7.2. Certificate Management System 4.2

7.2. Certificate Management System 4.2

There are two subsystems that can be migrated from Certificate Management System 4.2 to a later version of the Certificate System: the Certificate Authority (CA) subsystem and the Data Recovery Manager (DRM) subsystem. Each subsystem has different migration procedures.

7.2.1. 4.2 Certificate Authority (CA) Migration

Determine if the Certificate Authority (CA) being migrated uses security databases, HSM, or both. There are four possible migration scenarios; follow the appropriate process for the deployment scenario being migrated.

7.2.1.1. Case I: Security Databases to Security Databases Migration

  1. Remove all the security databases in the new Certificate System which will receive migrated data. 

    rm /var/lib/instance_ID/alias/cert8.db

rm /var/lib/instance_ID/alias/key3.db

  2. Copy the certificate and key security databases from the old server to the new server. 

    cp old_server_root/cert-old_CA_instance/config/cert-old_CA_instance-cert7.db 
/var/lib/instance_ID/alias/cert7.db

cp old_server_root/cert-old_CA_instance/config/cert-old_CA_instance-key3.db 
/var/lib/instance_ID/alias/key3.db

  3. Log into the new server machine as the Certificate System user account. Open the new Certificate System's alias/ directory. 

    cd /var/lib/instance_ID/alias/

  4. Log in as root, and set the file owner to the Certificate System user and group. 

    su

chown user:group cert7.db

chown user:group key3.db

  5. Log out as root. As the Certificate System user, set the file permissions for the security databases. 

    chmod 00600 cert7.db

chmod 00600 key3.db

  6. Use the certutil tool to list all of the old Certificate Management System certificates. In this example, -L lists the certificates, and -X forces them to be read/write. 

    certutil -L -X -d . 

Server-Cert cert-old_CA_instance cu,cu,cu 
caSigningCert cert-old_CA_instance cu,cu,cu

    NOTE

    The certificate database is automatically converted from cert7.db to cert8.db.

  7. Remove the old cert7.db file. 

    rm cert7.db

  8. Open the CS.cfg configuration file in the CA instance directory. 

    cd /var/lib/instance_ID/conf/

vi CS.cfg

  9. Modify the values for the ca.signing.cacertnickname and ca.ocsp_signing.cacertnickname attributes to reflect the new CA instance prefix. 

    ca.signing.cacertnickname=
 caSigningCert cert-old_CA_instance	
ca.ocsp_signing.cacertnickname=
 caSigningCert cert-old_CA_instance

  10. If there is CA-DRM connectivity, then also modify the value of the ca.connector.KRA.nickname attribute. 

    ca.connector.KRA.nickname=caSigningCert cert-old_CA_instance

  11. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example: 

    vi serverCertNick.conf

Server-Cert cert-old_CA_instance

7.2.1.2. Case II: Security Databases to HSM Migration

  1. Remove all the security databases in the new Certificate System which will receive migrated data. 

    rm /var/lib/instance_ID/alias/cert8.db

rm /var/lib/instance_ID/alias/key3.db

  2. Copy the certificate and key security databases from the old server to the new server. 

    cp old_server_root/cert-old_CA_instance/config/cert-old_CA_instance-cert7.db 
/var/lib/instance_ID/alias/cert7.db

cp old_server_root/cert-old_CA_instance/config/cert-old_CA_instance-key3.db 
/var/lib/instance_ID/alias/key3.db

  3. Log into the new server as the Certificate System user, and open the new Certificate System alias/ directory. 

    cd /var/lib/instance_ID/alias/

  4. Log in as root, and set the file owner to the Certificate System user and group. 

    su

chown user:group cert7.db

chown user:group key3.db

  5. Log out as root. As the Certificate System user, edit the file permissions on the security databases. 

    chmod 00600 cert7.db

chmod 00600 key3.db

  6. Use the certutil tool to list all of the old Certificate Management System certificates. In this example, -L lists the certificates, and -X forces them to be read/write. 

    certutil -L -X -d .

Server-Cert cert-old_CA_instance cu,cu,cu 
caSigningCert cert-old_CA_instance cu,cu,cu

    NOTE

    The certificate database is automatically converted from cert7.db to cert8.db.

