certutil -M -n "new_HSM_slot_name:Server-Cert cert-old_TPS_instance" -t "cu,cu,cu" -d . -h new_HSM_token_name
18. Import the public keys from the base-64 files into the new HSM, and set the trust bits.
certutil -A -n "new_HSM_slot_name:caSigningCert cert-old_TPS_instance" -t "CT,c," -d . -h new_HSM_token_name -i caSigningCert.b64
19. Optionally, delete the base-64 files.
rm caSigningCert.b64
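Before deleting the base-64 files, the trust bits set in the steps above can be verified against the output of `certutil -L`. The script below is an added example, not part of the original guide; the sample listing is constructed from the guide's placeholder nicknames, and `trust_of` and `check_trust` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample of `certutil -L -d . -h new_HSM_token_name` output
# (placeholder nicknames from the guide; not captured from a real system).
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

new_HSM_slot_name:Server-Cert cert-old_TPS_instance          cu,cu,cu
new_HSM_slot_name:caSigningCert cert-old_TPS_instance        CT,c,
'

# trust_of LISTING NICKNAME -> prints the trust attributes for NICKNAME.
# Nicknames contain spaces, so the flags are read as the last field and the
# nickname as everything before it. Exits 1 if the nickname is not listed.
trust_of() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NF >= 2 {
            flags = $NF
            line = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", line)   # drop the flags column
            sub(/^[ \t]+/, "", line)                # drop leading indent
            if (line == nick) { print flags; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# check_trust LISTING NICKNAME EXPECTED
# Returns 0 if the flags match, 1 if they differ, 2 if the nickname is missing.
check_trust() {
    actual=$(trust_of "$1" "$2") || { echo "MISSING  $2"; return 2; }
    if [ "$actual" = "$3" ]; then
        echo "OK       $2 [$actual]"
    else
        echo "MISMATCH $2: expected [$3], found [$actual]"
        return 1
    fi
}

# On a live system, pass "$(certutil -L -d . -h new_HSM_token_name)" instead
# of SAMPLE_LISTING.
check_trust "$SAMPLE_LISTING" "new_HSM_slot_name:Server-Cert cert-old_TPS_instance" "cu,cu,cu"
check_trust "$SAMPLE_LISTING" "new_HSM_slot_name:caSigningCert cert-old_TPS_instance" "CT,c,"
```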
8.2.3. Option 3: HSM to Security Databases Migration
1. Extract the public/private key pairs from the HSM. The format for the extracted key pairs should be
portable, such as a PKCS #12 file.
WARNING
Changing either the instance name or the fully-qualified domain name is not
supported for migration. The fully-qualified domain name of the host machine for the
new instance must be the same as the fully-qualified domain name of the original
instance. Likewise, the new instance name must also be the same as the original
instance name.
The instance and domain information has to be the same for both instances because
the certificate and key material — among other instance and database information —
has to be the same.
The pk12util tool provided by Certificate System cannot extract public/private key pairs from an
HSM because of requirements in the FIPS 140-1 standard which protect the private key. To extract
this information, contact the HSM vendor. The extracted keys should not have any dependencies,
such as nickname prefixes, on the HSM.
2. Log into the 7.x server as the Certificate System user for that machine.
3. Copy the extracted public/private key pairs from the 7.x server to the 8.0 server.
cp old_server_root/alias/ServerCert.p12 /var/lib/new_TPS_instance/alias/ServerCert.p12
4. Extract the public key of "old_HSM_slot_name:caSigningCert cert-old_TPS_instance"
from the 7.x security databases and save the base-64 encoded output to a file called
caSigningCert.b64.
a. Open the Certificate System 7.x alias/ directory.
cd old_server_root/alias
b. Set the LD_LIBRARY_PATH environment variable to search the Certificate System libraries.
LD_LIBRARY_PATH=old_server_root/bin/cert/lib
export LD_LIBRARY_PATH