$ certutil -L -d .
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
FreeIPA CA CT,C,C
$ certutil -L -d . -a -n ‘FreeIPA CA’ > freeipa.crt
The PEM certificate should now be stored in free-ipa.crt.
To extract the PEM key from key3.db use certutil, pk12util and openssl.
$ certutil -K -d . -a
$ pk12util -o keys.p12 -n ‘FreeIPA Key’ -d .
$ openssl pkcs12 -in keys.p12 -out freeipa.key -nodes