  7. Export the public/private key pairs of each entry in the old security databases; -o exports the key pairs, and -n sets the name of the file to which to export them. 

    pk12util -o ServerCert.p12 -n "Server-Cert cert-old_CA_instance" -d .

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL

pk12util -o caSigningCert.p12 -n "caSigningCert cert-old_CA_instance" -d .

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL

    NOTE

    The old security databases may contain additional public/private key pairs; these may also need to be exported using pk12util.

  8. Remove the old security databases from the alias/ directory. 

    rm cert7.db

rm cert8.db

rm key3.db

  9. Register the new HSM in the new token database. 

    modutil -nocertdb -dbdir . -add new_HSM_token_name -libfile 
new_HSM_library_path/new_HSM_library

  10. Identify the new HSM slot name. 

    modutil -dbdir . -nocertdb -list

  11. Create new security databases. 

    certutil -N -d .

  12. Import the public/private key pairs in the PKCS #12 files into the new HSM. 

    pk12util -i ServerCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i caSigningCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

  13. Optionally, delete the PKCS #12 files. 

    rm ServerCert.p12

rm caSigningCert.p12

  14. Set the trust bits on the public/private key pairs that were imported into the new HSM. 

    certutil -M -n "new_HSM_slot_name:Server-Cert cert-old_CA_instance" 
-t "cu,cu,cu" -d . -h new_HSM_token_name

certutil -M -n "new_HSM_slot_name:caSigningCert cert-old_CA_instance" 
-t "CTu,CTu,CTu" -d . -h new_HSM_token_name

  15. Open the CS.cfg configuration file. 

    cd /var/lib/instance_ID/conf/

vi CS.cfg

  16. Modify the ca.signing.cacertnickname and ca.ocsp_signing.cacertnickname attributes to reflect the new HSM information. 

    ca.signing.cacertnickname=
 new_HSM_slot_name:caSigningCert cert-old_CA_instance
ca.ocsp_signing.cacertnickname=
 new_HSM_slot_name:caSigningCert cert-old_CA_instance

  17. If there is CA-DRM connectivity, then modify the ca.connector.KRA.nickname attribute value. 

    ca.connector.KRA.nickname=new_HSM_slot_name:caSigningCert cert-old_CA_instance

  18. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example: 

    vi serverCertNick.conf

new_HSM_slot_name:Server-Cert cert-old_CA_instance

7.2.1.3. Case III: HSM to Security Databases Migration

  1. Extract the public/private key pairs from the HSM. The format for the extracted key pairs should be portable, such as a PKCS #12 file.

    The pk12util tool provided by the Certificate System cannot extract public/private key pairs from an HSM because of requirements in the FIPS 140-1 standard which protect the private key portion of an entry. To extract this information, contact the HSM vendor for more information. The extracted keys should not have any dependencies, such as nickname prefixes, on the HSM.

  2. Copy the extracted data from the old server to the new server. 

    cp old_server_root/cert-old_CA_instance/config/ServerCert.p12 
/var/lib/instance_ID/alias/ServerCert.p12

cp old_server_root/cert-old_CA_instance/config/caSigningCert.p12 
/var/lib/instance_ID/alias/caSigningCert.p12

  3. Log in to the new server machine as the Certificate System user account. Open the alias/ directory. 

    cd /var/lib/instance_ID/alias/

  4. Log in as root, and set the file user and group to the Certificate System user and group. 

    su

chown user:group ServerCert.p12

chown user:group caSigningCert.p12

  5. Log out as root. As the Certificate System user, set the file permissions on the key pair files. 

    chmod 00600 ServerCert.p12

chmod 00600 caSigningCert.p12

  6. Import the public/private key pairs in the PKCS #12 files into the new server's security databases. 

    pk12util -i ServerCert.p12 -d .

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i caSigningCert.p12 -d .

