Exporting credentials to a file

You can export the credentials in a TLS Credentials document to a file.

About this task

To export credentials to a file, you must have selected the option Create exportable key at the time you created the certificates through certstore.nsf. If you imported an existing credentials from a file into certstore, you must have selected the option Import TLS credentials - exportable. In either case, you specified a password which you need to provide in this procedure to export the credentials.


  1. To export credentials to a file, open the TLS Credentials document that has the credentials to export.
  2. At the top of the document, click Export TLS Credentials. If you don't see this option, the credentials were not created or imported to allow this functionality.
  3. In the Format field, select one of the following encryption formats:
    • PKCS12 - Binary encoded X.509 (P12/PFX)
    • Base64 encoded X.509 (PEM, AES256 encrypted)

    Exporting credentials to a PEM or PKCS#12 file, uses the newer PBES2 with 256 bit AES, 4096 iterations, and HMAC-SHA2, by default, in accordance with current best practices.

    If you need to export PKCS#12 formatted credentials for use with a pre-12.0.1 version of Notes or Domino or a different product that does not support PKCS#12 files that are encrypted with AES, use the following notes.ini setting on the Notes client that you use to run certstore.nsf: PKCS12_EXPORT_LEGACY=1. This setting downgrades all of the PKCS#12 files exported to use SHA-1 and 3DES instead of SHA-2 and AES-256. An example of a product that does not currently support PKCS#12 files encrypted with AES is HCL Sametime V11.

  4. In the File name field, specify the path for the exported file.
  5. In the Friendly name field, specify an optional descriptive name.
  6. In the Current password field, specify the password you provided when you allowed the credentials to be exported.
  7. In the New password and Verify password fields, provide a new password for the exported file.