Option 4: Hsm To Hsm Migration - Red Hat CERTIFICATE SYSTEM 7.0 - MIGRATION GUIDE Manual

2.4. Option 4: HSM to HSM Migration

1. Extract the public/private key pairs from the HSM. The format for the extracted key pairs
should be portable, such as a PKCS #12 file.
The tool provided by Certificate System cannot extract public/private key pairs
pk12util
from an HSM because of requirements in the FIPS 140-1 standard which protect the private
key. To extract this information, contact the HSM vendor. The extracted keys should not have
any dependencies, such as nickname prefixes, on the HSM.
2. Copy the extracted key pairs from the 7.x server to the 7.3 server.
cp old_server_root/alias/ServerCert.p12
/var/lib/instance_ID/alias/ServerCert.p12
cp old_server_root/alias/kraStorageCert.p12
/var/lib/instance_ID/alias/kraStorageCert.p12
cp old_server_root/alias/kraTransportCert.p12
/var/lib/instance_ID/alias/kraTransportCert.p12
3. Extract the public key of the CA signing certificate from the 7.x security databases and save
the base-64 encoded output to a file called
a. Open the Certificate Management System 7.x
cd old_server_root/alias
b. Set the
LD_LIBRARY_PATH
LD_LIBRARY_PATH=old_server_root/bin/cert/lib
export LD_LIBRARY_PATH
c. Use the Certificate Management System 7.x
name.
old_server_root/bin/cert/tools/certutil -U -d .
d. Use the Certificate Management System 7.x
the security databases and save the base-64 output to a file.
old_server_root/bin/cert/tools/certutil -L
-n "old_HSM_slot_name:caSigningCert cert-old_DRM_instance"
-d . -h old_HSM_token_name -a > caSigningCert.b64
caSigningCert.b64
/alias
environment variable to search the Certificate System libraries.
certutil
certutil
Option 4: HSM to HSM Migration
.
directory.
tool to identify the old HSM slot
tool to extract the public key from
33