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

  7. Optionally, delete the PKCS #12 files. 

    rm ServerCert.p12

rm caSigningCert.p12

  8. Set the trust bits on the public/private key pairs that were imported into the security databases. 

    certutil -M -n "Server-Cert cert-old_CA_instance" -t "cu,cu,cu" -d .

certutil -M -n "caSigningCert cert-old_CA_instance" -t "CTu,CTu,CTu" -d .

  9. Open the CS.cfg configuration file. 

    cd /var/lib/instance_ID/conf/

vi CS.cfg

  10. Edit the ca.signing.cacertnickname and ca.ocsp_signing.cacertnickname attributes to reflect the new CA instance. 

    ca.signing.cacertnickname=
 caSigningCert cert-old_CA_instance
ca.ocsp_signing.cacertnickname=
 caSigningCert cert-old_CA_instance

  11. If there is CA-DRM connectivity, then modify the ca.connector.KRA.nickname attribute, as well. 

    ca.connector.KRA.nickname=caSigningCert cert-old_CA_instance

  12. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example: 

    vi serverCertNick.conf

Server-Cert cert-old_CA_instance

7.2.1.4. Case IV: HSM to HSM Migration

  1. Extract the public/private key pairs from the HSM. The format for the extracted key pairs should be portable, such as a PKCS #12 file.

    The pk12util tool provided by the Certificate System cannot extract public/private key pairs from an HSM because of requirements in the FIPS 140-1 standard which protect the private key portion of an entry. To extract this information, contact the HSM vendor for more information. The extracted keys should not have any dependencies, such as nickname prefixes, on the HSM.

  2. Copy the extracted key pairs from the old server to the new server. 

    cp old_server_root/cert-old_CA_instance/config/ServerCert.p12 
/var/lib/instance_ID/alias/ServerCert.p12

cp old_server_root/cert-old_CA_instance/config/caSigningCert.p12 
/var/lib/instance_ID/alias/caSigningCert.p12

  3. Log in to the new server as the Certificate System user, and open the alias/ directory. 

    cd /var/lib/instance_ID/alias/

  4. Log in as root and set the file user and group to the Certificate System user and group. 

    su

chown user:group ServerCert.p12

chown user:group caSigningCert.p12

  5. Log out as root. As the Certificate System user, set the file permissions on the key pair files. 

    chmod 00600 ServerCert.p12

chmod 00600 caSigningCert.p12

  6. Register the new HSM in the new token database. 

    modutil -nocertdb -dbdir . -add new_HSM_token_name -libfile 
new_HSM_library_path/new_HSM_library

  7. Identify the new HSM slot name. 

    modutil -dbdir . -nocertdb -list

  8. Import the public/private key pairs from the PKCS #12 files into the new HSM. 

    pk12util -i ServerCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i caSigningCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

  9. Optionally, delete the PKCS #12 files. 

    rm ServerCert.p12

rm caSigningCert.p12

  10. Set the trust bits on the public/private key pairs that were imported into the new HSM. 

    certutil -M -n "new_HSM_slot_name:Server-Cert cert-old_CA_instance"
 -t "cu,cu,cu" -d . -h new_HSM_token_name

certutil -M -n "new_HSM_slot_name:caSigningCert cert-old_CA_instance"
 -t "CTu,CTu,CTu" -d . -h new_HSM_token_name

  11. Open the new CA instance CS.cfg configuration file. 

    cd /var/lib/instance_ID/conf/

  12. Edit the ca.signing.cacertnickname and ca.ocsp_signing.cacertnickname attributes to reflect the new HSM information. 

    ca.signing.cacertnickname=
 new_HSM_slot_name:caSigningCert cert-old_CA_instance
ca.ocsp_signing.cacertnickname=
 new_HSM_slot_name:caSigningCert cert-old_CA_instance

  13. If there is CA-DRM connectivity, then also modify the ca.connector.KRA.nickname. 

    ca.connector.KRA.nickname=new_HSM_slot_name:caSigningCert cert-old_CA_instance

  14. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example: 

    vi serverCertNick.conf

new_HSM_slot_name:Server-Cert cert-old_CA_instance

7.2.2. 4.2 Data Recovery Manager (DRM) Migration

Determine if the Certificate Management System 4.2 Data Recovery Manager (DRM) being migrated uses security databases, HSM, or both. There are four possible migration scenarios; follow the appropriate process for the deployment scenario being migrated.

