7.1.3. Case III: HSM to Security Databases Migration

7.1.3. Case III: HSM to Security Databases Migration

  1. Extract the public/private key pairs from the HSM. The format for the extracted key pairs should be portable, such as a PKCS #12 file.

    The pk12util tool provided by the Certificate System cannot extract public/private key pairs from an HSM because of requirements in the FIPS 140-1 standard which protect the private key portion of an entry. To extract this information, contact the HSM vendor for more information. The extracted keys should not have any dependencies, such as nickname prefixes, on the HSM.

  2. Copy this PKCS #12 file from the old server to the new server. 

    cp old_server_root/cert-old_CA_instance/config/ServerCert.p12 
/var/lib/instance_ID/alias/ServerCert.p12

cp old_server_root/cert-old_CA_instance/config/caSigningCert.p12 
/var/lib/instance_ID/alias/caSigningCert.p12

  3. Log into the new server machine as the Certificate System user account. Open the new server alias/ directory. 

    cd /var/lib/instance_ID/alias/

  4. Log in as root and change the file user and group to the Certificate System user and group. 

    su

chown user:group ServerCert.p12

chown user:group caSigningCert.p12

  5. Log out as root. As the regular Certificate System user, change the permissions on the key pair files. 

    chmod 00600 ServerCert.p12

chmod 00600 caSigningCert.p12

  6. Import the public/private key pairs from the PKCS #12 files into the security databases; -i imports the designated file. 

    pk12util -i ServerCert.p12 -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i caSigningCert.p12 -d .

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

  7. Optionally, delete the PKCS #12 files from the alias/ directory. 

    rm ServerCert.p12

rm caSigningCert.p12

  8. Set the trust bits on the public/private key pairs that were imported into the new security databases; -t sets the trust. 

    certutil -M -n "Server-Cert cert-old_CA_instance" -t "cu,cu,cu" -d . 

certutil -M -n "caSigningCert cert-old_CA_instance" -t "CTu,CTu,CTu" -d .

  9. Open the new CA instance's CS.cfg file. 

    cd /var/lib/instance_ID/conf/

vi CS.cfg

  10. Edit the ca.signing.cacertnickname and ca.ocsp_signing.cacertnickname attributes to reflect the new CA instance directory. 

    ca.signing.cacertnickname=
 caSigningCert cert-old_CA_instance
ca.ocsp_signing.cacertnickname=
 caSigningCert cert-old_CA_instance

  11. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example: 

    vi serverCertNick.conf

Server-Cert cert-old_CA_instance