Case IV: HSM to HSM Migration - Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE Manual


pk12util -i ocspSigningCert.p12 -d .
Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
8. Optionally, delete the PKCS #12 files.
rm ServerCert.p12
rm ocspSigningCert.p12
9. Set the trust bits on the public/private key pairs that were imported into the new security databases.
certutil -M -n "Server-Cert cert-old_OCSP_instance" -t "cu,cu,cu" -d .
certutil -M -n "ocspSigningCert cert-old_OCSP_instance" -t "cu,cu,cu" -d .
10. Import the public key from the base-64 file, and set the trust bits.
certutil -A -n "caSigningCert cert-old_OCSP_instance" -t "CT,c," -d . -i caSigningCert.b64
11. Optionally, delete the base-64 file.
rm caSigningCert.b64
12. Open the CS.cfg configuration file.
cd /var/lib/instance_ID/conf/
vi CS.cfg
13. Edit the ocsp.signing.certnickname attribute to reflect the new OCSP instance.
ocsp.signing.certnickname=ocspSigningCert cert-old_OCSP_instance
NOTE
The caSigningCert is not referenced in the CS.cfg file.
14. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:
vi serverCertNick.conf
Server-Cert cert-old_OCSP_instance
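
A check for the result of steps 9 through 14, as an added example that is not part of the Red Hat guide: it compares the nicknames in CS.cfg and serverCertNick.conf against a saved `certutil -L -d .` listing and confirms the trust flags set above. The function names, the sample files and the listing layout (nickname, whitespace, trust column, with flags shown exactly as they were set) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the guide: verify the outcome of steps 9-14.
# Assumes `certutil -L -d .` prints "nickname <spaces> trust" per certificate.

# trust_of LISTING NICKNAME: print the trust column for NICKNAME (empty if absent).
# Nicknames contain spaces, so the trust string is the last field on the line.
trust_of() {
    awk -v want="$2" 'NF >= 2 {
        trust = $NF; name = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # strip the trust column
        sub(/^[ \t]+/, "", name)                # strip leading indentation
        if (name == want) { print trust; exit }
    }' "$1"
}

# cfg_value FILE KEY: print the value of a literal KEY=value line.
cfg_value() {
    awk -v key="$2" 'index($0, key "=") == 1 {
        print substr($0, length(key) + 2); exit }' "$1"
}

# expect LISTING NICKNAME FLAGS: succeed only if NICKNAME carries exactly FLAGS.
expect() {
    got=$(trust_of "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "MISMATCH: '$2' trust='${got:-not found}' expected='$3'" >&2
    return 1
}

# check_migration LISTING CS_CFG NICK_CONF CA_NICKNAME: 0 when config and DB agree.
check_migration() {
    rc=0
    expect "$1" "$(head -n 1 "$3")" "cu,cu,cu" || rc=1
    expect "$1" "$(cfg_value "$2" ocsp.signing.certnickname)" "cu,cu,cu" || rc=1
    expect "$1" "$4" "CT,c," || rc=1
    return $rc
}

# Constructed sample data standing in for the real listing and config files.
demo=$(mktemp -d)
cat > "$demo/listing.txt" <<'EOF'
Certificate Nickname                                   Trust Attributes
Server-Cert cert-old_OCSP_instance                     cu,cu,cu
ocspSigningCert cert-old_OCSP_instance                 cu,cu,cu
caSigningCert cert-old_OCSP_instance                   CT,c,
EOF
printf '%s\n' 'ocsp.signing.certnickname=ocspSigningCert cert-old_OCSP_instance' > "$demo/CS.cfg"
printf '%s\n' 'Server-Cert cert-old_OCSP_instance' > "$demo/serverCertNick.conf"
check_migration "$demo/listing.txt" "$demo/CS.cfg" "$demo/serverCertNick.conf" \
    "caSigningCert cert-old_OCSP_instance" && echo "migration check passed"
```

Against a real instance, save the output of `certutil -L -d .` from the new security database directory to a file and pass it as the first argument, with the instance's own CS.cfg and serverCertNick.conf as the second and third.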

5.3.4. Case IV: HSM to HSM Migration

1. Extract the public/private key pairs from the HSM. The format for the extracted key pairs should be portable, such as a PKCS #12 file.
The pk12util tool provided by the Certificate System cannot extract public/private key pairs from an HSM because of requirements in the FIPS 140-1 standard which protect the private key portion of an entry. To extract this information, contact the HSM vendor. The extracted keys should not have any dependencies, such
Chapter 7. Step 4: Migrating Security
