Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE Manual page 222

databases:
NOTE
For more information on migrating security databases to HSM, see Section 5.2.2, "Case II: Security Databases to
HSM Migration".
Log into server.example.com as the Certificate System user, and do the following:
1. Remove the 7.2 DRM security databases which will receive migrated data.
rm /var/lib/rhpki-kra/alias/cert8.db
rm /var/lib/rhpki-kra/alias/key3.db
2. Copy the certificate and key security databases from the old server to the new server.
cp /usr/netscape/servers/alias/cert-drm-alpha-cert8.db
/var/lib/rhpki-kra/alias/cert8.db
cp /usr/netscape/servers/alias/cert-drm-alpha-key3.db
/var/lib/rhpki-rhpki-kra/alias/key3.db
3. Log into the new server hosting server.example.com as the Certificate System user, and open the Certificate
System alias/ directory.
cd /var/lib/rhpki-kra/alias
4. Log in as root, and set the file user and group to the new server Certificate System user and group.
su
chown pkiuser:pkiuser cert8.db
chown pkiuser:pkiuser key3.db
5. Log out as root. As the Certificate System user, change the permissions on the file.
chmod 00600 cert8.db
chmod 00600 key3.db
6. List the certificates stored in the old security databases by using the certutil command. In this example, -L lists
the certificates.
certutil -L -d .
Server-Cert cert-drm cu,cu,cu
caSigningCert cert-drm cT,c,
kraStorageCert cert-drm u,u,u
kraTransportCert cert-drm u,u,u
7. Export the public/private key pairs of each entry in the Certificate System databases using the pk12util tool; -o
exports the key pairs to a PKCS #12 file, and -n sets the name of the certificate and the old database prefix.
pk12util -o ServerCert.p12 -n "Server-Cert cert-drm" -d .
Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
2.4. Step 4: Migrating Security
Databases
216 Chapter 15. Detailed Example of a