Red Hat CERTIFICATE SYSTEM 7.0 - MIGRATION GUIDE Manual page 63

rm ServerCert.p12
13. S et the trust bits on the public/private key pairs that were imported into the new security
databases.
certutil -M -n "Server-Cert cert-old_TKS_instance" -t "cu,cu,cu" -d .
14. I mport the public keys from the base-64 files, and set the trust bits.
certutil -A -n "caSigningCert cert-old_TKS_instance"
-t "CT,c," -d . -i caSigningCert.b64
certutil -A -n "tksTransportCert cert-old_TKS_instance"
-t "CT,C,C" -d . -i tksTransportCert.b64
15. O ptionally, delete the base-64 files.
rm caSigningCert.b64
rm tksTransportCert.b64
16. I mport the original symmetric transport key into the new security databases.
tksTool -I -d . -n tks_transport_key_name
17. T ype in the original three key session keyshares (as prompted) to recreate the original
transport key in the new security databases.
18. L og in as .
root
19. S et the file user and group to the Certificate System user and group for each
wrapped_tks_master_key_file
20. U nwrap and store all the original master keys into the new security databases.
tksTool -U -d . -t tks_transport_key_name
-n tks_master_key_version_name -i wrapped_tks_master_key_file
Perform this step for each and every file containing a wrapped TKS master key.
21. O pen the configuration file in the
CS.cfg
22. I f server-side keygen has been enabled, edit the
reflect new TKS information.
Option 3: HSM to Security Databases
file.
instance_ID
/var/lib/
tks.drm_transport_cert_nickname
.
/conf/
to
57