Option 3: Hsm To Security Databases Migration - Red Hat CERTIFICATE SYSTEM 7.0 - MIGRATION GUIDE Manual

Chapter 5. Step 4: Migrating Security Databases
and tks_master_key_version_name are set.
NOTE
The caSigningCert is not referenced in the CS.cfg file.

30. In the same directory, edit the serverCertNick.conf file to contain the old certificate
nickname. For example:

new_HSM_slot_name:Server-Cert cert-old_TKS_instance

4.3. Option 3: HSM to Security Databases Migration

1. Extract the public/private key pairs from the HSM. The format for the extracted key pairs
should be portable, such as a PKCS #12 file.
The pk12util tool provided by Certificate System cannot extract public/private key pairs
from an HSM because of requirements in the FIPS 140-1 standard which protect the private
key. To extract this information, contact the HSM vendor. The extracted keys should not have
any dependencies, such as nickname prefixes, on the HSM.
2. Log into the 7.x server as the Certificate System user for that machine.
3. Migrate the master key from the 7.x TKS instance. (Depending on your installation, there may
not be any master key information stored in the 7.x TKS instance.)
a. Open the Certificate System 7.x configuration file.
• If the migration is from Certificate Management System 7.0, open the CMS.cfg in the
config directory.
• If the migration is from Certificate System 7.1, open the CS.cfg file in the Certificate
System config directory.
• If the migration is from Certificate System 7.2, open the CS.cfg file in the Certificate
System /var/lib/instance_ID/conf directory.
b. Write down the exact name-value pair for the
tks.mk_mappings.#tks_master_key_version_number#01=old_HSM_slot_name:tks_master_key_version_name
line. A tks.mk_mappings value looks like the following:

tks.mk_mappings.#02#01=mu:tks_master_key_v2
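
Step 3b as an added example (not part of the Red Hat guide): a Python helper that takes the text of CS.cfg or CMS.cfg and returns every active tks.mk_mappings line verbatim, with the version number, slot name and key name split out, and reports when the instance stores no master key mapping. The function names and the sample configuration are constructed for illustration, and a value without a colon is assumed to carry no slot prefix.

```python
import re

# Key layout from the guide:
#   tks.mk_mappings.#<tks_master_key_version_number>#01=<old_HSM_slot_name>:<key name>
MAPPING_RE = re.compile(r"^tks\.mk_mappings\.#(?P<version>[^#=]+)#01=(?P<value>.*)$")

# Constructed sample configuration text, not taken from a real server.
SAMPLE_CFG = """\
example.unrelated.setting=value
tks.mk_mappings.#02#01=mu:tks_master_key_v2
#tks.mk_mappings.#01#01=mu:tks_master_key_v1
tks.mk_mappings.#03#01=tks_master_key_v3
"""


def find_master_key_mappings(cfg_text):
    """Return a record for every active tks.mk_mappings line in cfg_text."""
    records = []
    for lineno, raw in enumerate(cfg_text.splitlines(), start=1):
        line = raw.strip()
        match = MAPPING_RE.match(line)
        if match is None:  # other settings and commented-out lines
            continue
        head, sep, tail = match.group("value").partition(":")
        records.append({
            "line_number": lineno,
            "exact_pair": line,             # the pair step 3b says to write down
            "version": match.group("version"),
            "slot": head if sep else None,  # assumption: no colon means no slot prefix
            "key_name": tail if sep else head,
        })
    return records


def summarize(cfg_text):
    """One line per mapping, or a single notice when the file stores none."""
    records = find_master_key_mappings(cfg_text)
    if not records:
        return ["no tks.mk_mappings entry found; no master key information in this file"]
    template = "line {line_number}: {exact_pair} (version {version}, slot {slot}, key {key_name})"
    return [template.format(**record) for record in records]


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_CFG)))
```
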