Red Hat CERTIFICATE SYSTEM 7.0 - MIGRATION GUIDE Manual page 25


The pk12util tool provided by Certificate System cannot extract public/private key pairs
from an HSM because of requirements in the FIPS 140-1 standard which protect the private
key. To extract this information, contact the HSM vendor. The extracted keys should not have
any dependencies, such as nickname prefixes, on the HSM.
2. Copy the extracted key pairs from the 7.x server to the 7.3 server.
cp old_server_root/alias/ServerCert.p12 /var/lib/instance_ID/alias/ServerCert.p12
cp old_server_root/alias/caSigningCert.p12 /var/lib/instance_ID/alias/caSigningCert.p12
cp old_server_root/alias/ocspSigningCert.p12 /var/lib/instance_ID/alias/ocspSigningCert.p12
cp old_server_root/alias/subsystemCert.p12 /var/lib/instance_ID/alias/subsystemCert.p12
3. Open the Certificate System
cd /var/lib/instance_ID/alias/
4. Log in as root.
5. Set the file user and group to the Certificate System user and group.
# chown user:group ServerCert.p12
# chown user:group caSigningCert.p12
# chown user:group ocspSigningCert.p12
# chown user:group subsystemCert.p12
6. Log out as root, and log back into the system as the Certificate System user.
7. Set the file permissions.
chmod 00600 ServerCert.p12
chmod 00600 caSigningCert.p12
chmod 00600 ocspSigningCert.p12
chmod 00600 subsystemCert.p12
8. Import the public/private key pairs of each entry from the PKCS #12 files into the 7.3 security
/alias directory.
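Before the import in step 8, the result of steps 2 through 7 can be checked with a short audit of the four copied PKCS #12 files. This is an added example, not part of the Red Hat guide; the function name audit_p12 is hypothetical and the script assumes GNU stat.

```shell
#!/bin/sh
# Added example: audit the PKCS #12 files copied in step 2 after the
# ownership (step 5) and permission (step 7) changes.
# Usage: audit_p12 /var/lib/instance_ID/alias user:group
# Prints one line per problem and returns the number of problems found.
audit_p12() {
    dir=$1 want_owner=$2 problems=0
    for f in ServerCert.p12 caSigningCert.p12 ocspSigningCert.p12 subsystemCert.p12; do
        path=$dir/$f
        # A symlink would leave the real key file, with its own mode, elsewhere.
        if [ -L "$path" ]; then
            echo "$f: is a symbolic link, expected a regular file"
            problems=$((problems + 1)); continue
        fi
        if [ ! -f "$path" ]; then
            echo "$f: missing"
            problems=$((problems + 1)); continue
        fi
        mode=$(stat -c '%a' "$path")      # octal mode, e.g. 600
        owner=$(stat -c '%U:%G' "$path")  # user:group by name
        if [ "$mode" != 600 ]; then
            echo "$f: mode $mode, expected 600"
            problems=$((problems + 1))
        fi
        if [ "$owner" != "$want_owner" ]; then
            echo "$f: owner $owner, expected $want_owner"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

A return value of 0 means all four files are regular files, owned by the Certificate System user and group, and readable and writable only by that user.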
Option 3: HSM to Security Databases