Downloading certificates, private keys, and root chains

You can download the certificate, private key, and root chain from the Trust Protection Platform database so you can manually install them on your servers.

  1. From the TLS Protect menu bar, click click Inventory > Certificates.

    TIP  You can also access the Download option from a specific certificate's Details page.

  2. In the certificate list, find the certificate you want to download.

  3. Choose one of the following:

    • From the certificate list, click Download using the action button.

    • Click the certificate's Nickname to open its details page, and then click > Download.

  1. From the Format list, select the format you want to use for the download.

    • PEM (PKCS#8)
    • PEM (OpenSSL)
    • DER
    • PKCS#7

    • PKCS#12

    • Java Keystore (JKS)

      If PKCS#12 isn't listed it could be due to one or more of the following reasons:

      • the user doesn't have Private Key Read permission

      • the certificate doesn't have a private key

      • the certificate was enrolled with a User Provided CSR

      • the certificate was found during the Discovery process

        PKCS#12 requires the private key to be available. If Trust Protection Platform does not have the private key or if the user does not have permissions to download the private key, PKCS#12 will not be a download option.

    (Optional) If you select Base64 (OpenSSL) or PKCS#12 formats, you can configure the Friendly name, which will be used as the alias for the certificate.

    (Optional) If you select PKCS#12 format, you can define a password. It will be required to access the downloaded certificate and private key.

  2. Enter names and passwords as needed.
  3. Click Download.
  4. Follow the onscreen prompts to download and install the certificate.

  1. Log in to Policy Tree.

    IMPORTANT  You must have view and read permissions to the Certificate object to download the certificate or root chain. You must have the private key read permission to the Certificate object to download a private key.

  2. From the Tree drop-down menu, select the Policy tree.
  3. In the Policy tree, select the Certificate object from which you are going to download the certificate and private key.
  4. Do one of the following:
    • Click the Certificate > Settings tab.
    • Click the Certificate > History tab.

    • Click Download.

  5. The Download Certificate dialog appears.

  6. (Optional) To include the private key with the certificate download, select Include Private Key.
  7. (Optional) To include the certificate’s associated root and intermediate root certificates, select Include Root Chain.

  8. Designate the format in which you want to save the certificate files.

    • Base64 (PKCS#8)
    • Base64 (OpenSSL)
    • DER
    • PKCS#7
    • PKCS#12

    • Java Keystore (JKS)

      If PKCS#12 isn't listed it could be due to one or more of the following reasons:

      • the user doesn't have Private Key Read permission

      • the certificate doesn't have a private key

      • the certificate was enrolled with a User Provided CSR

      • the certificate was found during the Discovery process

        PKCS#12 requires the private key to be available. If Trust Protection Platform does not have the private key or if the user does not have permissions to download the private key, PKCS#12 will not be a download option.

      (Optional) If you select the Base64 (OpenSSL) or PKCS#12 formats, you can configure the Friendly name, which will be used as the alias for the certificate.

      (Optional) If you select PKCS#12 format, you can define a password. It will be required to access the downloaded certificate and private key.

  9. Click Download.
  10. In the File Download dialog, click Save, then browse to the Directory where you want to save the file.

  11. Click Save to save the file.

    Trust Protection Platform downloads the certificate and, optionally, the private key and root chain, from the Trust Protection Platform database. You can now use the download file to install the certificate, private key, and root chain on your encryption system servers.