Red Hat CERTIFICATE SYSTEM 6.0 - MIGRATION GUIDE Manual page 24

Chapter 5. Step 4: Migrating Security Databases
14. Import the public/private key pairs of each entry from the PKCS #12 files into the new HSM.
pk12util -i ServerCert.p12 -d . -h new_HSM_slot_name
Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util -i caSigningCert.p12 -d . -h new_HSM_slot_name
Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util -i ocspSigningCert.p12 -d . -h new_HSM_slot_name
Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
15. Optionally, delete the PKCS #12 files.
rm ServerCert.p12
rm caSigningCert.p12
rm ocspSigningCert.p12
16. Set the trust bits on the public/private key pairs that were imported into the new HSM.
certutil -M -n "new_HSM_slot_name:Server-Cert cert-old_CA_instance" -t "cu,cu,cu" -d . -h new_HSM_token_name
certutil -M -n "new_HSM_slot_name:caSigningCert cert-old_CA_instance" -t "CTu,CTu,CTu" -d . -h new_HSM_token_name
certutil -M -n "new_HSM_slot_name:ocspSigningCert cert-old_CA_instance" -t "CTu,Cu,Cu" -d . -h new_HSM_token_name
17. Open the CS.cfg configuration file in the /var/lib/instance_ID/conf/ directory.
18. Edit the ca.signing.cacertnickname and ca.ocsp_signing.cacertnickname attributes to reflect the 7.3 CA instance.
ca.signing.cacertnickname=new_HSM_slot_name:caSigningCert cert-old_CA_instance
ca.ocsp_signing.cacertnickname=new_HSM_slot_name:ocspSigningCert cert-old_CA_instance
19. If there is CA-DRM connectivity, then also modify the ca.connector.KRA.nickname attribute.
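
The check below is an added example, not part of the Red Hat guide: it cross-checks steps 16 and 18 by confirming that each nickname set in CS.cfg appears in a saved certutil -L listing of the token with the trust flags the guide assigns. The function names, file names and the listing layout are assumptions; the sample data is constructed and deliberately gives the OCSP signing certificate the wrong flags.

```shell
#!/bin/sh
# Added example (not from the guide): check that the CS.cfg nicknames from
# step 18 name certificates that exist on the token with step 16's trust flags.
# Assumption: LISTING holds saved output of "certutil -L -d . -h <token>",
# with the trust flags as the last whitespace-separated field of each line.

trust_of() {    # trust_of LISTING NICKNAME -> prints the trust flags, if found
    awk -v want="$2" 'NF >= 2 {
        flags = $NF; nick = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)    # strip the trust column
        sub(/^[ \t]+/, "", nick)
        if (nick == want) { print flags; exit }
    }' "$1"
}

cfg_value() {   # cfg_value CFG KEY -> prints the value of the KEY= line
    awk -v k="$2=" 'index($0, k) == 1 { print substr($0, length(k) + 1); exit }' "$1"
}

check_attr() {  # check_attr CFG LISTING KEY EXPECTED_TRUST -> 0 if consistent
    nick=$(cfg_value "$1" "$3")
    case "$nick" in
        "")  echo "FAIL $3: not set"; return 1 ;;
        *:*) ;;                                   # token prefix present
        *)   echo "FAIL $3: '$nick' lacks a token prefix"; return 1 ;;
    esac
    got=$(trust_of "$2" "$nick")
    if [ "$got" != "$4" ]; then
        echo "FAIL $3: trust '${got:-not on token}', expected '$4'"; return 1
    fi
    echo "OK   $3 = $nick [$got]"
}

check_migration() {   # exit status = number of failed attributes
    fails=0
    check_attr "$1" "$2" ca.signing.cacertnickname "CTu,CTu,CTu" || fails=$((fails + 1))
    check_attr "$1" "$2" ca.ocsp_signing.cacertnickname "CTu,Cu,Cu" || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample data using the guide's placeholder names.
demo=$(mktemp -d)
printf '%s\n' 'ca.signing.cacertnickname=new_HSM_slot_name:caSigningCert cert-old_CA_instance' \
    'ca.ocsp_signing.cacertnickname=new_HSM_slot_name:ocspSigningCert cert-old_CA_instance' > "$demo/CS.cfg"
printf '%-60s %s\n' 'new_HSM_slot_name:caSigningCert cert-old_CA_instance' 'CTu,CTu,CTu' \
    'new_HSM_slot_name:ocspSigningCert cert-old_CA_instance' 'CTu,CTu,CTu' > "$demo/certs.txt"
check_migration "$demo/CS.cfg" "$demo/certs.txt" || echo "attributes needing attention: $?"
```

A nickname without the token prefix is reported separately from one that is missing from the token, since the first is a CS.cfg edit error and the second points back to the import in step 14.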
