I can't extract private keys from EJBCA Community Edition - PrivateKeyNotExtractableException

Question

Started using EJBCA Community Edition and I'm fairly happy with it although a bit overkill for my needs. I would like to back up the private keys for my Root and Issuer CA in case I later decide for a different tool or to simply do this with openssl instead.

I'm reading that I can use

$ ejbca.sh ca exportca SomeCA SomeCA.p12

to get the private key.

However I'm getting an exception:

org.cesecore.keys.token.PrivateKeyNotExtractableException: Crypto Token 2750234253 does not allow to extract private keys.

How can I get my private keys?

Answer 1

This is probably because you didn't tick the Allow export of private keys option when you created your Crypto Token.

Assuming you've not used a Hardware Crypto Token (such as a HSM), then in theory, as the private key is stored somewhere on your CA, it should be accessible if you apply enough effort and skill to it.

As you're only starting up, I'd suggest you create a new Crypto Token and therefore new keys/certificates unfortunately, with the above option ticked; or alternatively, create the replacement keys and Root certificate with OpenSSL and import them into EJBCA. That way you'll have a backup without needing to export.

Answer 2

For soft crypto tokens you can go into the Admin UI->Crypto Tokens. Select your crypto token, click "switch to edit mode", check the checkbox "Allow export of private keys" and save. Now you can export the keys.