
Downloading certificates, certificate chains, and keystores

You can download both certificates and keystores from TLS Protect Cloud at any point after you have issued a certificate, using either the TLS Protect Cloud user interface or the API.

Downloading a keystore

You can only download keystores when TLS Protect Cloud issued the key pair. If another tool generated the key pair, TLS Protect Cloud doesn't have the private key, so it can't generate the keystore to download.

For information on using the API, see Downloading a certificate.

  1. Sign in to Venafi Control Plane.

  2. Find the certificate you want to download by doing either of the following:

    • Go to Inventory > Certificates and use filters to find the certificate you want to download. Or,

    • Go to Applications and find the application that the certificate is assigned to. In the certificate's row, click the number in the Certificates column. This opens the certificate inventory filtered on this application's certificates.

  3. Click the checkbox next to the certificates that you want to download.

    Use the instructions below that match what you want to download: the certificate itself, the certificate chain, or the keystore (if it's available).

    Downloading a certificate

    1. In the local menu bar, click Download.
    2. Select the Certificate only radio button.
    3. Select the PEM (End entity only) radio button.
    4. Click Download.

    Downloading a certificate chain

    1. In the local menu bar, click Download.
    2. Select the Certificate only radio button.
    3. Select either of the PEM (full chain) options, depending on whether you want the End Entity (EE) or Root certificate listed first in the download.
    4. Click Download.

    Downloading a keystore

    Keystore download is available only when TLS Protect Cloud generated the key pair. When TLS Protect Cloud generates the key pair, it has access to the private key. If another system generated the key pair, TLS Protect Cloud doesn't have access to the private key, so it can't generate the keystore.

    1. In the local menu bar, click Download.
    2. Select the Keystore radio button.
    3. Choose an export format.
    4. Enter a password, which will be used to encrypt the private key.
    5. Optional (for PKCS12): To use the legacy encryption algorithm, select the Use legacy algorithm checkbox.

      Changed behavior

      TLS Protect Cloud now uses a modern encryption algorithm by default when generating keystores in PKCS12 format. Previously, the legacy algorithm was used by default for PKCS12.

    6. Click Download.
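
As an added example (not Venafi's code), this Python check reports which order a downloaded PEM (full chain) file is in, by matching each certificate's issuer name against its neighbor's subject name. The function names and the constructed stand-in certificates are assumptions for illustration; the check compares names only and does not verify signatures.

```python
import re
import ssl
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of one certificate."""
    _, pos, _ = _tlv(der, 0)        # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)      # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    pos = end if tag == 0xA0 else pos   # skip optional [0] version (absent in v1)
    fields = []
    for _ in range(5):              # serial, sig alg, issuer, validity, subject
        _, _, end = _tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def chain_order(pem_text):
    """Classify a PEM bundle by byte-exact name chaining (no signature checks)."""
    names = [issuer_subject(ssl.PEM_cert_to_DER_cert(b)) for b in PEM_RE.findall(pem_text)]
    if len(names) < 2:
        return "single" if names else "empty"
    pairs = list(zip(names, names[1:]))
    if all(a[0] == b[1] for a, b in pairs):   # each issuer is the next subject
        return "ee-first"
    if all(a[1] == b[0] for a, b in pairs):   # each subject is the next issuer
        return "root-first"
    return "unordered"

def sample_cert(issuer, subject):
    """Constructed stand-in with a certificate's field layout (not a valid cert)."""
    der = lambda tag, body: bytes([tag, len(body)]) + body   # short lengths only
    name = lambda cn: der(0x30, der(0x0C, cn.encode()))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
           + name(issuer) + der(0x30, b"") + name(subject))
    return ssl.DER_cert_to_PEM_cert(der(0x30, der(0x30, tbs)))

if __name__ == "__main__":
    ee = sample_cert("Example Root", "www.example.test")
    root = sample_cert("Example Root", "Example Root")
    print(chain_order(ee + root), chain_order(root + ee))
```

To check a real download, pass the file's text to `chain_order()`; an "unordered" result means the bundle is not a single issuer-to-subject chain in either direction.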