Name

OpenXPKI::Server::Workflow::Activity::Tools::CertificateExport

Description

Create a text export for a certificate using a template. The export file can contain the chain and private key.

Configuration

Activity parameters

cert_identifier: The cert to be exported.
private_key: The PEM encoded private key, protected by the given key_password. Mandatory if the private key can not be found in the datapool.
export_format, optional: Only used in plain export mode (no template and no key export), defines the format of the certificate to be written into the target_key. The default is to export the PEM encoded certificate.

PEM: Exports the certificate as PEM block
DER: Exports the certificate in DER format as binary! Will obey the base64 flag.
PKCS7: Create a PKCS7 bundle including the issuer chain, will contain the root certificate if include_root_cert is set.
PKCS7DER: Same as PKCS7 but the output is the raw binary DER encoding, will obey the base64 flag.
BUNDLE: Same as PKCS7 but the certificates are exported into the context as array of PEM encoded blocks. The entity certificate is the first item.

template: A template toolkit string or, in conjunction with template_dir, the name of a template file to be used to render the output. Will override export_format.
The parser is called with six parameters. Certificates are PEM encoded, keys might be in binary format, depending on the key_format parameter!

cert_identifier: The cert_identifier
certificate: The PEM encoded certificate.
subject: The subject of the certificate
ca: The PEM encoded root certificate, might be empty if the chain can not be completed.
key: The private key, requires the key_password to be set to the correct value. Obviously, keys are only available if created or imported.
chain: An ARRAY of PEM encoded intermediates, might be empty.

template_dir: Optional, if set then template is considered to be a filename in template_dir that contains the template string.
key_password: The password which was used to persist the key, also used for encrypting the exported key if export_password is not set.
key_format, optional: @see OpenXPKI::Server::API2::Plugin::Cert::private_key
export_password, optional: Encrypt the key with this password instead of the input password. Ignored if empty, to export unencrypted, you must also set the unencrypted flag.
unencrypted, optional: Set this to a boolean true value AND set export_password to the empty string to export the key unencrypted.
alias, optional: For PKCS12 sets the so called "friendly name" for the certificate. For Java Keystore sets the keystore alias. Parameter is ignored for any other key types.
include_root_cert, optional: Only valid with PKCS12, JavaKeyStore or Bundle/PKCS7 format. If set to a true value, the root certificate will be included in the output. Warning: Root certificates should be distributed and validated with a defined process and not as a "drive-by"! Enable this only if you are sure about the implications.
die_on_error: Boolean, if true the activity will throw an exception if the private key could not be restored (which usually means that the wrong password was provided). If false/not set, the target_key is just empty on error.
target_key, optional: The context key to write the result to, default is certificate_export. Note: If you export a key and use a persisted workflow, this will leave the (password protected) key readable in the context forever.
base64, optional: Boolean, if set the output is wrapped by a base64 encoding to avoid raw binary data in context. Only available with format DER or PKCS7DER. Ineffective when a template is set, use the template definition instead.