7.2.2.1. Case I: Security Databases to Security Databases Migration

  1. Remove all the security databases in the new Certificate System which will receive migrated data. 

    rm /var/lib/instance_ID/alias/cert8.db

rm /var/lib/instance_ID/alias/key3.db

  2. Copy the certificate and key security databases from the old server to the new server. 

    cp old_server_root/cert-old_DRM_instance/config/cert-old_DRM_instance-cert7.db 
/var/lib/instance_ID/alias/cert7.db

cp old_server_root/cert-old_DRM_instance/config/cert-old_DRM_instance-key3.db 
/var/lib/instance_ID/alias/key3.db

  3. Log into the new server as the Certificate System user, and open the alias/ directory. 

    cd /var/lib/instance_ID/alias/

  4. Log in as root, and set the file user and group for the databases to the Certificate System user and group. 

    su

chown user:group cert7.db

chown user:group key3.db

  5. Log out as root. As the Certificate System user, set the file permissions on the security databases. 

    chmod 00600 cert7.db

chmod 00600 key3.db

  6. Use the certutil tool to list all of the old Certificate Management System certificates. In this example, -L lists the certificates, and -X forces them to be read/write. 

    certutil -L -X -d .  

Server-Cert cert-old_DRM_instance cu,cu,cu 
caSigningCert cert-old_DRM_instance CT,c, 
kraStorageCert cert-old_DRM_instance u,u,u 
kraTransportCert cert-old_DRM_instance u,u,u

    NOTE

    The certificate database is automatically converted from cert7.db to cert8.db.

  7. Remove the cert7.db database. 

    rm cert7.db

  8. Open the CS.cfg configuration file. 

    cd /var/lib/instance_ID/conf/

vi CS.cfg

  9. Edit the kra.storageUnit.nickname and kra.transportUnit.nickname attributes to reflect the new DRM instance. 

    kra.storageUnit.nickname=
 kraStorageCert cert-old_DRM_instance
kra.transportUnit.nickname=
 kraTransportCert cert-old_DRM_instance

    NOTE

    The caSigningCert is not referenced in the CS.cfg for the DRM instance.

  10. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example: 

    vi serverCertNick.conf
 
Server-Cert cert-old_DRM_instance

7.2.2.2. Case II: Security Databases to HSM Migration

  1. Remove all the security databases in the new Certificate System which will receive migrated data. 

    rm /var/lib/instance_ID/alias/cert8.db

rm /var/lib/instance_ID/alias/key3.db

  2. Copy the certificate and key security databases from the old server to the new server. 

    cp old_server_root/cert-old_DRM_instance/config/cert-old_DRM_instance-cert7.db 
/var/lib/instance_ID/alias/cert7.db

cp old_server_root/cert-old_DRM_instance/config/cert-old_DRM_instance-key3.db 
/var/lib/instance_ID/alias/key3.db

  3. Log into the new server as the Certificate System user, and open the alias/ directory. 

    cd /var/lib/instance_ID/alias/

  4. Log in as root, and set the file user and group to the Certificate System user and group. 

    su

chown user:group cert7.db

chown user:group -key3.db

  5. Log out as root. As the Certificate System user, set the file permissions on the databases. 

    chmod 00600 cert7.db

chmod 00600 key3.db

  6. Use the certutil tool to list all of the old Certificate Management System certificates. In this example, -L lists the certificates, and -X forces them to be read/write. 

    certutil -L -X -d .  

Server-Cert cert-old_DRM_instance cu,cu,cu 
caSigningCert cert-old_DRM_instance cT,c, 
kraStorageCert cert-old_DRM_instance u,u,u 
kraTransportCert cert-old_DRM_instance u,u,u

    NOTE

    The certificate database is automatically converted from cert7.db to cert8.db.

