15.1.4. Step 4: Migrating Security Databases
Do the following to migrate the Certificate Management System 6.1 CA subsystem security databases to the Certificate System 7.3 HSM:
For more detailed information on migrating the 6.1 CA subsystem, refer to Section 7.5.1.2, “Case II: Security Databases to HSM Migration”.
Remove the 7.3 CA security databases which will receive migrated data.
rm /var/lib/rhpki-ca/alias/cert8.db
rm /var/lib/rhpki-ca/alias/key3.db
Copy the certificate and key security databases from the old server to the new server.
cp /usr/netscape/servers/alias/cert-ca-alpha-cert8.db /var/lib/rhpki-ca/alias/cert8.db
cp /usr/netscape/servers/alias/cert-ca-alpha-key3.db /var/lib/rhpki-ca/alias/key3.db
Log into the new server hosting server.example.com as the Certificate System user, and open the Certificate System alias/ directory.
cd /var/lib/rhpki-ca/alias
Log in as root, and set the file user and group to the new server Certificate System user and group.
su
chown pkiuser:pkiuser cert8.db
chown pkiuser:pkiuser key3.db
Log out as root. As the Certificate System user, change the permissions on the files.
chmod 00600 cert8.db
chmod 00600 key3.db
List the certificates stored in the old security databases by using the certutil command. In this example, -L lists the certificates.
certutil -L -d .

Server-Cert cert-ca                cu,cu,cu
caSigningCert cert-ca              cu,cu,cu
ocspSigningCert cert-ca            CTu,Cu,Cu
Export the public/private key pairs of each entry in the Certificate System databases using the pk12util tool; -o exports the key pairs to a PKCS #12 file, and -n gives the name of the certificate and the old database prefix.
pk12util -o ServerCert.p12 -n "Server-Cert cert-ca" -d .
Enter Password or Pin for "NSS Certificate DB": ********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL

pk12util -o caSigningCert.p12 -n "caSigningCert cert-ca" -d .
Enter Password or Pin for "NSS Certificate DB": ********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL

pk12util -o ocspSigningCert.p12 -n "ocspSigningCert cert-ca" -d .
Enter Password or Pin for "NSS Certificate DB": ********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL
For this example, the old security databases did not contain any additional public/private key pairs.
Delete the old security databases.
rm cert8.db
rm key3.db
Register the new HSM in the new token database.
modutil -nocertdb -dbdir . -add "epsilon" -libfile /usr/lib/libepsilon.so
Identify the new HSM slot name.
modutil -dbdir . -nocertdb -list
This reveals slots called rho, tau, and phi. The slot called rho is used for the CA.
Create new security databases.
certutil -N -d .
Import the public/private key pairs of each entry from the PKCS #12 files into the new HSM.
pk12util -i ServerCert.p12 -d . -h rho
Enter Password or Pin for "rho": ********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i caSigningCert.p12 -d . -h rho
Enter Password or Pin for "rho": ********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i ocspSigningCert.p12 -d . -h rho
Enter Password or Pin for "rho": ********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
Optionally, delete the PKCS #12 files.
rm ServerCert.p12
rm caSigningCert.p12
rm ocspSigningCert.p12
Set the trust bits on the public/private key pairs that were imported into the new HSM.
certutil -M -n "rho:Server-Cert cert-ca" -t "cu,cu,cu" -d . -h epsilon
certutil -M -n "rho:caSigningCert cert-ca" -t "CTu,CTu,CTu" -d . -h epsilon
certutil -M -n "rho:ocspSigningCert cert-ca" -t "CTu,Cu,Cu" -d . -h epsilon
Open the CS.cfg configuration file.
cd /var/lib/rhpki-ca/conf/
vi CS.cfg
Edit the ca.signing.cacertnickname and ca.ocsp_signing.cacertnickname attributes to reflect the new CA information.
ca.signing.cacertnickname=rho:caSigningCert cert-ca
ca.ocsp_signing.cacertnickname=rho:ocspSigningCert cert-ca
Since there is CA-DRM connectivity, also modify the ca.connector.KRA.nickname attribute.
ca.connector.KRA.nickname=rho:caSigningCert cert-ca
In the same directory, edit the serverCertNick.conf file so that it contains the old server certificate nickname, prefixed with the HSM slot name. For example:
vi serverCertNick.conf

rho:Server-Cert cert-ca
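After the steps above, a practitioner will want to confirm that the instance is in the state the procedure describes before restarting the CA. The following POSIX shell script is an added example, not part of Certificate System or of this guide: it checks that cert8.db and key3.db are present with mode 0600 and the expected owner, that no exported PKCS #12 bundles (which carry private keys) were left in alias/, and that the nickname attributes in CS.cfg and serverCertNick.conf all point at the HSM slot. The alias/ and conf/ paths, the slot name rho and the owner are passed as arguments; the fixture it builds under a temporary directory is constructed for the demonstration and stands in for a real instance.

```shell
#!/bin/sh
# Post-migration sanity check for a CA instance whose NSS databases were
# migrated to an HSM. Hypothetical helper (not part of Certificate System).

# check_migration ALIAS_DIR CONF_DIR SLOT OWNER
# Returns 0 when every check passes, 1 otherwise; prints one line per failure.
check_migration() {
    alias_dir=$1; conf_dir=$2; slot=$3; owner=$4
    rc=0
    for db in cert8.db key3.db; do
        f="$alias_dir/$db"
        if [ ! -f "$f" ]; then
            echo "FAIL: $f is missing"; rc=1; continue
        fi
        # the databases must be mode 0600 and belong to the Certificate System user
        if [ -z "$(find "$f" -perm 600 -user "$owner")" ]; then
            echo "FAIL: $f is not mode 0600 owned by $owner"; rc=1
        fi
    done
    # exported PKCS #12 bundles contain private keys; none should remain
    leftovers=$(find "$alias_dir" -maxdepth 1 -name '*.p12')
    if [ -n "$leftovers" ]; then
        echo "FAIL: PKCS #12 files still present: $leftovers"; rc=1
    fi
    # each nickname attribute in CS.cfg must carry the HSM slot prefix
    for key in ca.signing.cacertnickname ca.ocsp_signing.cacertnickname; do
        val=$(sed -n "s/^$key=//p" "$conf_dir/CS.cfg")
        case "$val" in
            "$slot:"*) ;;
            *) echo "FAIL: $key='$val' does not use slot $slot"; rc=1 ;;
        esac
    done
    # serverCertNick.conf holds the SSL server certificate nickname
    nick=$(head -n 1 "$conf_dir/serverCertNick.conf")
    case "$nick" in
        "$slot:"*) ;;
        *) echo "FAIL: serverCertNick.conf='$nick' does not use slot $slot"; rc=1 ;;
    esac
    return $rc
}

# make_fixture ROOT: constructed stand-in for /var/lib/rhpki-ca after migration
make_fixture() {
    root=$1
    mkdir -p "$root/alias" "$root/conf"
    : > "$root/alias/cert8.db"
    : > "$root/alias/key3.db"
    chmod 0600 "$root/alias/cert8.db" "$root/alias/key3.db"
    cat > "$root/conf/CS.cfg" <<'EOF'
ca.signing.cacertnickname=rho:caSigningCert cert-ca
ca.ocsp_signing.cacertnickname=rho:ocspSigningCert cert-ca
ca.connector.KRA.nickname=rho:caSigningCert cert-ca
EOF
    echo "rho:Server-Cert cert-ca" > "$root/conf/serverCertNick.conf"
}

# Demonstration on the constructed fixture, owned by the current user.
demo=$(mktemp -d)
make_fixture "$demo"
check_migration "$demo/alias" "$demo/conf" rho "$(id -un)" && echo "migration checks passed"
```

On a real instance, run it as root with the instance paths and the Certificate System user, for example `check_migration /var/lib/rhpki-ca/alias /var/lib/rhpki-ca/conf rho pkiuser`; a non-zero exit with the printed FAIL lines tells you which step of the procedure to revisit.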