Red Hat CERTIFICATE SYSTEM 7.0 - MIGRATION GUIDE Manual page 67

11. Register the new HSM in the new token database.
modutil -nocertdb -dbdir . -add new_HSM_token_name -libfile \
    new_HSM_library_path/new_HSM_library
12. Identify the new HSM slot name.
modutil -dbdir . -nocertdb -list
13. Import the public/private key pair from the PKCS #12 file into the new HSM.
pk12util -i ServerCert.p12 -d . -h new_HSM_slot_name
Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
14. Optionally, delete the PKCS #12 file.
rm ServerCert.p12
15. Set the trust bits on the public/private key pair that was imported into the new HSM.
certutil -M -n "new_HSM_slot_name:Server-Cert cert-old_TKS_instance" \
    -t "cu,cu,cu" -d . -h new_HSM_token_name
16. Import the public keys from the base-64 files, and set the trust bits.
certutil -A -n "new_HSM_slot_name:caSigningCert cert-old_TKS_instance" \
    -t "CT,c," -d . -h new_HSM_token_name -i caSigningCert.b64
certutil -A -n "new_HSM_slot_name:tksTransportCert cert-old_TKS_instance" \
    -t "CT,C,C" -d . -h new_HSM_token_name -i tksTransportCert.b64
17. Optionally, delete the base-64 files.
rm caSigningCert.b64
rm tksTransportCert.b64
18. Import the original symmetric transport key into the new HSM.
tksTool -I -d . -h new_HSM_token_name -n tks_transport_key_name
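
Before deleting the PKCS #12 and base-64 files, it is worth confirming that the entries from steps 13 to 16 are on the new HSM with the intended trust. The script below is an added example, not part of the Red Hat guide: it checks a saved certutil -L listing for the three nicknames used above. The function names, the required-flag table and the sample listing are constructed for illustration, and the listing is assumed to carry the trust attributes as the last column.

```shell
#!/bin/sh
# check_trust NICKNAME REQUIRED   (certutil -L listing on stdin)
# REQUIRED is "ssl,email,objsign"; each flag in it must appear in the same
# field of the listed trust attributes. Extra listed flags are accepted.
check_trust() {
    awk -v nick="$1" -v req="$2" '
    $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        name = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)    # drop the trust column
        sub(/^[ \t]+/, "", name)
        if (name != nick) next
        found = 1
        split($NF, have, ","); split(req, want, ",")
        for (f = 1; f <= 3; f++)
            for (i = 1; i <= length(want[f]); i++)
                if (index(have[f], substr(want[f], i, 1)) == 0) bad = 1
    }
    END { exit ((found && !bad) ? 0 : 1) }'
}

# verify_listing FILE: FILE holds saved `certutil -L -d . -h <token>` output.
# Required flags are assumptions drawn from steps 15-16; "u" marks a
# certificate whose private key is present on the token.
verify_listing() {
    rc=0
    while IFS='|' read -r nick req; do
        if check_trust "$nick" "$req" < "$1"; then
            echo "ok      $nick ($req)"
        else
            echo "FAILED  $nick ($req)"; rc=1
        fi
    done <<EOF
new_HSM_slot_name:Server-Cert cert-old_TKS_instance|u,u,u
new_HSM_slot_name:caSigningCert cert-old_TKS_instance|CT,c,
new_HSM_slot_name:tksTransportCert cert-old_TKS_instance|CT,C,C
EOF
    return $rc
}

# Constructed sample listing (not real tool output), laid out like certutil -L.
sample_listing() {
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
new_HSM_slot_name:Server-Cert cert-old_TKS_instance          cu,cu,cu
new_HSM_slot_name:caSigningCert cert-old_TKS_instance        CT,c,
new_HSM_slot_name:tksTransportCert cert-old_TKS_instance     CT,C,C
EOF
}
```

Save the listing with certutil -L -d . -h new_HSM_token_name > listing.txt and run verify_listing listing.txt; a non-zero return means an entry is missing or lacks a required flag.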
Option 4: HSM to HSM Migration