getCert - AWS CloudHSM


The getCert command in key_mgmt_util retrieves an HSM's partition certificates and saves them to a file. When you run the command, you designate the type of certificate to retrieve. To do that, you use one of the corresponding integers as described in the Parameters section that follows. To learn about the role of each of these certificates, see Verify HSM Identity.

Before you run any key_mgmt_util command, you must start key_mgmt_util and log in to the HSM as a crypto user (CU).


getCert -h getCert -f <file-name> -t <certificate-type>


This example shows how to use getCert to retrieve a cluster's customer root certificate and save it as a file.

Example : Retrieve a customer root certificate

This command exports a customer root certificate (represented by integer 4) and saves it to a file called userRoot.crt. When the command succeeds, getCert returns a success message.

Command: getCert -f userRoot.crt -s 4 Cfm3GetCert() returned 0 :HSM Return: SUCCESS


This command takes the following parameters.


Displays command line help for the command.

Required: Yes


Specifies the name of the file to which the retrieved certificate will be saved.

Required: Yes


An integer that specifies the type of partition certificate to retrieve. The integers and their corresponding certificate types are as follows:

  • 1 – Manufacturer root certificate

  • 2 – Manufacturer hardware certificate

  • 4 – Customer root certificate

  • 8 – Cluster certificate (signed by customer root certificate)

  • 16 – Cluster certificate (chained to the manufacturer root certificate)

Required: Yes

Related topics