Data Recovery Manager (Drm) Migration - Red Hat CERTIFICATE SYSTEM 7.0 - MIGRATION GUIDE Manual

rm ServerCert.p12
rm caSigningCert.p12
rm ocspSigningCert.p12
rm subsystemCert.p12
12. Set the trust bits on the public/private key pairs that were imported into the new HSM.
certutil -M -n "new_HSM_slot_name:Server-Cert cert-old_CA_instance" \
    -t "cu,cu,cu" -d . -h new_HSM_token_name
certutil -M -n "new_HSM_slot_name:caSigningCert cert-old_CA_instance" \
    -t "CTu,CTu,CTu" -d . -h new_HSM_token_name
certutil -M -n "new_HSM_slot_name:ocspSigningCert cert-old_CA_instance" \
    -t "CTu,Cu,Cu" -d . -h new_HSM_token_name
certutil -M -n "new_HSM_slot_name:subsystemCert cert-old_CA_instance" \
    -t "cu,cu,cu" -d . -h new_HSM_token_name
13. Open the CS.cfg configuration file in the /var/lib/instance_ID/conf/ directory.
14. Edit the ca.signing.cacertnickname and ca.ocsp_cacertnickname attributes to reflect the 7.3 CA instance.
ca.signing.cacertnickname=new_HSM_slot_name:caSigningCert cert-old_CA_instance
ca.ocsp_signing.cacertnickname=new_HSM_slot_name:ocspSigningCert cert-old_CA_instance
15. If there is CA-DRM connectivity, then also modify the ca.connector.KRA.nickname attribute.
ca.connector.KRA.nickname=new_HSM_slot_name:caSigningCert cert-old_CA_instance
16. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:
new_HSM_slot_name:Server-Cert cert-old_CA_instance
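
A consistency check for steps 13 to 16, as an added example that is not part of the Red Hat guide: it confirms that every nickname edited in CS.cfg and serverCertNick.conf carries the HSM prefix before the instance is started. The function name check_hsm_nicknames is hypothetical, and the check assumes the first line of serverCertNick.conf holds the nickname.

```shell
#!/bin/sh
# Usage: check_hsm_nicknames /var/lib/instance_ID/conf new_HSM_slot_name
# Verifies that the nickname attributes edited in steps 13-16 all have the
# form PREFIX:nickname. A nickname left without the prefix refers to the
# internal software token, not the HSM the keys were imported into.
# Prints one line per check; returns 0 if all pass, 1 otherwise.
check_hsm_nicknames() {
    conf_dir=$1
    prefix=$2
    cfg="$conf_dir/CS.cfg"
    nick="$conf_dir/serverCertNick.conf"
    rc=0

    for f in "$cfg" "$nick"; do
        [ -r "$f" ] || { echo "MISSING   $f"; return 1; }
    done

    # The connector attribute is checked only when it is present, since it
    # applies only when there is CA-DRM connectivity (step 15).
    keys="ca.signing.cacertnickname ca.ocsp_signing.cacertnickname"
    if grep -q '^ca\.connector\.KRA\.nickname=' "$cfg"; then
        keys="$keys ca.connector.KRA.nickname"
    fi

    for key in $keys; do
        # Literal key match; the value is everything after "key=" because
        # nicknames contain spaces.
        value=$(awk -v k="$key=" \
            'index($0, k) == 1 { print substr($0, length(k) + 1); exit }' "$cfg")
        case $value in
            "$prefix":?*) echo "OK        $key=$value" ;;
            "")           echo "UNSET     $key"; rc=1 ;;
            *)            echo "NO PREFIX $key=$value"; rc=1 ;;
        esac
    done

    # Assumption: the first line of serverCertNick.conf is the nickname.
    value=$(head -n 1 "$nick")
    case $value in
        "$prefix":?*) echo "OK        serverCertNick.conf=$value" ;;
        *)            echo "NO PREFIX serverCertNick.conf=$value"; rc=1 ;;
    esac
    return $rc
}
```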

2. Data Recovery Manager (DRM) Migration

