Red Hat CERTIFICATE SYSTEM 7.0 - MIGRATION GUIDE Manual page 36

Chapter 5. Step 4: Migrating Security Databases
key. To extract this information, contact the HSM vendor. The extracted keys should not have
any dependencies, such as nickname prefixes, on the HSM.
2. Copy the extracted key pairs from the 7.x server to the 7.3 server.
cp old_server_root/alias/ServerCert.p12
/var/lib/instance_ID/alias/ServerCert.p12
cp old_server_root/alias/kraStorageCert.p12
/var/lib/instance_ID/alias/kraStorageCert.p12
cp old_server_root/alias/kraTransportCert.p12
/var/lib/instance_ID/alias/kraTransportCert.p12
3. Extract the public key of the CA signing certificate from the 7.x security databases and save
the base-64 encoded output to a file called
a. Open the Certificate Management System 7.x
cd old_server_root/alias
b. Set the
LD_LIBRARY_PATH
LD_LIBRARY_PATH=old_server_root/bin/cert/lib
export LD_LIBRARY_PATH
c. Use the Certificate Management System 7.x
name.
old_server_root/bin/cert/tools/certutil -U -d .
d. Use the Certificate Management System 7.x
the security databases and save the base-64 output to a file.
old_server_root/bin/cert/tools/certutil -L
-n "old_HSM_slot_name:caSigningCert cert-old_DRM_instance"
-d . -h old_HSM_token_name -a > caSigningCert.b64
e. Copy the key information from the 7.x server to the 7.3 server.
cp old_server_root/alias/caSigningCert.b64
/var/lib/instance_ID/alias/caSigningCert.b64
30
caSigningCert.b64
/alias
environment variable to search the Certificate System libraries.
certutil
certutil
.
directory.
tool to identify the old HSM slot
tool to extract the public key from