Option 4: Hsm To Hsm Migration - Red Hat CERTIFICATE SYSTEM 7.0 - MIGRATION GUIDE Manual

Chapter 5. Step 4: Migrating Security Databases
tks.drm_transport_cert_nickname=tksTransportCert cert-old_TKS_instance
23. I f a master key has been migrated from the 7.x TKS instance, insert the
"tks.mk_mappings.#
tks_master_key_version_name" line at the end of the
values for tks_master_key_version_number, and tks_master_key_version_name.
NOTE
The
caSigningCert
24. I n the same directory, edit the
nickname. For example:
Server-Cert cert-old_TKS_instance

4.4. Option 4: HSM to HSM Migration

1. Extract the public/private key pairs from the HSM. The format for the extracted key pairs
should be portable, such as a PKCS #12 file.
The tool provided by Certificate System cannot extract public/private key pairs
pk12util
from an HSM because of requirements in the FIPS 140-1 standard which protect the private
key. To extract this information, contact the HSM vendor. The extracted keys should not have
any dependencies, such as nickname prefixes, on the HSM.
2. Log into the 7.x server as the Certificate System user for that machine.
3. Migrate the master key from the 7.x TKS instance. (Depending on your installation, there may
not be any master key information stored in the 7.x TKS instance.)
a. Open the Certificate System 7.x configuration file.
• If the migration is from Certificate Management System 7.0, open the
directory.
config
• If the migration is from Certificate System 7.1, open the
System
config
• If the migration is from Certificate System 7.2, open the
System
/var/lib/
b. Write down or note the exact name-value pair for the
58
tks_master_key_version_number
is not referenced in the
serverCertNick.conf
directory.
instance_ID directory.
/conf
#01=internal:
. Be certain to use the proper
CS.cfg
file.
CS.cfg
file to contain the old certificate
CMS.cfg
file in the Certificate
CS.cfg
file in the Certificate
CS.cfg
tks.mk_mappings.#
in the