Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE Manual page 213

exports the key pairs to a PKCS #12 file, and -n gives the name of the certificate and the old database prefix.
pk12util -o ServerCert.p12 -n "Server-Cert cert-ca" -d .
Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL
pk12util -o caSigningCert.p12 -n "caSigningCert cert-ca" -d .
Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL
pk12util -o ocspSigningCert.p12 -n "ocspSigningCert cert-ca" -d .
Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL
NOTE
For this example, the old security databases did not contain any additional public/private key pairs.
8. Delete the old security databases.
rm cert8.db
rm key3.db
9. Register the new HSM in the new token database.
modutil -nocertdb -dbdir . -add "epsilon" -libfile /usr/lib/libepsilon.so
10. Identify the new HSM slot name.
modutil -dbdir . -nocertdb -list
This reveals slots called rho, tau, and phi. The slot called rho is used for the CA.
11. Create new security databases.
certutil -N -d .
12. Import the public/private key pairs of each entry from the PKCS #12 files into the new HSM.
pk12util -i ServerCert.p12 -d . -h rho
Enter Password or Pin for "rho":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util -i caSigningCert.p12 -d . -h rho
Enter Password or Pin for "rho":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util -i ocspSigningCert.p12 -d . -h rho
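
A post-import check for step 12, added here as an example and not taken from the Red Hat guide: it reads a certutil -L -d . -h rho listing and reports any expected nickname that is not on the token. The function names and the sample listing are constructed, and the line format "<token>:<nickname> <trust flags>" is an assumption about the certutil output.

```shell
#!/bin/sh
# Added example (not from the guide). Assumption: certutil lists each token
# certificate as "<token>:<nickname>", padded with spaces, then trust flags.

# missing_on_token TOKEN NICKNAME...
# Reads a `certutil -L -d . -h TOKEN` listing on stdin and prints every
# expected nickname that is absent. Returns 0 only if all are present.
missing_on_token() {
    token=$1; shift
    listing=$(cat)
    missing=0
    for nick in "$@"; do
        found=0
        while IFS= read -r line; do
            case $line in
                # The trailing space forces an exact nickname match, so
                # "cert-ca-old" does not satisfy a check for "cert-ca".
                "$token:$nick "*) found=1; break ;;
            esac
        done <<EOF
$listing
EOF
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$nick"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample listing: the OCSP entry carries a different nickname,
# so the expected "ocspSigningCert cert-ca" is reported as missing.
sample_listing() {
    cat <<'EOF'
Certificate Nickname                         Trust Attributes

rho:Server-Cert cert-ca                      u,u,u
rho:caSigningCert cert-ca                    CTu,Cu,Cu
rho:ocspSigningCert cert-ca-old              u,u,u
EOF
}

# Real use: certutil -L -d . -h rho | missing_on_token rho "Server-Cert cert-ca" ...
sample_listing | missing_on_token rho "Server-Cert cert-ca" \
    "caSigningCert cert-ca" "ocspSigningCert cert-ca" \
    || echo "import incomplete: the nicknames above are not on token rho"
```

Run the check before removing the PKCS #12 files, which still hold the exported key pairs.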
1.4. Step 4: Migrating Security Databases
Certificate System Migration