Red Hat SYSTEM 8.0 - MIGRATION GUIDE 7.X TO 8.0 Manual page 57

11. Delete the 7.x security databases.
rm cert8.db
rm key3.db
12. Register the new HSM in the 8.0 token database.
modutil -nocertdb -dbdir . -add new_HSM_token_name -libfile new_HSM_library_path/
new_HSM_library
13. Identify the new HSM slot name.
modutil -dbdir . -nocertdb -list
14. Create new security databases.
certutil -N -d .
15. Import the public/private key pairs of each entry from the PKCS #12 files into the new HSM.
pk12util -i ServerCert.p12 -d . -h
Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util -i kraStorageCert.p12 -d . -h
Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util -i kraTransportCert.p12 -d . -h
Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
16. Optionally, delete the PKCS #12 files.
rm ServerCert.p12
rm kraStorageCert.p12
rm kraTransportCert.p12
17. Set the trust bits on the public/private key pairs that were imported into the new HSM.
certutil -M -n "new_HSM_slot_name:Server-Cert cert-old_DRM_instance" -t "cu,cu,cu" -d . -
h new_HSM_token_name
certutil -M -n "new_HSM_slot_name:kraStorageCert cert-old_DRM_instance" -t "u,u,u" -d . -
h new_HSM_token_name
certutil -M -n "new_HSM_slot_name:kraTransportCert cert-old_DRM_instance" -t "u,u,u" -d .
-h new_HSM_token_name
Option 2: Security Databases to HSM Migration
new_HSM_slot_name
new_HSM_slot_name
new_HSM_slot_name
47