5. Log out as root. As the Certificate System user, set the file permissions.
chmod 00600 ServerCert.p12
chmod 00600 caSigningCert.p12
chmod 00600 ocspSigningCert.p12
6. Import the public/private key pairs of each entry from the PKCS #12 files into the new security databases.
pk12util -i ServerCert.p12 -d .
Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util -i caSigningCert.p12 -d .
Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util -i ocspSigningCert.p12 -d .
Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
7. Optionally, delete the PKCS #12 files.
rm ServerCert.p12
rm caSigningCert.p12
rm ocspSigningCert.p12
8. Set the trust bits on the public/private key pairs that were imported into the new security databases.
certutil -M -n "Server-Cert cert-old_CA_instance" -t "cu,cu,cu" -d .
certutil -M -n "caSigningCert cert-old_CA_instance" -t "CTu,CTu,CTu" -d .
certutil -M -n "ocspSigningCert cert-old_CA_instance" -t "CTu,Cu,Cu" -d .
9. Open the CS.cfg configuration file.
cd /var/lib/instance_ID/conf/
vi CS.cfg
10. Edit the ca.signing.cacertnickname and ca.ocsp_signing.cacertnickname attributes to reflect
the new CA instance.
ca.signing.cacertnickname=caSigningCert cert-old_CA_instance
ca.ocsp_signing.cacertnickname=ocspSigningCert cert-old_CA_instance
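A consistency check for steps 8 and 10, as an added example that is not part of the original guide or of Certificate System: it confirms that each nickname written to CS.cfg appears in a saved `certutil -L -d .` listing with the trust string set in step 8. The function names, the saved listing file and the sample data in demo are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide). Helper names and sample data are hypothetical.

# cfg_value KEY FILE: print the value of KEY=... (nicknames contain spaces).
cfg_value() {
    awk -v k="$1=" 'index($0, k) == 1 { print substr($0, length(k) + 1); exit }' "$2"
}

# listed_trust NICKNAME LISTING: print the trust flags shown for NICKNAME in a
# saved `certutil -L -d .` listing (the flags are the last field on the line).
listed_trust() {
    awk -v n="$1" '{
        flags = $NF; name = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the flags column
        if (name == n) { print flags; exit }
    }' "$2"
}

# check_nickname KEY EXPECTED_TRUST CFG LISTING
# Returns 0 if consistent, 1 if KEY is missing from CS.cfg, 2 if the nickname
# is not in the database listing, 3 if the trust flags differ.
check_nickname() {
    nick=$(cfg_value "$1" "$3");        [ -n "$nick" ]  || return 1
    trust=$(listed_trust "$nick" "$4"); [ -n "$trust" ] || return 2
    [ "$trust" = "$2" ] || return 3
}

# demo: run the check on constructed sample files (not real instance data).
# In this sample the OCSP signing certificate was never imported.
demo() {
    d=$(mktemp -d) || return 99
    printf '%s\n' 'ca.signing.cacertnickname=caSigningCert cert-old_CA_instance' \
        'ca.ocsp_signing.cacertnickname=ocspSigningCert cert-old_CA_instance' > "$d/CS.cfg"
    printf '%s\n' 'Certificate Nickname                     Trust Attributes' '' \
        'Server-Cert cert-old_CA_instance         cu,cu,cu' \
        'caSigningCert cert-old_CA_instance       CTu,CTu,CTu' > "$d/listing.txt"
    rc1=0; rc2=0
    check_nickname ca.signing.cacertnickname 'CTu,CTu,CTu' \
        "$d/CS.cfg" "$d/listing.txt" || rc1=$?
    check_nickname ca.ocsp_signing.cacertnickname 'CTu,Cu,Cu' \
        "$d/CS.cfg" "$d/listing.txt" || rc2=$?
    rm -rf "$d"
    echo "signing=$rc1 ocsp=$rc2"
}
```

Against a real instance, save the listing with `certutil -L -d . > listing.txt` in the database directory and pass that file together with the path to CS.cfg.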
5.1. 6.1 and 6.2 Certificate Authority (CA) Migration
Databases