Extract the public/private key pairs from the HSM. The format for the extracted key pairs should be portable, such as a PKCS #12 file.

The pk12util tool provided by the Certificate System cannot extract public/private key pairs from an HSM because of requirements in the FIPS 140-1 standard which protect the private key portion of an entry. To extract this information, contact the HSM vendor for more information. The extracted keys should not have any dependencies, such as nickname prefixes, on the HSM.

Copy the extracted public/private key pairs from the old server to the new server.

cp old_server_root/alias/ServerCert.p12 
/var/lib/instance_ID/alias/ServerCert.p12

cp old_server_root/alias/kraStorageCert.p12 
/var/lib/instance_ID/alias/kraStorageCert.p12

cp old_server_root/alias/kraTransportCert.p12 
/var/lib/instance_ID/alias/kraTransportCert.p12

Extract the public key of the old_HSM_slot_name:caSigningCert cert-old_DRM_instance from the old security databases and save the base-64 encoded output to a file called caSigningCert.b64:

cd old_server_root/alias

Set the LD_LIBRARY_PATH environment variable to search the Certificate System libraries.

LD_LIBRARY_PATH=old_server_root/bin/cert/lib

export LD_LIBRARY_PATH

Use the old Certificate System certutil tool to identify the old HSM slot name:

old_server_root/bin/cert/tools/certutil -U -d .

Use the old certutil tool to extract the public key from the security databases and save the base-64 output to a file:

old_server_root/bin/cert/tools/certutil -L
 -n "old_HSM_slot_name:caSigningCert cert-old_DRM_instance"
 -d . -h old_HSM_token_name -a > caSigningCert.b64

Copy the key information from the old server to the new server.

cp old_server_root/alias/caSigningCert.b64 
/var/lib/instance_ID/alias/caSigningCert.b64

Log into the new server as the Certificate System user, and open the Certificate System alias/ directory.

cd /var/lib/instance_ID/alias/

Log in as root, and set the file user and group to the Certificate System user and group.

su

chown user:group ServerCert.p12

chown user:group kraStorageCert.p12

chown user:group kraTransportCert.p12

chown user:group caSigningCert.b64

Log out as root. As the Certificate System user, change the permissions on the files.

chmod 00600 ServerCert.p12

chmod 00600 kraStorageCert.p12

chmod 00600 kraTransportCert.p12

chmod 00600 caSigningCert.b64

Import the public/private key pairs of each entry from the PKCS #12 files into the new security databases.

pk12util -i ServerCert.p12 -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i kraStorageCert.p12 -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i kraTransportCert.p12 -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

Optionally, delete the PKCS #12 files.

rm ServerCert.p12

rm kraStorageCert.p12

rm kraTransportCert.p12

Set the trust bits on the public/private key pairs that were imported into the new security databases.

certutil -M -n "Server-Cert cert-old_DRM_instance" 
-t "cu,cu,cu" -d .

certutil -M -n "kraStorageCert cert-old_DRM_instance" 
-t "u,u,u" -d .

certutil -M -n "kraTransportCert cert-old_DRM_instance" 
-t "u,u,u" -d . 

Import the public key from the base-64 file, and set the trust bits.

certutil -A -n "caSigningCert cert-old_DRM_instance"
 -t "CT,c," -d . -i caSigningCert.b64

Optionally, delete the base-64 file.

rm caSigningCert.b64

Open the CS.cfg configuration file.

cd /var/lib/instance_ID/conf

Edit the kra.storageUnit.nickname and kra.transportUnit.nickname attributes to reflect the new subsystem information.

kra.storageUnit.nickname=
 kraStorageCert cert-old_DRM_instance
kra.transportUnit.nickname=
 kraTransportCert cert-old_DRM_instance

In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:

vi serverCertNick.conf

Server-Cert cert-old_DRM_instance