I don't think there is any way to do this. I wanted to provide it in JSS to implement the JCA KeyFactory class, but Bob Relyea said he didn't want to support this functionality because there is no legitimate reason for doing it.
Private keys can be extracted if they are first wrapped with a symmetric key; this is the usual way of moving a private key from one place to another.

Patrick wrote:
>If I use PK11_GenerateKeyPair with isPerm and isSensitive parameters set to
>FALSE, then I understand that the key is extractable (not tied to a token):
>how does one then extract the actual private key value from the object
>returned, which is of type SECKEYPrivateKey?
>
>-- POC
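
The wrap-then-move approach mentioned in the reply, as an added example that is not part of the original message and is not JSS or NSS code. It uses the standard JCA `Cipher` wrap and unwrap modes with the JDK's default provider; the class name, the choice of AES-GCM as the wrapping cipher, and the freshly generated keys are assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.util.Arrays;

public class WrapPrivateKeyExample {
    public static void main(String[] args) throws Exception {
        // Constructed sample keys: an RSA key pair to move, and an AES
        // wrapping key that both sides are assumed to share already.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair pair = kpg.generateKeyPair();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey wrappingKey = kg.generateKey();

        // Source side: wrap the private key under the symmetric key.
        // The result is ciphertext and is what gets transported.
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv); // fresh IV for every wrap operation
        GCMParameterSpec spec = new GCMParameterSpec(128, iv);
        Cipher wrapper = Cipher.getInstance("AES/GCM/NoPadding");
        wrapper.init(Cipher.WRAP_MODE, wrappingKey, spec);
        byte[] wrapped = wrapper.wrap(pair.getPrivate());

        // Destination side: unwrap with the same key and IV. GCM rejects
        // a modified blob with an exception instead of returning a bad key.
        Cipher unwrapper = Cipher.getInstance("AES/GCM/NoPadding");
        unwrapper.init(Cipher.UNWRAP_MODE, wrappingKey, spec);
        Key restored = unwrapper.unwrap(wrapped, "RSA", Cipher.PRIVATE_KEY);

        // These are software keys from the default provider, so their
        // encodings can be compared to confirm the round trip.
        boolean same = Arrays.equals(restored.getEncoded(),
                                     pair.getPrivate().getEncoded());
        System.out.println("wrapped length: " + wrapped.length + " bytes");
        System.out.println("round trip ok: " + same);
    }
}
```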
