Table of Contents
Advertisement
Chapter 5. Step 4: Migrating Security Databases
13. O pen the
configuration file in the
CS.cfg
14. E dit the
ocsp.signing.certnickname
ocsp.signing.certnickname=ocspSigningCert cert-old_OCSP_instance
NOTE
The
caSigningCert
15. I n the same directory, edit the
nickname. For example:
Server-Cert cert-old_OCSP_instance
3.4. Option 4: HSM to HSM Migration
1. Extract the public/private key pairs from the HSM. The format for the extracted key pairs
should be portable, such as a PKCS #12 file.
The
tool provided by Certificate System cannot extract public/private key pairs
pk12util
from an HSM because of requirements in the FIPS 140-1 standard which protect the private
key. To extract this information, contact the HSM vendor. The extracted keys should not have
any dependencies, such as nickname prefixes, on the HSM.
2. Copy the extracted key pairs from the 7.x server to the 7.3 server.
cp old_server_root/alias/ServerCert.p12
/var/lib/instance_ID/alias/ServerCert.p12
cp old_server_root/alias/ocspSigningCert.p12
/var/lib/instance_ID/alias/ocspSigningCert.p12
3. Extract the public key of the CA signing certificate from the 7.x security databases and save
the base-64 encoded output to a file called
a. Open the Certificate Management System 7.x
cd old_server_root/alias
44
instance_ID
/var/lib/
attribute to reflect the 7.3 OCSP instance.
is not referenced in the
serverCertNick.conf
caSigningCert.b64
/alias
directory.
/conf/
file.
CS.cfg
file to contain the old certificate
.
directory.
Advertisement
Table of Contents
