Red Hat SYSTEM 8.0 - MIGRATION GUIDE 7.X TO 8.0 Manual page 81

The instance and domain information has to be the same for both instances because
the certificate and key material — among other instance and database information —
has to be the same.
The pk12util tool provided by Certificate System cannot extract public/private key pairs from an
HSM because of requirements in the FIPS 140-1 standard which protect the private key. To extract
this information, contact the HSM vendor. The extracted keys should not have any dependencies,
such as nickname prefixes, on the HSM.
2. Copy the extracted key pairs from the 7.x server to the 8.0 server.
cp old_server_root/alias/ServerCert.p12 /var/lib/new_OCSP_instance/alias/ServerCert.p12
cp old_server_root/alias/ocspSigningCert.p12 /var/lib/new_OCSP_instance/alias/
ocspSigningCert.p12
3. Extract the public key of the CA signing certificate from the 7.x security databases and save the
base-64 encoded output to a file called caSigningCert.b64.
a. Open the Certificate Management System 7.x /alias directory.
cd old_server_root/alias
b. Set the LD_LIBRARY_PATH environment variable to search the Certificate System libraries.
LD_LIBRARY_PATH=old_server_root/bin/cert/lib
export LD_LIBRARY_PATH
c. Use the Certificate Management System 7.x certutil tool to identify the old HSM slot name.
old_server_root/bin/cert/tools/certutil -U -d .
d. Use the Certificate Management System 7.x certutil tool to extract the public key from the
security databases and save the base-64 output to a file.
old_server_root/bin/cert/tools/certutil -L -n "old_HSM_slot_name:caSigningCert
cert-old_OCSP_instance" -d . -h old_HSM_token_name -a > caSigningCert.b64
e. Copy the key information from the 7.x server to the 8.0 server.
cp old_server_root/alias/caSigningCert.b64 /var/lib/new_OCSP_instance/alias/
caSigningCert.b64
4. Open the Certificate System /alias directory.
cd /var/lib/new_OCSP_instance/alias/
5. Log in as root.
Option 4: HSM to HSM Migration
71