Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE Manual page 91

6. Log out as root. As the Certificate System user, set the file permissions.
chmod 00600 ServerCert.p12
chmod 00600 ocspSigningCert.p12
chmod 00600 caSigningCert.b64
7. Register the new HSM in the new token database.
modutil -nocertdb -dbdir . -add new_HSM_token_name -libfile
new_HSM_library_path/new_HSM_library
8. Identify the new HSM slot name.
modutil -dbdir . -nocertdb -list
9. Import the public/private key pairs of each entry from the PKCS #12 files into the new HSM.
pk12util -i ServerCert.p12 -d . -h new_HSM_slot_name
Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util -i ocspSigningCert.p12 -d . -h new_HSM_slot_name
Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
10. Optionally, delete the PKCS #12 files.
rm ServerCert.p12
rm ocspSigningCert.p12
11. Set the trust bits on the public/private key pairs that were imported into the new HSM.
certutil -M -n "new_HSM_slot_name:Server-Cert cert-old_OCSP_instance"
-t "cu,cu,cu" -d . -h new_HSM_token_name
certutil -M -n "new_HSM_slot_name:ocspSigningCert cert-old_OCSP_instance"
-t "cu,cu,cu" -d . -h new_HSM_token_name
12. Import the public key from the base-64 file into the new HSM, and set the trust bits.
certutil -A -n "new_HSM_slot_name:caSigningCert cert-old_OCSP_instance"
-t "CT,c," -d . -h new_HSM_token_name -i caSigningCert.b64
13. Optionally, delete the base-64 file.
rm caSigningCert.b64
14. Open the CS.cfg configuration file.
cd /var/lib/instance_ID/conf/
gration
85 Chapter 7. Step 4: Migrating Security