  7. Export the public/private key pairs of each entry in the Certificate Management 4.2 databases; -o exports the key pairs to a PKCS #12 file, and -n sets the name of the certificate and the old database prefix. 

    pk12util -o ServerCert.p12 -n "Server-Cert cert-old_DRM_instance" -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL
pk12util -o kraStorageCert.p12 -n "kraStorageCert cert-old_DRM_instance" -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL
pk12util -o kraTransportCert.p12 -n "kraTransportCert cert-old_DRM_instance" -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL

    NOTE

    The old security databases may contain additional public/private key pairs; these can also be extracted using pk12util.

  8. Export the public key using the certutil tool, and save the output to a base 64 file. In this example, -L lists the certificates, -X forces them to be read/write, and -a sets the CA signing certificate entry from the old security database and saves it to the base 64 file. 

    certutil -L -n "caSigningCert cert-old_DRM_instance" -d . -a > caSigningCert.b64

    NOTE

    The old security databases may contain additional public keys; these can also be exported using certutil.

  9. Delete the old security databases. 

    rm cert7.db

rm cert8.db

rm key3.db

  10. Register the new HSM in the new token database. 

    modutil -nocertdb -dbdir . -add new_HSM_token_name -libfile 
new_HSM_library_path/new_HSM_library

  11. Identify the new HSM slot name. 

    modutil -dbdir . -nocertdb -list

  12. Create new security databases. 

    certutil -N -d .

  13. Import the public/private key pairs from the PKCS #12 files into the new HSM. 

    pk12util -i ServerCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util -i kraStorageCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i kraTransportCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

  14. Optionally, delete the PKCS #12 files. 

    rm ServerCert.p12

rm kraStorageCert.p12

rm kraTransportCert.p12

  15. Set the trust bits on the public/private key pairs that were imported into the new HSM. 

    certutil -M -n "new_HSM_slot_name:Server-Cert cert-old_DRM_instance" 
-t "cu,cu,cu" -d . -h new_HSM_token_name

certutil -M -n "new_HSM_slot_name:kraStorageCert cert-old_DRM_instance" 
-t "u,u,u" -d . -h new_HSM_token_name

certutil -M -n "new_HSM_slot_name:kraTransportCert cert-old_DRM_instance" 
-t "u,u,u" -d . -h new_HSM_token_name"

  16. Import the public key from the base-64 file into the new HSM, and set the trust bits. 

    certutil -A -n "new_HSM_slot_name:caSigningCert cert-old_DRM_instance"
 -t "CT,c," -d . -h new_HSM_token_name -i caSigningCert.b64"

  17. Optionally, delete the base-64 file. 

    rm caSigningCert.b64

  18. Open the CS.cfg configuration file. 

                      
                    cd /var/lib/
                  
                  
                    instance_ID
                  
                  
                    /conf/

vi CS.cfg

  19. Modify the kra.storageUnit.nickname and kra.transportUnit.nickname attributes to reflect the new DRM instance. 

    kra.storageUnit.nickname=
 new_HSM_slot_name:kraStorageCert cert-old_DRM_instance
kra.transportUnit.nickname=
 new_HSM_slot_name:kraTransportCert cert-old_DRM_instance

    NOTE

    The caSigningCert attribute is not listed in the CS.cfg file.

  20. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example: 

    vi serverCertNick.conf

new_HSM_slot_name:Server-Cert cert-old_DRM_instance

7.2.2.3. Case III: HSM to Security Databases Migration

  1. Extract the public/private key pairs from the HSM. The format for the extracted key pairs should be portable, such as a PKCS #12 file.

    The pk12util tool provided by the Certificate System cannot extract public/private key pairs from an HSM because of requirements in the FIPS 140-1 standard which protect the private key portion of an entry. To extract this information, contact the HSM vendor for more information. The extracted keys should not have any dependencies, such as nickname prefixes, on the HSM.

  2. Copy the extracted key pairs from the old server to the new server. 

    cp old_server_root/cert-old_DRM_instance/config/ServerCert.p12 
/var/lib/instance_ID/alias/ServerCert.p12

cp old_server_root/cert-old_DRM_instance/config/kraStorageCert.p12 
/var/lib/instance_ID/alias/kraStorageCert.p12

cp old_server_root/cert-old_DRM_instance/config/kraTransportCert.p12 
/var/lib/instance_ID/alias/kraTransportCert.p12

  3. Extract the public key of the old_HSM_slot_name:caSigningCert cert-old_DRM_instance certificate from the old security databases, and save the base-64 encoded output to a file called caSigningCert.b64.

