 certificate to be exported from the HSM to a file. If only one certificate is present on the partition, you do not need to specify its OUID. This method of selection requires Luna HSM Client 10.2.0 or newer, and applies to Luna Cloud HSM services only. On a Luna HSM slot, use -handle.
-outputfile=<filename> Defines the name of the file that receives the exported certificate.

Common CMU Options

Some options are commonly available to all cmu commands. They are described below.

Argument(s) Description
-cu Specifies that you wish to perform the command as the partition's Crypto User. If the CU is not authorized to perform the operation, the command fails. If a role is not specified, the Crypto Officer role is used by default. Requires minimum Luna HSM Client 10.4.0.
-lco Specifies that you wish to perform the command as the partition's Limited Crypto Officer. If the LCO is not authorized to perform the operation, the command fails. If a role is not specified, the Crypto Officer role is used by default. Requires minimum Luna HSM Firmware 7.7.0 and minimum Luna HSM Client 10.3.0.
-password=<password>, -pin=<password> The password for the role accessing the current slot, with the current command. If this is not specified, you are prompted for it.
-ped=<PED_ID> Specifies the PED ID for the registered Remote PED that will handle authentication for the current slot, with the current command. You must specify this parameter to use Remote PED authentication.
-slot=<slot#> The slot to be acted upon, by the current command. If this is not specified, you are prompted for it.
-so Specifies that you wish to perform the command as Partition Security Officer for that slot. If a role is not specified, the Crypto Officer role is used by default. If you are logging in to the admin partition, the HSM SO role is the default, so this option does nothing.

Example

The following command outputs the certificate with handle 7 to file test.cer in PEM format:

cmu export -handle=7 -outputfile=test.cer
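
Because -certdelete removes the certificate from the HSM after export, it is worth confirming that the output file is intact first. The Python below is an added example, not part of the product documentation: it detects whether a file's contents are PEM or raw DER (the -binary format), checks that the DER is one complete ASN.1 SEQUENCE, and computes a SHA-256 fingerprint that is the same for both formats. The function names are hypothetical and the sample bytes are constructed, not a real certificate.

```python
import base64
import hashlib
import re

# PEM armor: BEGIN/END lines with a matching label around a base64 body.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

def load_der(data):
    """Return (format, DER bytes) for the contents of an exported file."""
    match = PEM_RE.search(data)
    if match:
        body = b"".join(match.group(2).split())  # drop line breaks
        return "PEM", base64.b64decode(body, validate=True)
    return "DER", data

def der_is_complete(der):
    """True if der is exactly one ASN.1 SEQUENCE: nothing missing, nothing trailing."""
    if len(der) < 2 or der[0] != 0x30:  # 0x30 = SEQUENCE tag
        return False
    first = der[1]
    if first < 0x80:  # short form: the length is in this octet
        length, header = first, 2
    else:  # long form: low 7 bits give the number of length octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)

def check_export(data):
    """Summarize an exported file: encoding, structural check, fingerprint."""
    fmt, der = load_der(data)
    return {"format": fmt,
            "complete": der_is_complete(der),
            "sha256": hashlib.sha256(der).hexdigest()}

# Constructed sample: a SEQUENCE header followed by 256 filler bytes.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    samples = {"binary": SAMPLE_DER, "pem": SAMPLE_PEM,
               "truncated": SAMPLE_DER[:-10]}
    for name, blob in samples.items():
        print(name, check_export(blob))
```

To check a real export, pass the file's bytes to check_export, for example the contents of test.cer read in binary mode.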