Option 2: Security Databases To Hsm Migration - Red Hat SYSTEM 8.0 - MIGRATION GUIDE 7.X TO 8.0 Manual

10. Edit the ca.signing.cacertnickname and ca.ocsp_signing.cacertnickaname
attributes to reflect the 8.0 CA instance.
ca.signing.cacertnickname=caSigningCert cert-old_CA_instance
ca.ocsp_signing.cacertnickname=ocspSigningCert cert-old_CA_instance
11. If there is CA-DRM connectivity, then also modify the ca.connector.KRA.nickname attribute.
ca.connector.KRA.nickname=caSigningCert cert-old_CA_instance
12. In the same directory, edit the serverCertNick.conf file to contain the old certificate
nickname. For example:
Server-Cert cert-old_CA_instance

3.2.2. Option 2: Security Databases to HSM Migration

1. Remove all the security databases in the Certificate System 8.0 which will receive migrated data.
rm /var/lib/new_CA_instance/alias/cert8.db
rm /var/lib/new_CA_instance/alias/key3.db
2. Copy the certificate and key security databases from the 7.x server to the 8.0 server.
cp old_server_root/alias/cert-old_instance-cert8.db /var/lib/new_CA_instance/alias/
cert8.db
cp old_server_root/alias/cert-old_instance-key3.db /var/lib/new_CA_instance/alias/key3.db
WARNING
Changing either the instance name or the fully-qualified domain name is not
supported for migration. The fully-qualified domain name of the host machine for the
new instance must be the same as the fully-qualified domain name of the original
instance. Likewise, the new instance name must also be the same as the original
instance name.
The instance and domain information has to be the same for both instances because
the certificate and key material — among other instance and database information —
has to be the same.
3. Open the Certificate System /alias directory.
cd /var/lib/new_CA_instance/alias/
4. Log in as root.
5. Set the file user and group to the Certificate System user and group.
# chown user:group cert8.db
Option 2: Security Databases to HSM Migration
19