Remove all the security databases in the new Certificate System which will receive migrated data.

rm /var/lib/instance_ID/alias/cert8.db
rm /var/lib/instance_ID/alias/key3.db

Copy the certificate and key security databases from the old server to the new server.

cp old_server_root/cert-old_CA_instance/config/cert-old_CA_instance-cert7.db /var/lib/instance_ID/alias/cert7.db

cp old_server_root/cert-old_CA_instance/config/cert-old_CA_instance-key3.db 
/var/lib/instance_ID/alias/key3.db

As the Certificate System user account, open the new Certificate System's alias/ directory.

cd /var/lib/instance_ID/alias/

Log in as root, and set the file user and group to the user and group as whom the Certificate System runs.

su
chown user:group cert7.db
chown user:group key3.db

Log out as root. As the Certificate System user, set the permissions on the security database files.

chmod 00600 cert7.db
chmod 00600 key3.db

Use the certutil tool to list all of the old Certificate Management System certificates. In this example, -L lists the certificates, and -X forces them to be read/write.

certutil -L -X -d .

Server-Cert cert-old_CA_instance cu,cu,cu 
caSigningCert cert-old_CA_instance cu,cu,cu

Export the public/private key pairs of each entry in the Certificate System databases using the pk12util tool; -o exports the key pairs to a PKCS #12 file, and -n sets the name of the certificate and the old database prefix.

pk12util -o ServerCert.p12 -n "Server-Cert cert-old_CA_instance" -d .

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL

pk12util -o caSigningCert.p12 -n "caSigningCert cert-old_CA_instance" -d .

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL

Remove the security databases from the alias/ directory.

rm cert7.db
rm cert8.db
rm key3.db

Register the new HSM in the new token database.

modutil -nocertdb -dbdir . -add new_HSM_token_name
 -libfile new_HSM_library_path/new_HSM_library

Identify the new HSM slot name.

modutil -dbdir . -nocertdb -list

Create new security databases.

certutil -N -d .

Import the public/private key pairs for each entry from the PKCS #12 files into the new HSM; -i imports the specified file, and -h sets the name for the new HSM.

pk12util -i ServerCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i caSigningCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

Optionally, delete the PKCS #12 files from the alias/ directory.

rm ServerCert.p12

rm caSigningCert.p12

Set the trust bits on the public/private key pairs that were imported into the new HSM; -t sets the trust.

certutil -M -n "new_HSM_slot_nameServer-Cert cert-old_CA_instance" -t "cu,cu,cu" 
-d . -h new_HSM_token_name

certutil -M -n "new_HSM_slot_name:caSigningCert cert-old_CA_instance" 
-t "CTu,CTu,CTu" -d . -h new_HSM_token_name

Open the CS.cfg configuration file in the new CA instance directory.

cd /var/lib/instance_ID/conf/

vi CS.cfg

Modify the value for the ca.signing.cacertnickname and ca.ocsp_signing.cacertnickname attributes to reflect the new HSM information.

ca.signing.cacertnickname=
 new_HSM_slot_name:caSigningCert cert-old_CA_instance

ca.ocsp_signing.cacertnickname=
 new_HSM_slot_name:caSigningCert cert-old_CA_instance

In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:

vi serverCertNick.confnew_HSM_slot_name:Server-Cert cert-old_CA_instance