Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE Manual page 143

old_server_root/bin/cert/tools/certutil -L -n "old_HSM_slot_name:caSigningCert cert-old_OCSP_instance" -d . -h old_HSM_token_name -a > caSigningCert.b64
e. Copy the key information from the old server to the new server.
cp old_server_root/alias/caSigningCert.b64 /var/lib/instance_ID/alias/caSigningCert.b64
4. Log into the new server as the Certificate System user, and open the Certificate System alias/ directory.
cd /var/lib/instance_ID/alias/
5. Log in as root, and set the file user and group to the Certificate System user and group.
su
chown user:group ServerCert.p12
chown user:group ocspSigningCert.p12
chown user:group caSigningCert.b64
6. Log out as root. As the Certificate System user, change the permissions on the files.
chmod 00600 ServerCert.p12
chmod 00600 ocspSigningCert.p12
chmod 00600 caSigningCert.b64
7. Register the new HSM in the new token database.
modutil -nocertdb -dbdir . -add new_HSM_token_name -libfile new_HSM_library_path/new_HSM_library
8. Identify the new HSM slot name.
modutil -dbdir . -nocertdb -list
9. Import the public/private key pairs of each entry from the PKCS #12 files into the new HSM.
pk12util -i ServerCert.p12 -d . -h new_HSM_slot_name
Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util -i ocspSigningCert.p12 -d . -h new_HSM_slot_name
Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
10. Optionally, delete the PKCS #12 files.
rm ServerCert.p12
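
A check for steps 5 and 6 that can be run against the alias/ directory before the import in step 9. It is an added example, not part of the Red Hat guide: the function name check_key_files is hypothetical, GNU stat is assumed, and the ASCII export is assumed to carry BEGIN/END CERTIFICATE lines.

```shell
#!/bin/sh
# Added example: audit the migrated key files before importing them into the HSM.
# Usage: check_key_files DIR USER GROUP   (returns 0 only if every check passes)
# Assumes GNU coreutils stat, as shipped with Red Hat Enterprise Linux.

check_key_files() {
    dir=$1; want=$2:$3; rc=0
    for f in ServerCert.p12 ocspSigningCert.p12 caSigningCert.b64; do
        p=$dir/$f
        # Reject symlinks: the import must read the file that was copied here.
        if [ -L "$p" ] || [ ! -f "$p" ]; then
            echo "FAIL $f: missing, a symlink, or not a regular file" >&2
            rc=1; continue
        fi
        # A failed export still leaves an empty file behind the '>' redirect.
        [ -s "$p" ] || { echo "FAIL $f: empty" >&2; rc=1; }
        mode=$(stat -c '%a' "$p")        # octal permission bits
        owner=$(stat -c '%U:%G' "$p")    # owner and group names
        # Step 6 sets 600: private key material readable by its owner only.
        [ "$mode" = 600 ] || { echo "FAIL $f: mode $mode, expected 600" >&2; rc=1; }
        [ "$owner" = "$want" ] || { echo "FAIL $f: owner $owner, expected $want" >&2; rc=1; }
    done
    # The ASCII export must hold a complete certificate block.
    b64=$dir/caSigningCert.b64
    if [ -f "$b64" ]; then
        grep -q '^-----BEGIN CERTIFICATE-----' "$b64" &&
        grep -q '^-----END CERTIFICATE-----' "$b64" ||
            { echo "FAIL caSigningCert.b64: no complete certificate block" >&2; rc=1; }
    fi
    return $rc
}

# Run the audit when called as: script DIR USER GROUP
if [ "$#" -eq 3 ]; then
    check_key_files "$@"
fi
```

A non-zero exit status means at least one file should be fixed before running pk12util.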
Chapter 7. Step 4: Migrating Security
