# Get HSM partition certificates using AWS CloudHSM KMU
Use the **getCert** command in the AWS CloudHSM key\$1mgmt\$1util to retrieve a hardware security module's (HSM) partition certificates and saves them to a file. When you run the command, you designate the type of certificate to retrieve. To do that, you use one of the corresponding integers as described in the [Parameters](#kmu-getCert-parameters) section that follows. To learn about the role of each of these certificates, see [Verify HSM Identity](verify-hsm-identity.md).
Before you run any key\$1mgmt\$1util command, you must [start key\$1mgmt\$1util](key_mgmt_util-setup.md#key_mgmt_util-start) and [log in](key_mgmt_util-log-in.md) to the HSM as a crypto user (CU).
## Syntax
```
getCert -h
getCert -f
-t
```
## Example
This example shows how to use **getCert** to retrieve a cluster's customer root certificate and save it as a file.
**Example : Retrieve a customer root certificate**
This command exports a customer root certificate (represented by integer `4`) and saves it to a file called `userRoot.crt`. When the command succeeds, **getCert** returns a success message.
```
Command: getCert -f userRoot.crt -s 4
Cfm3GetCert() returned 0 :HSM Return: SUCCESS
```
## Parameters
This command takes the following parameters.
**`-h`**
Displays command line help for the command.
Required: Yes
**`-f`**
Specifies the name of the file to which the retrieved certificate will be saved.
Required: Yes
**-s**
An integer that specifies the type of partition certificate to retrieve. The integers and their corresponding certificate types are as follows:
+ **1** – Manufacturer root certificate
+ **2** – Manufacturer hardware certificate
+ **4** – Customer root certificate
+ **8** – Cluster certificate (signed by customer root certificate)
+ **16** – Cluster certificate (chained to the manufacturer root certificate)
Required: Yes
## Related topics
+ [Verify HSM Identity](verify-hsm-identity.md)