Case IV: HSM to HSM Migration - Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE Manual


certutil -M -n "Server-Cert cert-old_CA_instance" -t "cu,cu,cu" -d .
certutil -M -n "caSigningCert cert-old_CA_instance" -t "CTu,CTu,CTu" -d .
certutil -M -n "ocspSigningCert cert-old_CA_instance" -t "CTu,Cu,Cu" -d .
certutil -M -n "subsystemCert cert-old_CA_instance" -t "cu,cu,cu" -d .
9. Open the CS.cfg configuration file.
cd /var/lib/instance_ID/conf/
vi CS.cfg
10. Edit the ca.signing.cacertnickname and ca.ocsp_signing.cacertnickname attributes to reflect the new subsystem information.
ca.signing.cacertnickname=caSigningCert cert-old_CA_instance
ca.ocsp_signing.cacertnickname=ocspSigningCert cert-old_CA_instance
11. If there is CA-DRM connectivity, then also modify the ca.connector.KRA.nickname attribute.
ca.connector.KRA.nickname=caSigningCert cert-old_CA_instance
12. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:
vi serverCertNick.conf
Server-Cert cert-old_CA_instance
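
A check for the edits in steps 10 to 12, added here as an example and not part of the Red Hat guide: it reads CS.cfg and serverCertNick.conf and reports any nickname that does not match the values shown above. The function names, the "kra" argument and the sample instance name "oldca" are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the guide): verify the nickname edits of steps 10-12.
# Assumption: CS.cfg holds plain key=value lines; if a key repeats, the last wins.

# cfg_value FILE KEY -> prints the value assigned to KEY (empty if absent)
cfg_value() {
    awk -v key="$2" '
        index($0, key "=") == 1 { val = substr($0, length(key) + 2) }
        END { sub(/[ \t\r]+$/, "", val); print val }
    ' "$1"
}

# expect LABEL GOT WANT -> returns 1 and reports on stderr when they differ
expect() {
    [ "$2" = "$3" ] && return 0
    echo "MISMATCH $1: found '$2', expected '$3'" >&2
    return 1
}

# check_nicknames CONF_DIR OLD_INSTANCE [kra]
# Pass "kra" when the CA has a DRM connector (step 11). Returns 0, 1 or 2.
check_nicknames() {
    dir=$1; old="cert-$2"; rc=0
    cfg="$dir/CS.cfg"; nickfile="$dir/serverCertNick.conf"
    [ -r "$cfg" ] && [ -r "$nickfile" ] || { echo "missing config in $dir" >&2; return 2; }
    expect ca.signing.cacertnickname \
        "$(cfg_value "$cfg" ca.signing.cacertnickname)" "caSigningCert $old" || rc=1
    expect ca.ocsp_signing.cacertnickname \
        "$(cfg_value "$cfg" ca.ocsp_signing.cacertnickname)" "ocspSigningCert $old" || rc=1
    if [ "${3:-}" = kra ]; then
        expect ca.connector.KRA.nickname \
            "$(cfg_value "$cfg" ca.connector.KRA.nickname)" "caSigningCert $old" || rc=1
    fi
    # serverCertNick.conf: first non-blank line, trailing whitespace stripped
    nick=$(sed -n '/[^[:space:]]/{s/[[:space:]]*$//;p;q;}' "$nickfile")
    expect serverCertNick.conf "$nick" "Server-Cert $old" || rc=1
    return $rc
}

# Constructed sample input; the instance name "oldca" is made up.
demo() {
    demo_dir=$(mktemp -d) || return 2
    printf '%s\n' 'ca.signing.cacertnickname=caSigningCert cert-oldca' \
        'ca.ocsp_signing.cacertnickname=ocspSigningCert cert-oldca' > "$demo_dir/CS.cfg"
    printf '%s\n' 'Server-Cert cert-oldca' > "$demo_dir/serverCertNick.conf"
    check_nicknames "$demo_dir" oldca; st=$?
    rm -rf "$demo_dir"; return $st
}
```

Run it as check_nicknames /var/lib/instance_ID/conf old_CA_instance, adding kra when step 11 applies; each mismatch is printed to standard error.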

6.1.4. Case IV: HSM to HSM Migration

1. Extract the public/private key pairs from the HSM. The format for the extracted key pairs should be portable, such as a PKCS #12 file.
The pk12util tool provided by the Certificate System cannot extract public/private key pairs from an HSM because of requirements in the FIPS 140-1 standard which protect the private key portion of an entry. To extract this information, contact the HSM vendor. The extracted keys should not have any dependencies, such as nickname prefixes, on the HSM.
2. Copy the extracted public/private key pairs from the old server to the new server.
cp old_server_root/alias/ServerCert.p12 /var/lib/instance_ID/alias/ServerCert.p12
cp old_server_root/alias/caSigningCert.p12 /var/lib/instance_ID/alias/caSigningCert.p12
cp old_server_root/alias/ocspSigningCert.p12 /var/lib/instance_ID/alias/ocspSigningCert.p12
cp old_server_root/alias/subsystemCert.p12 /var/lib/instance_ID/alias/subsystemCert.p12
6.1. 7.0 and 7.1 Certificate Authority (CA) Migration
Chapter 7. Step 4: Migrating Security
