Remove all the security databases in the new Certificate System which will receive migrated data.

rm /var/lib/instance_ID/alias/cert8.db

rm /var/lib/instance_ID/alias/key3.db

Copy the certificate and key security databases from the old server to the new server.

cp old_server_root/alias/cert-old_DRM_instance-cert8.db 
/var/lib/instance_ID/alias/cert8.db

cp old_server_root/alias/cert-old_DRM_instance-key3.db 
/var/lib/instance_ID/alias/key3.db

Log into the new server as the Certificate System user, and open the Certificate System alias/ directory.

cd /var/lib/instance_ID/alias/

Log in as root, and set the file user and group to the Certificate System user and group.

su

chown user:group cert8.db

chown user:group key3.db

Log out as root. As the Certificate System user, set the file permissions.

chmod 00600 cert8.db

chmod 00600 key3.db

List the certificates in the old security databases by using the certutil tool. In this example, -L lists the certificates.

certutil -L -d . 

Server-Cert cert-old_DRM_instance cu,cu,cu 
caSigningCert cert-old_DRM_instance CT,c, 
kraStorageCert cert-old_DRM_instance u,u,u 
kraTransportCert cert-old_DRM_instance u,u,u

Open the CS.cfg configuration file.

cd /var/lib/instance_ID/conf/

vi CS.cfg

Edit the kra.storageUnit.nickname and kra.transportUnit.nickname attribute to reflect the new DRM instance.

kra.storageUnit.nickname=
 kraStorageCert cert-old_DRM_instance
kra.transportUnit.nickname=
 kraTransportCert cert-old_DRM_instance

In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:

vi serverCertNick.conf

Server-Cert cert-old_DRM_instance