getCert - AWS CloudHSM


With the getCert command in cloudhsm_mgmt_util, you can retrieve the certificates of a particular HSM in a cluster. When you run the command, you designate the type of certificate to retrieve. To do that, you use one of the corresponding integers as described in the Arguments section below. To learn about the role of each of these certificates, see Verify HSM Identity.

Before you run any CMU command, you must start CMU and log in to the HSM. Be sure that you log in with a user type that can run the commands you plan to use.

If you add or delete HSMs, update the configuration files for CMU. Otherwise, the changes that you make might not be effective for all HSMs in the cluster.

User type

The following users can run this command.

  • All users.


Before you begin, you must enter server mode on the target HSM. For more information, see server.


To use the getCert command once in server mode:

server> getCert <file-name> <certificate-type>


First, enter server mode. This command enters server mode on an HSM with server number 0.

aws-cloudhsm> server 0 Server is in 'E2' mode...

Then, use the getCert command. In this example, we use /tmp/PO.crt as the name of the file to which the certificate will be saved and 4 (Customer Root Certificate) as the desired certificate type:

server0> getCert /tmp/PO.crt 4 getCert Success


getCert <file-name> <certificate-type>

Specifies the name of the file to which the certificate is saved.

Required: Yes


An integer that specifies the type of certificate to retrieve. The integers and their corresponding certificate types are as follows:

  • 1 – Manufacturer Root Certificate

  • 2 – Manufacturer Hardware Certificate

  • 4 – Customer Root Certificate

  • 8 – Cluster Certificate (signed by Customer Root Certificate)

  • 16 – Cluster Certificate (chained to the Manufacturer Root Certificate)

Required: Yes

Related topics