Skip to content

Downloading certificates, certificate chains, and keystores

You can download both certificates and keystores from TLS Protect Cloud after a certificate has been issued. This can be done using the TLS Protect Cloud or via the API.

Downloading a keystore

Keystore download is available only when the key pair was generated by Venafi.

For information on using the API, see Downloading a certificate.

  1. Sign in to Venafi Control Plane.

  2. Go to Inventory > Certificates to find the certificate you want to download.

    OR

  3. Go to Applications and find the application that the certificate is assigned to. In the certificate's row, click the number in the Certificates column. This opens the certificate inventory filtered on this application's certificates.

  4. Click the checkbox next to the certificates that you want to download.

    1. In the local menu bar, click Download.
    2. Select the Certificate only radio button.
    3. Select the PEM (End entity only) radio button.
    4. Click Download.
    1. In the local menu bar, click Download.
    2. Select the Certificate only radio button.
    3. Select either of the PEM (full chain) options, depending on whether you want the End Entity (EE) or Root certificate listed first in the download.
    4. Click Download.

    Downloading a keystore

    Keystore download is available only when the key pair was generated by TLS Protect Cloud.

    1. In the local menu bar, click Download.
    2. Select the Keystore radio button.
    3. Choose an export format.
    4. Enter a password, which will be used to encrypt the private key.
    5. Optional (for PKCS12): To use the legacy encryption algorithm, select the Use legacy algorithm checkbox.
    6. Click Download.

    Changed behavior

    TLS Protect Cloud now uses a modern encryption algorithm by default when generating keystores in PKCS12 format. Previously, the legacy algorithm was used by default for PKCS12.