Option 4: Hsm To Hsm Migration - Red Hat CERTIFICATE SYSTEM 6.0 - MIGRATION GUIDE Manual


reflect the 7.3 CA instance.
ca.signing.cacertnickname=caSigningCert cert-old_CA_instance
ca.ocsp_signing.cacertnickname=ocspSigningCert cert-old_CA_instance
13. If there is CA-DRM connectivity, then also modify the ca.connector.KRA.nickname attribute.
ca.connector.KRA.nickname=caSigningCert cert-old_CA_instance
14. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:
Server-Cert cert-old_CA_instance

1.4. Option 4: HSM to HSM Migration

1. Extract the public/private key pairs from the HSM. The format for the extracted key pairs should be portable, such as a PKCS #12 file.
The pk12util tool provided by Certificate System cannot extract public/private key pairs from an HSM because of requirements in the FIPS 140-1 standard which protect the private key. To extract this information, contact the HSM vendor. The extracted keys should not have any dependencies, such as nickname prefixes, on the HSM.
2. Copy the extracted key pairs from the 6.x server to the 7.3 server.
cp old_server_root/alias/ServerCert.p12 /var/lib/instance_ID/alias/ServerCert.p12
cp old_server_root/alias/caSigningCert.p12 /var/lib/instance_ID/alias/caSigningCert.p12
cp old_server_root/alias/ocspSigningCert.p12 /var/lib/instance_ID/alias/ocspSigningCert.p12
3. Open the Certificate System /alias directory.
cd /var/lib/instance_ID/alias/
4. Log in as root.
5. Set the file user and group to the Certificate System user and group.
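
The PKCS #12 files copied in step 2 hold the CA signing, OCSP signing and server private keys, so the copy should be all-or-nothing, never world-readable, and checked against the source. The following is an added example, not part of the Red Hat guide: the function name stage_p12, the 0600 mode, the checksum comparison and the optional USER:GROUP argument are assumptions of the example, and only the three file names come from the guide.

```sh
#!/bin/sh
# Added example (not from the Red Hat guide): stage the exported PKCS #12
# files named in step 2 into the new instance's alias directory.
# File names come from the guide; stage_p12, the 0600 mode and the checksum
# comparison are assumptions of this example.
P12_FILES="ServerCert.p12 caSigningCert.p12 ocspSigningCert.p12"

# Print the SHA-256 of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# stage_p12 SRC_DIR DST_DIR [USER:GROUP]
# Returns 0 on success; non-zero if a file is missing, a copy fails,
# ownership cannot be set, or a copy does not match its source.
stage_p12() {
    src=$1; dst=$2; owner=${3:-}
    if [ ! -d "$src" ] || [ ! -d "$dst" ]; then
        echo "source or destination directory missing" >&2; return 2
    fi
    # Refuse to start a partial migration: all three files must be present.
    for f in $P12_FILES; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 3; }
    done
    old_umask=$(umask); umask 077   # never create the copies world-readable
    rc=0
    for f in $P12_FILES; do
        cp "$src/$f" "$dst/$f" || { rc=4; break; }
        chmod 600 "$dst/$f" || { rc=4; break; }
        if [ -n "$owner" ]; then
            chown "$owner" "$dst/$f" || { rc=5; break; }
        fi
        if [ "$(sha256_of "$src/$f")" != "$(sha256_of "$dst/$f")" ]; then
            echo "checksum mismatch after copy: $f" >&2; rc=6; break
        fi
    done
    umask "$old_umask"
    return $rc
}
```

Call it as root with the two alias directories from step 2, and pass the Certificate System user and group as the third argument to cover step 5.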
