7.3.1.1. Case I: Security Databases to Security Databases Migration

  1. Remove all the security databases in the new Certificate System which will receive migrated data.

    rm /var/lib/instance_ID/alias/cert8.db
    
    rm /var/lib/instance_ID/alias/key3.db

  2. Copy the certificate and key security databases from the old server to the new server.

    cp old_server_root/cert-old_CA_instance/config/cert-old_CA_instance-cert7.db \
        /var/lib/instance_ID/alias/cert7.db
    
    cp old_server_root/cert-old_CA_instance/config/cert-old_CA_instance-key3.db \
        /var/lib/instance_ID/alias/key3.db
    

  3. Log into the new Certificate System server as the Certificate System user, and open the alias/ directory.

    cd /var/lib/instance_ID/alias/
    

  4. Log in as root, and set the file user and group to the Certificate System user and group.

    su
    
    chown user:group cert7.db
    
    chown user:group key3.db
    

  5. Log out as root. As the Certificate System user, set the file permissions on the certificate and key databases.

    chmod 00600 cert7.db
    
    chmod 00600 key3.db
    

  6. Use the certutil tool to list all of the old certificates. In this example, -L lists the certificates, and -X forces the database to be opened read/write.

    certutil -L -X -d . 
    
    Server-Cert cert-old_CA_instance cu,cu,cu 
    caSigningCert cert-old_CA_instance cu,cu,cu 
    ocspSigningCert cert-old_CA_instance CTu,Cu,Cu
    

    NOTE

    The certificate database is automatically converted from cert7.db to cert8.db.

  7. Remove the cert7.db database from the alias/ directory.

    rm cert7.db
    

  8. Open the CS.cfg configuration file.

    cd /var/lib/instance_ID/conf/
    
    vi CS.cfg
    

  9. Edit the ca.signing.cacertnickname and ca.ocsp_signing.cacertnickname attributes to reflect the new CA information.

    ca.signing.cacertnickname=caSigningCert cert-old_CA_instance
    ca.ocsp_signing.cacertnickname=ocspSigningCert cert-old_CA_instance
    
  10. If there is CA-DRM connectivity, then also edit the ca.connector.KRA.nickname attribute to reflect the new CA certificate information.

    ca.connector.KRA.nickname=caSigningCert cert-old_CA_instance

  11. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:

    vi serverCertNick.conf
    
    Server-Cert cert-old_CA_instance
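A post-migration check for the procedure above, written here as an added example (it is not part of the Red Hat Certificate System documentation). It assumes the alias/ layout, file ownership and CS.cfg keys from steps 4 through 11, takes the certutil -L listing as text so it runs without certutil, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Certificate System documentation. Verifies that the
# migrated alias/ directory and the edited configuration agree with each other.

# Strip the trust-attribute column from each "certutil -L" line, leaving the nickname.
# Nicknames contain spaces ("caSigningCert cert-old_CA_instance"), so only the final
# whitespace-separated token (e.g. "cu,cu,cu") is removed.
listing_nicknames() {
    printf '%s\n' "$1" | sed -e '/^[[:space:]]*$/d' -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]\{1,\}[^[:space:]]\{1,\}[[:space:]]*$//'
}

# Nicknames CS.cfg points at after steps 9 and 10 (the values after '=').
cfg_nicknames() {
    printf '%s\n' "$1" | awk -F= '$1 == "ca.signing.cacertnickname" ||
        $1 == "ca.ocsp_signing.cacertnickname" ||
        $1 == "ca.connector.KRA.nickname" { print $2 }'
}

# Return 0 when every nickname referenced by CS.cfg and serverCertNick.conf exists in
# the listing; otherwise report each missing nickname and return 1.
# $1 = certutil -L output, $2 = CS.cfg text, $3 = serverCertNick.conf text
check_nicknames() {
    have=$(listing_nicknames "$1")
    refs=$(cfg_nicknames "$2"; printf '%s\n' "$3" | sed '/^[[:space:]]*$/d')
    rc=0
    while IFS= read -r want; do
        if [ -n "$want" ] && ! printf '%s\n' "$have" | grep -qxF -- "$want"; then
            echo "nickname not in certificate database: $want" >&2
            rc=1
        fi
    done <<EOF
$refs
EOF
    return $rc
}

# Verify steps 4, 5 and 7: cert7.db removed, cert8.db and key3.db present with mode
# 0600 and owned by the Certificate System user and group (names or numeric ids).
check_db_files() {
    dir=$1; user=$2; group=$3; rc=0
    if [ -e "$dir/cert7.db" ]; then echo "cert7.db still present in $dir" >&2; rc=1; fi
    for f in cert8.db key3.db; do
        if [ ! -f "$dir/$f" ]; then
            echo "$f missing from $dir" >&2; rc=1
        elif [ -z "$(find "$dir/$f" -perm 0600 -user "$user" -group "$group")" ]; then
            echo "$f: expected mode 0600 owned by $user:$group" >&2; rc=1
        fi
    done
    return $rc
}
```

Run it as the Certificate System user after step 11, e.g. `check_nicknames "$(certutil -L -d /var/lib/instance_ID/alias)" "$(cat CS.cfg)" "$(cat serverCertNick.conf)"`, and `check_db_files /var/lib/instance_ID/alias user group`.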