15.1.5. Step 5: Migrating Password Cache Data
To migrate the CA password cache data from the 6.1 pwdcache.db and password.conf files to the 7.3 password.conf file, do the following:
For more detailed instructions on migrating the password files, refer to Section 8.3, “Migrating 6.0, 6.1, 6.2, 7.0, and 7.1 Password Cache Data”.
Log into the old server hosting alpha.example.com as the Certificate System user.
Use the PasswordCache tool on the old Certificate System to extract the password information from the CA database.
cd /usr/netscape/servers/cert-ca/config/
/usr/netscape/servers/bin/cert/tools/PasswordCache password -d /usr/netscape/servers/alias -P cert-ca-alpha- list
cert/key prefix = cert-ca-alpha-
path = /usr/netscape/servers/alias
about to read password cache
----- Password Cache Content -----
internal : diamond
Internal LDAP Database : diamond
The passwords are displayed in clear text; write down this information.
This example server also uses the password.conf file to start the old CA instance automatically on alpha.example.com. Copy the password.conf file to server.example.com, overwriting the default password.conf file.
cp /usr/netscape/servers/cert-ca/config/password.conf /var/lib/rhpki-ca/conf/password.conf
Log into the new server hosting server.example.com as the Certificate System user, and open the CA subsystem conf/ directory.
cd /var/lib/rhpki-ca/conf/
Log in as root, and set the file user and group to the new server Certificate System user and group.
su
chown pkiuser:pkiuser password.conf
Log out as root. As the Certificate System user, change the permissions on the file.
chmod 00600 password.conf
Copy the passwords extracted from the old server pwdcache.db into the password.conf file.
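Once the passwords are in place, the result of the steps above can be checked without displaying the clear-text values again. The following is an added example, not part of the original guide or the Certificate System tools: the function name check_password_conf is hypothetical, and the tag=password layout with the tag names internal and internaldb is an assumption, since this page does not show the 7.3 password.conf entry format.

```shell
#!/bin/sh
# Added example: post-migration check of the new CA's password.conf.
# Assumption: entries are "tag=password" lines and the migrated tags are
# "internal" and "internaldb" (key names are not shown on this page).

# check_password_conf FILE OWNER
# Returns 0 when FILE is owned by OWNER, has mode 600 and holds a non-empty
# value for each required tag. Never prints the password values themselves.
check_password_conf() {
    file=$1
    owner=$2
    rc=0

    if [ ! -f "$file" ]; then
        echo "missing: $file" >&2
        return 1
    fi

    # GNU stat (Linux): octal mode and owning user name.
    mode=$(stat -c '%a' "$file")
    user=$(stat -c '%U' "$file")

    if [ "$mode" != "600" ]; then
        echo "mode is $mode, expected 600" >&2
        rc=1
    fi
    if [ "$user" != "$owner" ]; then
        echo "owner is $user, expected $owner" >&2
        rc=1
    fi

    for tag in internal internaldb; do
        # Require "tag=" followed by at least one character.
        if ! grep -q "^${tag}=." "$file"; then
            echo "no value for tag: $tag" >&2
            rc=1
        fi
    done

    return $rc
}

# Usage on the new server, as in the steps above:
#   check_password_conf /var/lib/rhpki-ca/conf/password.conf pkiuser
```

A non-zero return means at least one of the ownership, permission, or entry checks failed; the reason is written to standard error.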