Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE Manual page 62


Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL
pk12util -o ocspSigningCert.p12 -n "ocspSigningCert cert-old_OCSP_instance" -d .
Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL
NOTE
The old security databases may contain additional public/private key pairs; these can also be extracted using
pk12util.
8. Export the public key using the certutil tool; -L lists the named certificate, -n sets the name of the file and the old prefix, and -a saves the output to a base-64 file.
certutil -L -n "caSigningCert cert-old_OCSP_instance" -d . -a > caSigningCert.b64
NOTE
The old security databases may contain additional public keys; these can also be exported using the certutil
tool.
9. Delete the old security databases.
rm cert7.db
rm cert8.db
rm key3.db
10. Register the new HSM in the new token database.
modutil -nocertdb -dbdir . -add new_HSM_token_name -libfile new_HSM_library_path/new_HSM_library
11. Identify the new HSM slot name.
modutil -dbdir . -nocertdb -list
12. Create new security databases.
certutil -N -d .
13. Import the public/private key pairs of each entry from the PKCS #12 files into the new HSM.
pk12util -i ServerCert.p12 -d . -h new_HSM_slot_name
Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util -i ocspSigningCert.p12 -d . -h new_HSM_slot_name
Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
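
Step 9 deletes the only other copy of the keys, so the export files from the earlier steps are worth checking first. The following is an added example, not part of the original guide: the file names are taken from the commands above, while the function names and the specific checks (non-empty file, no group/other permission bits on the PKCS #12 files, certificate markers in the base-64 file) are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-deletion check for the export files used on this page.
# check_export FILE KIND -> 0 if FILE looks like a usable export.
#   KIND is "p12" (PKCS #12, holds a private key) or "b64" (certutil -a output).
check_export() {
    file=$1 kind=$2
    # Must exist as a regular, non-empty file.
    [ -f "$file" ] && [ -s "$file" ] || { echo "MISSING/EMPTY: $file" >&2; return 1; }
    case $kind in
    p12)
        # Private key material: refuse any group/other permission bits.
        perms=$(ls -ld "$file" | cut -c5-10)
        [ "$perms" = "------" ] || { echo "TOO OPEN ($perms): $file" >&2; return 1; }
        ;;
    b64)
        # Assumption: certutil -a wraps the certificate in these markers.
        grep -q '^-----BEGIN CERTIFICATE-----' "$file" &&
        grep -q '^-----END CERTIFICATE-----' "$file" ||
            { echo "NOT A BASE-64 CERTIFICATE: $file" >&2; return 1; }
        ;;
    *) echo "unknown kind: $kind" >&2; return 2 ;;
    esac
}

# check_all DIR -> 0 only if every export named on this page passes.
check_all() {
    dir=$1 rc=0
    check_export "$dir/ServerCert.p12" p12 || rc=1
    check_export "$dir/ocspSigningCert.p12" p12 || rc=1
    check_export "$dir/caSigningCert.b64" b64 || rc=1
    return $rc
}

# Usage, run in the old database directory before step 9:
#   check_all . && rm cert7.db cert8.db key3.db
```

This only confirms that the files are present and protected on disk; it does not open the PKCS #12 files or validate their contents.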