Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE Manual page 36

13. Import the public/private key pairs from the PKCS #12 files into the new HSM.
pk12util -i ServerCert.p12 -d . -h new_HSM_slot_name
Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util -i kraStorageCert.p12 -d . -h new_HSM_slot_name
Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util -i kraTransportCert.p12 -d . -h new_HSM_slot_name
Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
14. Optionally, delete the PKCS #12 files.
rm ServerCert.p12
rm kraStorageCert.p12
rm kraTransportCert.p12
15. Set the trust bits on the public/private key pairs that were imported into the new HSM.
certutil -M -n "new_HSM_slot_name:Server-Cert cert-old_DRM_instance" \
    -t "cu,cu,cu" -d . -h new_HSM_token_name
certutil -M -n "new_HSM_slot_name:kraStorageCert cert-old_DRM_instance" \
    -t "u,u,u" -d . -h new_HSM_token_name
certutil -M -n "new_HSM_slot_name:kraTransportCert cert-old_DRM_instance" \
    -t "u,u,u" -d . -h new_HSM_token_name
16. Import the public key from the base-64 file into the new HSM, and set the trust bits.
certutil -A -n "new_HSM_slot_name:caSigningCert cert-old_DRM_instance" \
    -t "CT,c," -d . -h new_HSM_token_name -i caSigningCert.b64
17. Optionally, delete the base-64 file.
rm caSigningCert.b64
18. Open the CS.cfg configuration file.
cd /var/lib/instance_ID/conf/
vi CS.cfg
19. Modify the kra.storageUnit.nickname and kra.transportUnit.nickname attributes to reflect the new DRM instance.
kra.storageUnit.nickname=new_HSM_slot_name:kraStorageCert cert-old_DRM_instance
kra.transportUnit.nickname=new_HSM_slot_name:kraTransportCert cert-old_DRM_instance
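A consistency check for steps 15 and 19, as an added example that is not part of the Red Hat guide: it confirms that both KRA nicknames in CS.cfg carry the token prefix and are present on the token with the u,u,u trust string set in step 15. The function names and sample files are constructed for illustration, and the listing file is assumed to be saved output of `certutil -L -d . -h new_HSM_token_name`.

```shell
#!/bin/sh
# Added example, not from the guide: cross-check CS.cfg against a token listing.
# LISTING is assumed to be saved output of: certutil -L -d . -h new_HSM_token_name

cfg_value() {       # cfg_value FILE KEY -> value of the first KEY=... line
    awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

listed_trust() {    # listed_trust LISTING NICKNAME -> trust column, empty if absent
    awk -v n="$2" 'index($0, n) == 1 {
        rest = substr($0, length(n) + 1)
        # Accept only "<spaces><flags>" so a longer nickname is not mistaken for n.
        if (rest ~ /^[ \t]+[^ \t]+[ \t]*$/) { gsub(/[ \t]/, "", rest); print rest; exit }
    }' "$1"
}

check_kra_nicknames() {   # check_kra_nicknames CS.cfg TOKEN_PREFIX LISTING
    rc=0
    for key in kra.storageUnit.nickname kra.transportUnit.nickname; do
        nick=$(cfg_value "$1" "$key")
        case "$nick" in
            "$2":*) ;;    # nickname is qualified with the token prefix
            *) echo "$key: '$nick' lacks prefix '$2:'"; rc=1; continue ;;
        esac
        trust=$(listed_trust "$3" "$nick")
        [ "$trust" = "u,u,u" ] ||
            { echo "$key: '$nick' trust '${trust:-not listed}', want u,u,u"; rc=1; }
    done
    return $rc
}

# Constructed sample data using the guide's placeholder names; the transport
# nickname deliberately misses the token prefix to show a failing check.
demo=$(mktemp -d)
cat > "$demo/CS.cfg" <<'EOF'
kra.storageUnit.nickname=new_HSM_slot_name:kraStorageCert cert-old_DRM_instance
kra.transportUnit.nickname=kraTransportCert cert-old_DRM_instance
EOF
cat > "$demo/listing.txt" <<'EOF'
Certificate Nickname                                         Trust Attributes
new_HSM_slot_name:Server-Cert cert-old_DRM_instance          cu,cu,cu
new_HSM_slot_name:kraStorageCert cert-old_DRM_instance       u,u,u
new_HSM_slot_name:kraTransportCert cert-old_DRM_instance     u,u,u
EOF
check_kra_nicknames "$demo/CS.cfg" new_HSM_slot_name "$demo/listing.txt" ||
    echo "CS.cfg does not match the token contents"
```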
2.2. 4.2 Data Recovery Manager (DRM) Migration
Chapter 7. Step 4: Migrating Security
