[ Bottom of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]

Commands Reference, Volume 3

keyadd Command


keyadd retrieves objects from the source keystore and adds them to the destination keystore.


keyadd [-S servicename] -l label -s source_keystore [-d destination_keystore] [username]


The keyadd command retrieves the objects named by label from the source keystore and adds them to the destination keystore. In a keystore, a user may have the private key, public key and the certificate stored using the same label. All objects matching a label are copied regardless of the object type. If an object with the same label already exists in the destination keystore, the command returns an error. This forces the user to explicitly remove an existing object instead of blindly destroying it.

Attention: Generally, there is no way to recover a destroyed object.

The -S option specifies which end-entity services and libraries to use while adding the objects from the keystore. Available services are defined in /usr/lib/security/pki/ca.cfg. When invoked without -S, keydelete will use the default service, which is local. It is an error to specify a servicename which does not have an entry in the /usr/lib/security/ pki/ca.cfg file.

The -l option must be specified. This label uniquely identifies an object in the keystore to be copied. The -s option must also be specified.

If the -d option is not given, the username's default keystore file will be used as the destination keystore The user's default keystore location is /var/pki/security/keys/<username>.

If no username is given, the currend user's username will be used. The user will be prompted for the password of the destination keystore and the source keystore. If the destination keystore does not exist, one will be created and the user will be asked to enter the destination keystore password again for confirmation.


-S servicename Specifies which service module to use.
-l label Specifies the label associated with the key to be added.
-s source_keystore Species the location of the source destination keystore.
-d destination_keystore Specifies the location of the destination keystore.

Exit Status

0 The command completed successfully.
>0 An error occurred.


This is a setuid command. In order to list the contents of a keystore the user must know the password of the private keystore.

Root and invokers belonging to group security are allowed to list anybody's keystore. However, they can only successfully complete this operation if they know the password to the keystore. A non-privileged user is only allowed to list the keystore that he owns.


This command records the following event information:

KEY_Add <username>


To copy a keystore object labeled as label from /var/pki/security/keys/src.keystore to /var/pki/security/keys/dst.keystore, enter:

$ keyadd -s /var/pki/security/keys/src.keystore -d /var/pki/ 
security/keys/dst.keystore -l label pkitest




Related Information

The certadd, certcreate, certdelete, certget, certlink, certlist, certrevoke, certverify, keydelete, keylist, keypasswd and mksecpki commands.

[ Top of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]