5 files changed, 58 insertions, 4 deletions

diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index 503bd412b..30b1d4793 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -545,6 +545,9 @@ class NSSDatabase(object):
                       pkcs12_password_file=None,
                       nicknames=None,
                       append=False,
+                      include_trust_flags=True,
+                      include_key=True,
+                      include_chain=True,
                       debug=False):
 
         tmpdir = tempfile.mkdtemp()
@@ -580,6 +583,15 @@ class NSSDatabase(object):
             if append:
                 cmd.extend(['--append'])
 
+            if not include_trust_flags:
+                cmd.extend(['--no-trust-flags'])
+
+            if not include_key:
+                cmd.extend(['--no-key'])
+
+            if not include_chain:
+                cmd.extend(['--no-chain'])
+
             if debug:
                 cmd.extend(['--debug'])
 
diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
index 728a9efd1..08a0850ff 100644
--- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
@@ -150,7 +150,7 @@ public class PKCS12ExportCLI extends CLI {
 
             if (nicknames.length == 0) {
                 // load all certificates
-                util.loadFromNSS(pkcs12);
+                util.loadFromNSS(pkcs12, includeKey, includeChain);
 
             } else {
                 // load the specified certificates
diff --git a/base/server/python/pki/server/cli/instance.py b/base/server/python/pki/server/cli/instance.py
index 4eeee5d60..7520b32b8 100644
--- a/base/server/python/pki/server/cli/instance.py
+++ b/base/server/python/pki/server/cli/instance.py
@@ -77,6 +77,9 @@ class InstanceCertExportCLI(pki.cli.CLI):
         print('      --pkcs12-password <password>   Password for the PKCS #12 file.')
         print('      --pkcs12-password-file <path>  Input file containing the password for the PKCS #12 file.')
         print('      --append                       Append into an existing PKCS #12 file.')
+        print('      --no-trust-flags               Do not include trust flags')
+        print('      --no-key                       Do not include private key')
+        print('      --no-chain                     Do not include certificate chain')
         print('  -v, --verbose                      Run in verbose mode.')
         print('      --debug                        Run in debug mode.')
         print('      --help                         Show help message.')
@@ -88,7 +91,8 @@ class InstanceCertExportCLI(pki.cli.CLI):
             opts, args = getopt.gnu_getopt(argv, 'i:v', [
                 'instance=',
                 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
-                'append', 'verbose', 'debug', 'help'])
+                'append', 'no-trust-flags', 'no-key', 'no-chain',
+                'verbose', 'debug', 'help'])
 
         except getopt.GetoptError as e:
             print('ERROR: ' + str(e))
@@ -102,6 +106,9 @@ class InstanceCertExportCLI(pki.cli.CLI):
         pkcs12_password = None
         pkcs12_password_file = None
         append = False
+        include_trust_flags = True
+        include_key = True
+        include_chain = True
         debug = False
 
         for o, a in opts:
@@ -120,6 +127,15 @@ class InstanceCertExportCLI(pki.cli.CLI):
             elif o == '--append':
                 append = True
 
+            elif o == '--no-trust-flags':
+                include_trust_flags = False
+
+            elif o == '--no-key':
+                include_key = False
+
+            elif o == '--no-chain':
+                include_chain = False
+
             elif o in ('-v', '--verbose'):
                 self.set_verbose(True)
 
@@ -154,6 +170,9 @@ class InstanceCertExportCLI(pki.cli.CLI):
                 pkcs12_password_file=pkcs12_password_file,
                 nicknames=nicknames,
                 append=append,
+                include_trust_flags=include_trust_flags,
+                include_key=include_key,
+                include_chain=include_chain,
                 debug=debug)
         finally:
             nssdb.close()
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index fe395aad6..03d48f926 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -465,6 +465,9 @@ class SubsystemCertExportCLI(pki.cli.CLI):
         print('      --pkcs12-password <password>   Password for the PKCS #12 file.')
         print('      --pkcs12-password-file <path>  Input file containing the password for the PKCS #12 file.')
         print('      --append                       Append into an existing PKCS #12 file.')
+        print('      --no-trust-flags               Do not include trust flags')
+        print('      --no-key                       Do not include private key')
+        print('      --no-chain                     Do not include certificate chain')
         print('  -v, --verbose                      Run in verbose mode.')
         print('      --debug                        Run in debug mode.')
         print('      --help                         Show help message.')
@@ -476,7 +479,8 @@ class SubsystemCertExportCLI(pki.cli.CLI):
             opts, args = getopt.gnu_getopt(argv, 'i:v', [
                 'instance=', 'cert-file=', 'csr-file=',
                 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
-                'append', 'verbose', 'debug', 'help'])
+                'append', 'no-trust-flags', 'no-key', 'no-chain',
+                'verbose', 'debug', 'help'])
 
         except getopt.GetoptError as e:
             print('ERROR: ' + str(e))
@@ -497,6 +501,9 @@ class SubsystemCertExportCLI(pki.cli.CLI):
         pkcs12_password = None
         pkcs12_password_file = None
         append = False
+        include_trust_flags = True
+        include_key = True
+        include_chain = True
         debug = False
 
         for o, a in opts:
@@ -521,6 +528,15 @@ class SubsystemCertExportCLI(pki.cli.CLI):
             elif o == '--append':
                 append = True
 
+            elif o == '--no-trust-flags':
+                include_trust_flags = False
+
+            elif o == '--no-key':
+                include_key = False
+
+            elif o == '--no-chain':
+                include_chain = False
+
             elif o in ('-v', '--verbose'):
                 self.set_verbose(True)
 
@@ -591,6 +607,9 @@ class SubsystemCertExportCLI(pki.cli.CLI):
                     pkcs12_password_file=pkcs12_password_file,
                     nicknames=nicknames,
                     append=append,
+                    include_trust_flags=include_trust_flags,
+                    include_key=include_key,
+                    include_chain=include_chain,
                     debug=debug)
 
             finally:
diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java
index 43435c822..571ee1881 100644
--- a/base/util/src/netscape/security/pkcs/PKCS12Util.java
+++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java
@@ -239,6 +239,10 @@ public class PKCS12Util {
     }
 
     public void loadFromNSS(PKCS12 pkcs12) throws Exception {
+        loadFromNSS(pkcs12, true, true);
+    }
+
+    public void loadFromNSS(PKCS12 pkcs12, boolean includeKey, boolean includeChain) throws Exception {
 
         logger.info("Loading all certificate and keys from NSS database");
 
@@ -247,7 +251,7 @@ public class PKCS12Util {
         CryptoStore store = token.getCryptoStore();
 
         for (X509Certificate cert : store.getCertificates()) {
-            loadCertFromNSS(pkcs12, cert, true, true);
+            loadCertFromNSS(pkcs12, cert, includeKey, includeChain);
         }
     }