    1. Open the old Certificate System's configuration directory. 

      cd old_server_root/cert-old_DRM_instance/config/

    2. Use the certutil tool from the old Certificate System installation to identify the old HSM slot name. 

      old_server_root/bin/cert/tools/certutil -U -d .

    3. Extract the public key using the certutil tool, and save the output to a base 64 file. In this example, -L lists the named certificate, -n names the certificate and old Certificate System directory prefix, -h gives the name of the old HSM, and -a saves it to the base 64 file. 

      old_server_root/bin/cert/tools/certutil -L
 -n "old_HSM_slot_name:caSigningCert cert-old_DRM_instance"
 -d . -h old_HSM_token_name -a > caSigningCert.b64

    4. Copy the base 64 file from the old server to the new server. 

      cp old_server_root/cert-old_DRM_instance/config/caSigningCert.b64 
/var/lib/instance_ID/alias/caSigningCert.b64

  4. Log into the new server as the Certificate System user, and open the alias/ directory. 

    cd /var/lib/instance_ID/alias/

  5. Log in as root, and set the file user and group to the Certificate System user and group. 

    su

chown user:group ServerCert.p12

chown user:group kraStorageCert.p12

chown user:group kraTransportCert.p12

chown user:group caSigningCert.b64

  6. Log out as root. As the Certificate System user, set the file permissions on the certificate files. 

    chmod 00600 ServerCert.p12

chmod 00600 kraStorageCert.p12

chmod 00600 kraTransportCert.p12

chmod 00600 caSigningCert.b64

  7. Import the public/private key pairs from the PKCS #12 files into the new security databases. 

    pk12util -i ServerCert.p12 -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i kraStorageCert.p12 -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i kraTransportCert.p12 -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

  8. Optionally, delete the PKCS #12 files. 

    rm ServerCert.p12

rm kraStorageCert.p12

rm kraTransportCert.p12

  9. Set the trust bits on the public/private key pairs that were imported into the new security databases. 

    certutil -M -n "Server-Cert cert-old_DRM_instance" 
-t "cu,cu,cu" -d . 

certutil -M -n "kraStorageCert cert-old_DRM_instance" 
-t "u,u,u" -d .

certutil -M -n "kraTransportCert cert-old_DRM_instance" 
-t "u,u,u" -d .

  10. Import the public key from the base-64 file, and set the trust bits. 

    certutil -A -n "caSigningCert cert-old_DRM_instance"
 -t "CT,c," -d . -i caSigningCert.b64

  11. Optionally, delete the base-64 file. 

    rm caSigningCert.b64

  12. Open the CS.cfg configuration file. 

    cd /var/lib/instance_ID/conf/

  13. Modify the kra.storageUnit.nickname and kra.transportUnit.nickname attributes to reflect the new DRM instance. 

    kra.storageUnit.nickname=
 kraStorageCert cert-old_DRM_instance 
kra.transportUnit.nickname=
 kraTransportCert cert-old_DRM_instance

    NOTE

    The caSigningCert attribute is not referenced in the CS.cfg file.

  14. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example: 

    vi serverCertNick.conf

Server-Cert cert-old_DRM_instance

7.2.2.4. Case IV: HSM to HSM Migration

  1. Extract the public/private key pairs from the HSM. The format for the extracted key pairs should be portable, such as a PKCS #12 file.

    The pk12util tool provided by the Certificate System cannot extract public/private key pairs from an HSM because of requirements in the FIPS 140-1 standard which protect the private key portion of an entry. To extract this information, contact the HSM vendor for more information. The extracted keys should not have any dependencies, such as nickname prefixes, on the HSM.

