Red Hat SYSTEM 8.0 - MIGRATION GUIDE 7.X TO 8.0 Manual page 120

Chapter 8. Migrating a TPS Instance to 8.0
c. Use the Certificate System 7.x certutil tool to identify the old HSM slot name.
old_server_root/bin/cert/tools/certutil -U -d .
d. Use the Certificate System 7.x certutil tool to extract the public key of the following entries
from the security databases and save each base-64 output to a separate file.
old_server_root/bin/cert/tools/certutil -L -n "old_HSM_slot_name:caSigningCert
cert-old_TPS_instance" -d . -h old_HSM_token_name -a > caSigningCert.b64
e. Copy the key data from the 7.x server to the 8.0 server.
cp old_server_root/alias/caSigningCert.b64 /var/lib/new_TPS_instance/alias/
caSigningCert.b64
5. Log into the new server as the Certificate System user, and open the Certificate System alias/
directory.
cd /var/lib/new_TPS_instance/alias/
6. Log in as root.
7. Set the file user and group to the Certificate System user and group. By default, the user and
group are pkiuser. For example:
# chown pkiuser:pkiuser ServerCert.p12
# chown pkiuser:pkiuser caSigningCert.b64
8. Log out as root. As the Certificate System user, change the permissions on the files.
chmod 00600 ServerCert.p12
chmod 00600 caSigningCert.b64
9. Import the public/private key pair from the PKCS #12 file into the new security databases.
pk12util -i ServerCert.p12 -d .
Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
10. Optionally, delete the PKCS #12 file:
rm ServerCert.p12
11. Set the trust bits on the public/private key pairs that were imported into the new security
databases.
certutil -M -n "Server-Cert cert-old_TPS_instance" -t "cu,cu,cu" -d .
110