Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE Manual page 97


5. Log out as root. As the Certificate System user, set the file permissions.
chmod 00600 ServerCert.p12
chmod 00600 caSigningCert.p12
chmod 00600 ocspSigningCert.p12
6. Import the public/private key pairs of each entry from the PKCS #12 files into the new security databases.
pk12util -i ServerCert.p12 -d .
Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util -i caSigningCert.p12 -d .
Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util -i ocspSigningCert.p12 -d .
Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
7. Optionally, delete the PKCS #12 files.
rm ServerCert.p12
rm caSigningCert.p12
rm ocspSigningCert.p12
8. Set the trust bits on the public/private key pairs that were imported into the new security databases.
certutil -M -n "Server-Cert cert-old_CA_instance" -t "cu,cu,cu" -d .
certutil -M -n "caSigningCert cert-old_CA_instance" -t "CTu,CTu,CTu" -d .
certutil -M -n "ocspSigningCert cert-old_CA_instance" -t "CTu,Cu,Cu" -d .
9. Open the CS.cfg configuration file.
cd /var/lib/instance_ID/conf/
vi CS.cfg
10. Edit the ca.signing.cacertnickname and ca.ocsp_signing.cacertnickname attributes to reflect the new CA instance.
ca.signing.cacertnickname=caSigningCert cert-old_CA_instance
ca.ocsp_signing.cacertnickname=ocspSigningCert cert-old_CA_instance
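
The shell functions below are an added example, not part of the Red Hat guide: they verify the outcome of steps 5 through 10 against a `certutil -L -d .` listing. The function names and the sample listing are constructed for illustration, and the check assumes the listing shows trust flags in the same form they were passed to `-t`.

```shell
#!/bin/bash
# Added example, not from the guide: verify the results of steps 5-10.
# Step 8 nicknames and trust flags, as given in the procedure.
EXPECTED='Server-Cert cert-old_CA_instance|cu,cu,cu
caSigningCert cert-old_CA_instance|CTu,CTu,CTu
ocspSigningCert cert-old_CA_instance|CTu,Cu,Cu'
# Constructed sample in the layout of `certutil -L -d .` (not real output).
SAMPLE_LISTING='Certificate Nickname                        Trust Attributes

Server-Cert cert-old_CA_instance            cu,cu,cu
caSigningCert cert-old_CA_instance          CTu,CTu,CTu
ocspSigningCert cert-old_CA_instance        CTu,Cu,Cu'

# trust_of LISTING NICKNAME: print the trust column for that nickname.
trust_of() {
  printf '%s\n' "$1" | awk -v nick="$2" '{
    sub(/[ \t]+$/, ""); flags = $NF
    sub(/[ \t]+[^ \t]+$/, ""); if ($0 == nick) print flags }'
}

# check_trust LISTING: 0 only if every step 8 nickname has its expected flags.
check_trust() {
  local rc=0 nick want got
  while IFS='|' read -r nick want; do
    got=$(trust_of "$1" "$nick")
    if [ "$got" != "$want" ]; then
      echo "MISMATCH: $nick is '${got:-missing}', expected '$want'" >&2; rc=1
    fi
  done <<EOF
$EXPECTED
EOF
  return $rc
}

# check_cfg CS_CFG LISTING: 0 only if both step 10 attributes name a
# certificate that exists in the listing.
check_cfg() {
  local rc=0 key val
  for key in ca.signing.cacertnickname ca.ocsp_signing.cacertnickname; do
    val=$(sed -n "s/^$key=//p" "$1")
    if [ -z "$val" ] || [ -z "$(trust_of "$2" "$val")" ]; then
      echo "BAD CONFIG: $key='$val' not in security database" >&2; rc=1
    fi
  done
  return $rc
}

# loose_p12 DIR: list PKCS #12 files left behind with a mode other than 600.
loose_p12() { find "$1" -maxdepth 1 -name '*.p12' ! -perm 600; }
```

On a live instance, pass `"$(certutil -L -d .)"` as the listing and the CS.cfg path from step 9 as the configuration file.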
5.1. 6.1 and 6.2 Certificate Authority (CA) Migration
Databases