  2. Copy the data from the old server to the new server. 

    cp old_server_root/cert-old_DRM_instance/config/ServerCert.p12 
/var/lib/instance_ID/alias/ServerCert.p12

cp old_server_root/cert-old_DRM_instance/config/kraStorageCert.p12 
/var/lib/instance_ID/alias/kraStorageCert.p12

cp old_server_root/cert-old_DRM_instance/config/kraTransportCert.p12 
/var/lib/instance_ID/alias/kraTransportCert.p12

  3. Extract the public key of the old_HSM_slot_name:caSigningCert cert-old_DRM_instance entry from the old security databases, and save the base-64 encoded output to a file called caSigningCert.b64.

    1. Open the old Certificate System's configuration directory. 

      cd old_server_root/cert-old_DRM_instance/config/

    2. Use the certutil tool from the old Certificate System installation to identify the old HSM slot name. 

      old_server_root/bin/cert/tools/certutil -U -d .

    3. Extract the public key using the certutil tool, and save the output to a base 64 file. In this example, -L lists the named certificate, -n names the old certificate, -h gives the old HSM name, and -a saves it to the base 64 file. 

      old_server_root/bin/cert/tools/certutil -L
 -n "old_HSM_slot_name:caSigningCert cert-old_DRM_instance"
 -d . -h old_HSM_token_name -a > caSigningCert.b64

    4. Copy the files from the old server to the new server. 

      cp old_server_root/cert-old_DRM_instance/config/caSigningCert.b64 
/var/lib/instance_ID/alias/caSigningCert.b64

  4. Log into the new server as the Certificate System user, and open the alias/ directory. 

    cd /var/lib/instance_ID/alias/

  5. Log in as root, and set the file user and group to the Certificate System user and group for the certificate files. 

    su

chown user:group ServerCert.p12

chown user:group kraStorageCert.p12

chown user:group kraTransportCert.p12

chown user:group caSigningCert.b64

  6. Log out as root. As the Certificate user, set the file permissions on the certificate files. 

    chmod 00600 ServerCert.p12

chmod 00600 kraStorageCert.p12

chmod 00600 kraTransportCert.p12

chmod 00600 caSigningCert.b64

  7. Register the new HSM in the new token database. 

    modutil -nocertdb -dbdir . -add new_HSM_token_name -libfile 
new_HSM_library_path/new_HSM_library

  8. Identify the new HSM slot name. 

    modutil -dbdir . -nocertdb -list

  9. Import the public/private key pairs from the PKCS #12 files into the new HSM. 

    pk12util -i ServerCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i kraStorageCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i kraTransportCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

  10. Optionally, delete the PKCS #12 files. 

    rm ServerCert.p12

rm kraStorageCert.p12

rm kraTransportCert.p12

  11. Set the trust bits on the public/private key pairs that were imported into the new HSM. 

    certutil -M -n "new_HSM_slot_name:Server-Cert cert-old_DRM_instance" 
-t "cu,cu,cu" -d . -h new_HSM_token_name

certutil -M -n "new_HSM_slot_name:kraStorageCert cert-old_DRM_instance" 
-t "u,u,u" -d . -h new_HSM_token_name

certutil -M -n "new_HSM_slot_name:kraTransportCert cert-old_DRM_instance" 
-t "u,u,u" -d . -h new_HSM_token_name

  12. Import the public key from the base-64 file into the new HSM, and set the trust bits. 

    certutil -A -n "new_HSM_slot_name:caSigningCert cert-old_DRM_instance"
 -t "CT,c," -d . -h new_HSM_token_name -i caSigningCert.b64

  13. Optionally, delete the base-64 file. 

    rm caSigningCert.b64

  14. Open the CS.cfg configuration file. 

                      
                    cd /var/lib/
                  
                  
                    instance_ID
                  
                  
                    /conf/

vi CS.cfg

  15. Edit the kra.storageUnit.nickname and kra.transportUnit.nickname attributes to reflect the new DRM instance. 

    kra.storageUnit.nickname=
 new_HSM_slot_name:kraStorageCert cert-old_DRM_instance
kra.transportUnit.nickname=
 new_HSM_slot_name:kraTransportCert cert-old_DRM_instance

    NOTE

    The caSigningCert attribute is not referenced in the CS.cfg file.

  16. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example: 

    vi serverCertNick.conf

new_HSM_slot_name:Server-Cert cert-old_DRM_instance