Remove the 7.3 OCSP security databases which will receive migrated data.

rm /var/lib/rhpki-ocsp/alias/cert8.db

rm /var/lib/rhpki-ocsp/alias/key3.db

Copy the certificate and key security databases from the old server to the new server.

cp /usr/netscape/servers/alias/cert-ocsp-alpha-cert8.db 
/var/lib/rhpki-ocsp/alias/cert8.db

cp /usr/netscape/servers/alias/cert-ocsp-alpha-key3.db 
/var/lib/rhpki-ocsp/alias/key3.db

Log into the new server, server.example.com, as the Certificate System user, and open the Certificate System alias/ directory.

cd /var/lib/rhpki-ocsp/alias

Log in as root, and set the file user and group to the new server Certificate System user and group.

su

chown pkiuser:pkiuser cert8.db

chown pkiuser:pkiuser key3.db

Log out as root. As the Certificate System user, change the permissions on the file.

chmod 00600 cert8.db

chmod 00600 key3.db

List the certificates stored in the old security databases by using the certutil command. In this example, -L lists the certificates.

certutil -L -d .

Server-Cert cert-ocsp cu,cu,cu
caSigningCert cert-ocsp CT,c,
ocspSigningCert cert-ocsp cu,cu,cu

Export the public/private key pairs of each entry in the Certificate System databases using the pk12util tool; -o exports the key pairs to a PKCS #12 file, and -n gives the name of the certificate and the old database prefix.

pk12util -o ServerCert.p12 -n "Server-Cert cert-ocsp" -d .

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL

pk12util -o ocspSigningCert.p12 -n "ocspSigningCert cert-ocsp" -d .

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL

Export the public key using the certutil tool; -L lists the certificate, -n sets the name of the file and the old prefix, and -a outputs the information to a base-64 file.

certutil -L -n "caSigningCert cert-ocsp" -d . -a > caSigningCert.b64

Delete the old security databases.

rm cert8.db

rm key3.db

Register the new HSM in the new token database.

modutil -nocertdb -dbdir . -add "epsilon" -libfile /usr/lib/libepsilon.so

Identify the new HSM slot name.

modutil -dbdir . -nocertdb -list

This lists the slots rho, tau, and phi. The phi slot is used for the OCSP.

Create new security databases.

certutil -N -d .

Import the public/private key pairs of each entry from the PKCS #12 files into the new HSM.

pk12util -i ServerCert.p12 -d . -h phi

Enter Password or Pin for "phi":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i ocspSigningCert.p12 -d . -h phi

Enter Password or Pin for "phi":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

Optionally, delete the PKCS #12 files.

rm ServerCert.p12

rm ocspSigningCert.p12

Set the trust bits on the public/private key pairs that were imported into the new HSM.

certutil -M -n "phi:Server-Cert cert-ocsp" -t "cu,cu,cu" -d . -h epsilon

certutil -M -n "phi:ocspSigningCert cert-ocsp" -t "cu,cu,cu" -d . -h epsilon

Import the public key from the base-64 file into the new HSM, and set the trust bits.

certutil -A -n "phi:caSigningCert cert-ocsp" -t "CT,c," 
-d . -h epsilon -i caSigningCert.b64

Optionally, delete the base-64 file.

rm caSigningCert.b64

Open the CS.cfg configuration file.

cd /var/lib/rhpki-ocsp/conf

vi CS.cfg

Edit the ocsp.signing.certnickname attribute to reflect the new OCSP information.

ocsp.signing.certnickname=phi:ocspSigningCert cert-ocsp

In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:

vi serverCertNick.conf

phi:Server-Cert cert-ocsp