7.5.3.4. Case IV: HSM to HSM Migration

  1. Extract the public/private key pairs from the HSM. The format for the extracted key pairs should be portable, such as a PKCS #12 file.

    The pk12util tool provided by the Certificate System cannot extract public/private key pairs from an HSM, because the FIPS 140-1 standard requires the private key portion of an entry to remain protected inside the module. To extract this information, contact the HSM vendor. The extracted keys should not have any dependencies on the old HSM, such as nickname prefixes.

  2. Copy the extracted key pairs from the old server to the new server.

    cp old_server_root/alias/ServerCert.p12 /var/lib/instance_ID/alias/ServerCert.p12

    cp old_server_root/alias/ocspSigningCert.p12 /var/lib/instance_ID/alias/ocspSigningCert.p12


  3. Extract the public key of the old_HSM_slot_name:caSigningCert cert-old_OCSP_instance certificate from the old security databases and save the base-64 encoded output to a file called caSigningCert.b64.

    1. Open the old Certificate System alias/ directory.

      cd old_server_root/alias
      

    2. Set the LD_LIBRARY_PATH environment variable to search the Certificate System libraries.

      LD_LIBRARY_PATH=old_server_root/bin/cert/lib
      
      export LD_LIBRARY_PATH
      

    3. Use the old Certificate System certutil tool to identify the old HSM slot name.

      old_server_root/bin/cert/tools/certutil -U -d .
      

    4. Use the old Certificate System certutil tool to extract the public key from the security databases and save the base-64 output to a file.

      old_server_root/bin/cert/tools/certutil -L -n "old_HSM_slot_name:caSigningCert cert-old_OCSP_instance" \
        -d . -h old_HSM_token_name -a > caSigningCert.b64


    5. Copy the key information from the old server to the new server.

      cp old_server_root/alias/caSigningCert.b64 /var/lib/instance_ID/alias/caSigningCert.b64


  4. Log into the new server as the Certificate System user, and open the Certificate System alias/ directory.

    cd /var/lib/instance_ID/alias/
    

  5. Log in as root, and set the owner and group of the copied files to the Certificate System user and group.

    su
    
    chown user:group ServerCert.p12
    
    chown user:group ocspSigningCert.p12
    
    chown user:group caSigningCert.b64

  6. Log out as root. As the Certificate System user, set the file permissions so that only that user can read the key material.

    chmod 00600 ServerCert.p12
    
    chmod 00600 ocspSigningCert.p12
    
    chmod 00600 caSigningCert.b64
    

  7. Register the new HSM in the new token database.

    modutil -nocertdb -dbdir . -add new_HSM_token_name -libfile new_HSM_library_path/new_HSM_library

  8. Identify the new HSM slot name.

    modutil -dbdir . -nocertdb -list
    

  9. Import the public/private key pairs of each entry from the PKCS #12 files into the new HSM.

    pk12util -i ServerCert.p12 -d . -h new_HSM_slot_name
    
    Enter Password or Pin for "new_HSM_slot_name":********
    Enter password for PKCS12 file: ********
    pk12util: PKCS12 IMPORT SUCCESSFUL
    
    pk12util -i ocspSigningCert.p12 -d . -h new_HSM_slot_name
    
    Enter Password or Pin for "new_HSM_slot_name":********
    Enter password for PKCS12 file: ********
    pk12util: PKCS12 IMPORT SUCCESSFUL
    

  10. Optionally, delete the PKCS #12 files.

    rm ServerCert.p12
    
    rm ocspSigningCert.p12
    

  11. Set the trust bits on the certificates of the public/private key pairs that were imported into the new HSM.

    certutil -M -n "new_HSM_slot_name:Server-Cert cert-old_OCSP_instance" \
      -t "cu,cu,cu" -d . -h new_HSM_token_name

    certutil -M -n "new_HSM_slot_name:ocspSigningCert cert-old_OCSP_instance" \
      -t "cu,cu,cu" -d . -h new_HSM_token_name

  12. Import the public key from the base-64 file into the new HSM, and set the trust bits. The -a option tells certutil that the input file is base-64 encoded rather than binary DER.

    certutil -A -a -n "new_HSM_slot_name:caSigningCert cert-old_OCSP_instance" \
      -t "CT,c," -d . -h new_HSM_token_name -i caSigningCert.b64


  13. Optionally, delete the base-64 file.

    rm caSigningCert.b64
    

  14. Open the CS.cfg configuration file.

    cd /var/lib/instance_ID/conf
    

  15. Edit the ocsp.signing.certnickname attribute so that the nickname is prefixed with the new HSM slot name.

    ocsp.signing.certnickname=new_HSM_slot_name:ocspSigningCert cert-old_OCSP_instance

    NOTE

    The caSigningCert is not referenced in the CS.cfg file, so no CS.cfg entry needs to be changed for it.

  16. In the same directory, edit the serverCertNick.conf file to contain the old server certificate nickname, prefixed with the new HSM slot name. For example:

    vi serverCertNick.conf

    new_HSM_slot_name:Server-Cert cert-old_OCSP_instance
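The new-server side of this procedure (steps 4 through 16) is easy to get subtly wrong: a key file left world-readable, a trust attribute that did not take, or a CS.cfg nickname that no longer matches what the token holds. The script below is an added example, not part of the Red Hat Certificate System documentation, that wraps those steps in functions with checks after each one. The placeholder values (instance name pki-ocsp, user and group pkiuser) are constructed; the token, slot and instance names are the same placeholders the page uses. The chown of step 5 is left to the root shell as the page describes. It assumes a Linux host with find, awk and sed, and that certutil, pk12util and modutil are on the PATH; those tools are only invoked by migrate_new_server, which runs only when MIGRATE_RUN=1 is set, so the helper functions can be exercised without an HSM.

```shell
#!/bin/sh
# Added example: helpers for the new-server half of an HSM to HSM migration.
# Placeholder values are constructed; override them from the environment.
INSTANCE_ID="${INSTANCE_ID:-pki-ocsp}"                      # constructed
NEW_HSM_TOKEN="${NEW_HSM_TOKEN:-new_HSM_token_name}"        # page placeholder
NEW_HSM_SLOT="${NEW_HSM_SLOT:-new_HSM_slot_name}"           # page placeholder
OLD_OCSP_INSTANCE="${OLD_OCSP_INSTANCE:-old_OCSP_instance}" # page placeholder
ALIAS_DIR="/var/lib/$INSTANCE_ID/alias"
CONF_DIR="/var/lib/$INSTANCE_ID/conf"

# Step 6: a key file must exist with mode exactly 0600 (find -perm without a
# leading '-' matches the permission bits exactly). Returns 0 when it does.
is_private_mode() {
    [ -f "$1" ] && [ -n "$(find "$1" -prune -perm 0600 2>/dev/null)" ]
}

# Apply the page's chmod 00600 and confirm it took effect.
lock_down() {
    chmod 00600 "$1" && is_private_mode "$1"
}

# Parse `certutil -L` output on stdin and print the trust attributes for one
# nickname. Nicknames contain spaces, so the trailing trust column is stripped
# and the remainder compared exactly. Exit status 1 if the nickname is absent.
cert_trust() {
    awk -v nick="$1" '
        NF >= 2 {
            t = $NF; line = $0
            sub(/[ \t]+[^ \t]+$/, "", line)
            if (line == nick) { print t; found = 1 }
        }
        END { exit (found ? 0 : 1) }'
}

# Steps 15 and 16: set key=value in a CS.cfg-style file, replacing an existing
# line or appending when the key is absent. A temp file keeps this portable
# across sed implementations; '|' is the delimiter because nicknames contain
# ':' and spaces but never '|'.
set_cfg_key() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^$key=" "$file"; then
        sed "s|^$key=.*|$key=$value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
    grep -qx "$key=$value" "$file"
}

# Steps 4 and 6 through 16, stopping at the first failed check.
migrate_new_server() {
    cd "$ALIAS_DIR" || return 1
    for f in ServerCert.p12 ocspSigningCert.p12 caSigningCert.b64; do
        lock_down "$f" || { echo "permissions not set on $f" >&2; return 1; }
    done
    # Steps 9, 11 and 12: import the key pairs, set trust, add the CA cert.
    pk12util -i ServerCert.p12 -d . -h "$NEW_HSM_SLOT" || return 1
    pk12util -i ocspSigningCert.p12 -d . -h "$NEW_HSM_SLOT" || return 1
    for nick in "Server-Cert cert-$OLD_OCSP_INSTANCE" "ocspSigningCert cert-$OLD_OCSP_INSTANCE"; do
        certutil -M -n "$NEW_HSM_SLOT:$nick" -t "cu,cu,cu" -d . -h "$NEW_HSM_TOKEN" || return 1
    done
    certutil -A -a -n "$NEW_HSM_SLOT:caSigningCert cert-$OLD_OCSP_INSTANCE" -t "CT,c," \
        -d . -h "$NEW_HSM_TOKEN" -i caSigningCert.b64 || return 1
    # Read back the trust the token actually recorded before editing CS.cfg.
    ocsp_nick="$NEW_HSM_SLOT:ocspSigningCert cert-$OLD_OCSP_INSTANCE"
    trust=$(certutil -L -d . -h "$NEW_HSM_TOKEN" | cert_trust "$ocsp_nick") || return 1
    [ "$trust" = "cu,cu,cu" ] || { echo "unexpected trust '$trust' on $ocsp_nick" >&2; return 1; }
    # Steps 15 and 16: point the instance at the migrated nicknames.
    set_cfg_key "$CONF_DIR/CS.cfg" ocsp.signing.certnickname "$ocsp_nick" || return 1
    printf '%s\n' "$NEW_HSM_SLOT:Server-Cert cert-$OLD_OCSP_INSTANCE" > "$CONF_DIR/serverCertNick.conf"
}

if [ "${MIGRATE_RUN:-0}" = 1 ]; then
    migrate_new_server
fi
```

Run it as the Certificate System user with `MIGRATE_RUN=1 INSTANCE_ID=... sh migrate.sh` after the files have been copied and chowned; the pk12util and certutil calls still prompt for the token PIN and PKCS #12 password exactly as in the page. The read-back through cert_trust is the check worth keeping even if the rest is done by hand: CS.cfg should only be edited once the token really reports the expected trust for the OCSP signing nickname.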