Started using EJBCA Community Edition and I'm fairly happy with it, although it's a bit overkill for my needs. I would like to back up the private keys for my Root and Issuer CA in case I later decide on a different tool or simply do this with openssl instead.
I'm reading that I can use
$ ejbca.sh ca exportca SomeCA SomeCA.p12
to get the private key.
However I'm getting an exception:
org.cesecore.keys.token.PrivateKeyNotExtractableException: Crypto Token 2750234253 does not allow to extract private keys.
How can I get my private keys?
For soft crypto tokens you can go into the Admin UI->Crypto Tokens. Select your crypto token, click "switch to edit mode", check the checkbox "Allow export of private keys" and save. Now you can export the keys.
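Once the export succeeds, it is worth confirming that the resulting .p12 really contains the CA private key and that it matches the CA certificate before treating it as a backup. The following is an added example, not part of the original answer; it assumes OpenSSL is installed, and `verify_p12`, `make_sample` and the `P12_PASS` variable are names chosen here for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Usage idea: export P12_PASS=...; verify_p12 SomeCA.p12 && echo "backup OK"

# verify_p12 FILE: succeed only if FILE holds a private key whose public half
# equals the public key of the certificate stored with it.
# The password is read from $P12_PASS (must be exported), so it does not
# show up in the process list the way a command-line argument would.
verify_p12() {
    p12=$1
    # Public key derived from the private key inside the archive.
    key_pub=$(openssl pkcs12 -in "$p12" -nocerts -nodes -passin env:P12_PASS 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null) || return 1
    # Public key taken from the certificate that belongs to that key.
    cert_pub=$(openssl pkcs12 -in "$p12" -nokeys -clcerts -passin env:P12_PASS 2>/dev/null \
        | openssl x509 -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Constructed sample input: a throwaway self-signed "CA" packaged as PKCS#12,
# plus a certificate-only archive that must be rejected. All names are made up.
make_sample() {
    dir=$1
    (
        umask 077   # key material is created readable by the owner only
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Constructed Sample CA" \
            -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
        openssl pkcs12 -export -inkey "$dir/ca.key" -in "$dir/ca.pem" \
            -out "$dir/SampleCA.p12" -passout env:P12_PASS &&
        openssl pkcs12 -export -nokeys -in "$dir/ca.pem" \
            -out "$dir/certonly.p12" -passout env:P12_PASS
    )
}
```

The function returns non-zero for a wrong password, for an archive without a private key, and for a key that does not match the certificate, so it can gate a backup job directly.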