Extract the public/private key pairs from the HSM. The format for the extracted key pairs should be portable, such as a PKCS #12 file.

The pk12util tool provided by the Certificate System cannot extract public/private key pairs from an HSM because of requirements in the FIPS 140-1 standard which protect the private key portion of an entry. To extract this information, contact the HSM vendor for more information. The extracted keys should not have any dependencies, such as nickname prefixes, on the HSM.

Copy the extracted public/private key pairs from the old server to the new server.

cp old_server_root/alias/ServerCert.p12 
/var/lib/instance_ID/alias/ServerCert.p12

cp old_server_root/alias/caSigningCert.p12 
/var/lib/instance_ID/alias/caSigningCert.p12

cp old_server_root/alias/ocspSigningCert.p12 
/var/lib/instance_ID/alias/ocspSigningCert.p12

cp old_server_root/alias/subsystemCert.p12
 /var/lib/instance_ID/alias/subsystemCert.p12

Log into the new server as the Certificate System user, and open the Certificate System alias/ directory.

cd /var/lib/instance_ID/alias/

Log in as root, and set the file user and group to the Certificate System user and group.

su

chown user:group ServerCert.p12

chown user:group caSigningCert.p12

chown user:group ocspSigningCert.p12

chown user:group subsystemCert.p12

Log out as root. As the Certificate System user, set the file permissions.

chmod 00600 ServerCert.p12

chmod 00600 caSigningCert.p12

chmod 00600 ocspSigningCert.p12

chmod 00600 subsystemCert.p12

Register the new HSM in the new token database.

modutil -nocertdb -dbdir . -add new_HSM_token_name -libfile new_HSM_library_path/new_HSM_library

Identify the new HSM slot name.

modutil -dbdir . -nocertdb -list

Import the public/private key pairs of each entry from the PKCS #12 files into the new HSM.

pk12util -i ServerCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i caSigningCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i ocspSigningCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i subsystemCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

Optionally, delete the PKCS #12 files.

rm ServerCert.p12

rm caSigningCert.p12

rm ocspSigningCert.p12

rm subsystemCert.p12

Set the trust bits on the public/private key pairs that were imported into the new HSM.

certutil -M -n "new_HSM_slot_name:Server-Cert cert-old_CA_instance" 
-t "cu,cu,cu" -d . -h new_HSM_token_name

certutil -M -n "new_HSM_slot_name:caSigningCert cert-old_CA_instance" 
-t "CTu,CTu,CTu" -d . -h new_HSM_token_name

certutil -M -n "new_HSM_slot_name:ocspSigningCert cert-old_CA_instance" 
-t "CTu,Cu,Cu" -d . -h new_HSM_token_name

certutil -M -n "new_HSM_slot_name:subsystemCert cert-old_CA_instance" 
-t "cu,cu,cu" -d . -h new_HSM_token_name"

Open the CS.cfg configuration file.

cd /var/lib/instance_ID/conf/

vi CS.cfg

Edit the ca.signing.cacertnickname and ca.ocsp_signing.cacertnickname attributes to reflect the new subsystem information.

ca.signing.cacertnickname=
 new_HSM_slot_name:caSigningCert cert-old_CA_instance
ca.ocsp_signing.cacertnickname=
 new_HSM_slot_name:ocspSigningCert cert-old_CA_instance

If there is CA-DRM connectivity, then also modify the ca.connector.KRA.nickname attribute.

ca.connector.KRA.nickname=new_HSM_slot_name:caSigningCert cert-old_CA_instance

In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:

vi serverCertNick.confnew_HSM_slot_name:Server-Cert cert-old_CA_instance