How to export PKCS#12 file from the keystore of SCM Network Agent?

Network Agent Keystore Operations Reference 

Overview: 
This document provides the steps and command references for locating the Network Agent keystore, exporting certificates, converting keystores, extracting private keys, and creating PFX bundles.

 

Section 1: Keystore File Location 

Windows 

C:\ProgramData\Sectigo\Network Agent\ks 
  

Linux 

/var/opt/sectigo-network-agent/ks 
 
 

Section 2: Commands Overview 

  • Export certificate from a JKS keystore by alias 
    Uses keytool -exportcert 
  • Convert JKS keystore to PKCS#12 (.p12) 
    Uses keytool -importkeystore 
  • Extract private key (PEM) from PKCS#12 (.p12) keystore 
    Uses openssl pkcs12 -nocerts -nodes 
  • Create a PFX bundle from certificate and private key 
    Uses openssl pkcs12 -export 

 

Section 3: Parameters (Common) 

| Parameter | Type | Required | Description |
|---|---|---|---|
| -alias | String | Yes | The alias name of the certificate/key entry inside the keystore. |
| -file | Path | Yes | Output file path for exported certificate. |
| -keystore | Path | Yes | Input keystore file (e.g., keystore.jks). |
| -srckeystore | Path | Yes | Source keystore path for conversion. |
| -destkeystore | Path | Yes | Destination keystore path for conversion (e.g., keystore.p12). |
| -deststoretype | Enum | Yes | Destination keystore type, e.g., PKCS12. |
| -in | Path | Yes | Input file path (for openssl, the source .p12 or certificate file). |
| -inkey | Path | Yes | Private key file to include in PFX export. |
| -out | Path | Yes | Output file path (PEM or PFX). |
| -nocerts | Flag | No | When set, excludes certificates, exporting private key only. |
| -nodes | Flag | No | When set, disables encryption for private key output (PEM). |
| Keystore password | Secret | Often | Password for source/destination keystores (prompted interactively if not provided). |

Note: Commands may prompt for keystore and key passwords interactively if not passed on the command line. 

 

Section 4: Example Commands 

4.1 Export the certificate from the JKS keystore by alias 

keytool -exportcert \
  -alias <alias_name_for_cert> \
  -file <yourfile.crt> \
  -keystore <keystore.jks>
 

Example 

keytool -exportcert -alias agent-cert -file agent.crt -keystore ks/keystore.jks 
 

 

4.2 Convert JKS keystore to PKCS#12 (.p12) 

keytool -importkeystore \
  -srckeystore <keystore.jks> \
  -destkeystore <keystore.p12> \
  -deststoretype PKCS12
 

Example 

keytool -importkeystore -srckeystore ks/keystore.jks -destkeystore ks/keystore.p12 -deststoretype PKCS12 
 

4.3 Extract the private key (PEM) from the PKCS#12 keystore

openssl pkcs12 -in <keystore.p12> -nocerts -nodes -out <privatekey.pem> 
 

Example 

openssl pkcs12 -in ks/keystore.p12 -nocerts -nodes -out agent-privatekey.pem 
 

Security Note: -nodes writes the private key unencrypted in PEM format. Store and transmit it securely. If you want an encrypted private key, omit -nodes and set a passphrase when prompted.

 

4.4 Generate a PFX bundle from the certificate and private key 

openssl pkcs12 -export \
  -out <cert.pfx> \
  -inkey <privatekey.pem> \
  -in <yourfile.crt>
 

Example 

openssl pkcs12 -export -out agent.pfx -inkey agent-privatekey.pem -in agent.crt 
 

Tip: If you also have an intermediate/chain certificate, include it with -certfile <chain.crt> to produce a full chain PFX: 

openssl pkcs12 -export -out agent.pfx -inkey agent-privatekey.pem -in agent.crt -certfile chain.crt 
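
The following is an added example, not Sectigo's own code. It wraps steps 4.3 and 4.4 so the private key is never written unencrypted and the PFX is only built when the key actually belongs to the certificate. The function names and the P12_PASS, KEY_PASS and PFX_PASS environment variables are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not vendor code. Passphrases come from the environment
# (P12_PASS, KEY_PASS, PFX_PASS are assumed names) so they never appear in
# the process argument list or shell history.
set -u
umask 077   # files created below are readable by the owner only (0600)

# Print a certificate as PEM. keytool -exportcert writes DER unless -rfc is
# given, so fall back to DER when PEM parsing fails.
cert_pem() {
  openssl x509 -in "$1" 2>/dev/null || openssl x509 -inform DER -in "$1"
}

# Step 4.3 without -nodes: the key leaves the .p12 re-encrypted under KEY_PASS.
extract_key() {  # usage: extract_key <keystore.p12> <privatekey.pem>
  openssl pkcs12 -in "$1" -nocerts -passin env:P12_PASS \
    -passout env:KEY_PASS -out "$2"
}

# Step 4.4, refused unless the private key belongs to the certificate.
build_pfx() (    # usage: build_pfx <privatekey.pem> <cert> <out.pfx>
  pem=$(cert_pem "$2") || exit 1
  cert_pub=$(printf '%s\n' "$pem" | openssl x509 -noout -pubkey) || exit 1
  key_pub=$(openssl pkey -in "$1" -passin env:KEY_PASS -pubout) || exit 1
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "refusing to bundle: $1 does not match $2" >&2
    exit 1
  fi
  printf '%s\n' "$pem" | openssl pkcs12 -export -inkey "$1" \
    -passin env:KEY_PASS -passout env:PFX_PASS -out "$3"
)
```

Source the file, export the three passphrase variables, then run extract_key followed by build_pfx; a mismatched key and certificate pair leaves no PFX behind.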
 

 

Section 5: Notes & Best Practices 

  • Permissions: On Linux, ensure appropriate permissions on /var/opt/sectigo-network-agent/ks and protect private keys (chmod 600). 
  • Backups: Always back up keystores before conversion or extraction. 
  • Alias discovery: To list entries and find aliases in a JKS:

    keytool -list -v -keystore <keystore.jks>

  • Certificate format: keytool -exportcert may produce DER by default; add -rfc to output a PEM-formatted certificate if needed:

    keytool -exportcert -rfc -alias <alias> -file <yourfile.crt> -keystore <keystore.jks>
