curity databases and save the base-64 encoded output to a file called caSigningCert.b64.
a. Open the old Certificate System alias/ directory.
cd old_server_root/alias
b. Set the LD_LIBRARY_PATH environment variable to search the Certificate System libraries.
LD_LIBRARY_PATH=old_server_root/bin/cert/lib
export LD_LIBRARY_PATH
c. Use the old Certificate System certutil tool to identify the old HSM slot name.
old_server_root/bin/cert/tools/certutil -U -d .
d. Use the old Certificate System certutil tool to extract the public key from the security databases and save the base-64 output to a file.
old_server_root/bin/cert/tools/certutil -L \
    -n "old_HSM_slot_name:caSigningCert cert-old_OCSP_instance" \
    -d . -h old_HSM_token_name -a > caSigningCert.b64
e. Copy the key information from the old server to the new server.
cp old_server_root/alias/caSigningCert.b64 \
    /var/lib/instance_ID/alias/caSigningCert.b64
4. Log into the new server as the Certificate System user, and open the Certificate System alias/ directory.
cd /var/lib/instance_ID/alias/
5. Log in as root, and set the file user and group to the Certificate System user and group.
su
chown user:group ServerCert.p12
chown user:group ocspSigningCert.p12
chown user:group caSigningCert.b64
6. Log out as root. As the Certificate System user, set the file permissions.
chmod 00600 ServerCert.p12
chmod 00600 ocspSigningCert.p12
chmod 00600 caSigningCert.b64
7. Import the public/private key pairs of each entry from the PKCS #12 files into the new security databases.
pk12util -i ServerCert.p12 -d .
Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
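A check that can be run between steps 6 and 7 to confirm the staged files are owned by the Certificate System user, are mode 0600, and that caSigningCert.b64 is not an empty file left behind by a failed certutil redirect. This is an added example, not part of the migration guide; the function name check_staged_files is hypothetical, and the script assumes the certutil -a output carries the usual BEGIN/END CERTIFICATE lines.

```shell
#!/bin/sh
# Added example, not from the migration guide. Verifies the staged files
# before the pk12util import. File names are the ones used in the steps above.
# Usage: sh check_staged.sh /var/lib/instance_ID/alias user group

check_staged_files() {
    dir=$1; user=$2; group=$3; rc=0
    for name in ServerCert.p12 ocspSigningCert.p12 caSigningCert.b64; do
        path=$dir/$name
        # Reject symlinks and anything that is not a regular file.
        if [ -L "$path" ] || [ ! -f "$path" ]; then
            echo "FAIL $name: missing or not a regular file" >&2
            rc=1; continue
        fi
        # Exact mode 0600: no group/other access, no setuid/setgid bits.
        if [ -z "$(find "$path" -prune -perm 600)" ]; then
            echo "FAIL $name: mode is not 0600" >&2; rc=1
        fi
        # Owner and group must be the Certificate System user and group.
        if [ -z "$(find "$path" -prune -user "$user" -group "$group")" ]; then
            echo "FAIL $name: not owned by $user:$group" >&2; rc=1
        fi
    done
    # The shell creates caSigningCert.b64 even when certutil fails, so an
    # empty file is possible. Assumption: certutil -a output carries the
    # usual BEGIN/END CERTIFICATE armor lines.
    cert=$dir/caSigningCert.b64
    if [ ! -s "$cert" ] ||
       ! grep -q -e '^-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null ||
       ! grep -q -e '^-----END CERTIFICATE-----' "$cert" 2>/dev/null; then
        echo "FAIL caSigningCert.b64: empty or not an ASCII certificate" >&2
        rc=1
    fi
    return $rc
}

# Run the check only when called with ALIAS_DIR USER GROUP.
if [ "$#" -eq 3 ]; then
    check_staged_files "$@"
fi
```

The function returns non-zero if any check fails and prints one FAIL line per problem to standard error.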
5.3. 6.1 and 6.2 Online Certificate Status Protocol Manager (OCSP) Databases