7.6. Certificate Management System 7.0 and Certificate System 7.1

There are four subsystems that can be migrated from Certificate Management System 7.0 and Certificate System 7.1 to a later version of the Certificate System: the Certificate Authority (CA), the Data Recovery Manager (DRM), the Online Certificate Status Protocol Manager (OCSP), and the Token Key Service (TKS). Each subsystem has different migration procedures.

7.6.1. 7.0 and 7.1 Certificate Authority (CA) Migration

Determine if the migration to be performed involves software security databases, an HSM, or both. There are four possible migration scenarios; follow the appropriate process for the deployment scenario being migrated.

7.6.1.1. Case I: Security Databases to Security Databases Migration

Remove all the security databases in the new Certificate System which will receive migrated data.
```
rm /var/lib/instance_ID/alias/cert8.db

rm /var/lib/instance_ID/alias/key3.db
```

Copy the certificate and key security databases from the old server to the new server.

cp old_server_root/alias/cert-old_CA_instance-cert8.db 
/var/lib/instance_ID/alias/cert8.db

cp old_server_root/alias/cert-old_CA_instance-key3.db 
/var/lib/instance_ID/alias/key3.db

Log into the new server as the Certificate System user, and open the Certificate System alias/ directory.
```
cd /var/lib/instance_ID/alias/
```
Log in as root, and set the file user and group to the Certificate System user and group.
```
su

chown user:group cert8.db

chown user:group key3.db
```
Log out as root. As the Certificate System user, set the file permissions.
```
chmod 00600 cert8.db

chmod 00600 key3.db
```

List the contents of the certificate database using the certutil command. In this example, -L lists the certificates.

certutil -L -d . 

Server-Cert cert-old_CA_instance cu,cu,cu
caSigningCert cert-old_CA_instance cu,cu,cu
ocspSigningCert cert-old_CA_instance CTu,Cu,Cu
subsystemCert cert-old_CA_instance cu,cu,cu

Open the CS.cfg configuration file.
```
cd /var/lib/instance_ID/conf
```

Edit the ca.signing.cacertnickname and ca.ocsp_signing.cacertnickname attributes to reflect the new subsystem information.

ca.signing.cacertnickname=
 caSigningCert cert-old_CA_instance
ca.ocsp_signing.cacertnickname=
 ocspSigningCert cert-old_CA_instance

If there is CA-DRM connectivity, then also modify the ca.connector.KRA.nickname attribute.
```
ca.connector.KRA.nickname=caSigningCert cert-old_CA_instance
```
In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:
```
vi serverCertNick.conf

Server-Cert cert-old_CA_instance
```

7.6.1.2. Case II: Security Databases to HSM Migration

Remove all the security databases in the new Certificate System which will receive migrated data.
```
rm /var/lib/instance_ID/alias/cert8.db

rm /var/lib/instance_ID/alias/key3.db
```

Copy the certificate and key security databases from the old server to the new server.

cp old_server_root/alias/cert-old_CA_instance-cert8.db 
/var/lib/instance_ID/alias/cert8.db

cp old_server_root/alias/cert-old_CA_instance-key3.db 
/var/lib/instance_ID/alias/key3.db

Log into the new server as the Certificate System user, and open the Certificate System alias/ directory.
```
cd /var/lib/instance_ID/alias/
```
Log in as root, and set the file user and group to the Certificate System user and group.
```
su

chown user:group cert8.db

chown user:group key3.db
```
Log out as root. As the Certificate System user, set the file permissions.
```
chmod 00600 cert8.db

chmod 00600 key3.db
```

List the certificates stored in the old security databases by using the certutil command. In this example, -L lists the certificates.

certutil -L -d . 

Server-Cert cert-old_CA_instance cu,cu,cu
caSigningCert cert-old_CA_instance cu,cu,cu
ocspSigningCert cert-old_CA_instance CTu,Cu,Cu
subsystemCert cert-old_CA_instance cu,cu,cu

Export the public/private key pairs of each entry in the Certificate System databases using the pk12util tool; -o exports the key pairs to a PKCS #12 file, and -n sets the name of the certificate and the old database prefix.

pk12util -o ServerCert.p12 -n "Server-Cert cert-old_CA_instance" -d .  

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL

pk12util -o caSigningCert.p12 -n "caSigningCert cert-old_CA_instance" -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL

pk12util -o ocspSigningCert.p12 -n "ocspSigningCert cert-old_CA_instance" -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL

pk12util -o subsystemCert.p12 -n "subsystemCert cert-old_CA_instance" -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL

NOTE

The old security databases may contain additional public/private key pairs; these can also be extracted using pk12util.

Delete the old security databases.
```
rm cert8.db

rm key3.db
```

modutil -nocertdb -dbdir . -add new_HSM_token_name -libfile 
new_HSM_library_path/new_HSM_library

Identify the new HSM slot name.
```
modutil -dbdir . -nocertdb -list
```
Create new security databases.
```
certutil -N -d . 
```

Import the public/private key pairs of each entry from the PKCS #12 files into the new HSM.

pk12util -i ServerCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i caSigningCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i ocspSigningCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i subsystemCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

Optionally, delete the PKCS #12 files.

rm ServerCert.p12

rm caSigningCert.p12

rm /var/lib/instance_ID/alias/ocspSigningCert.p12

rm /var/lib/instance_ID/alias/subsystemCert.p12

Set the trust bits on the public/private key pairs that were imported into the new HSM.

certutil -M -n "new_HSM_slot_name:Server-Cert cert-old_CA_instance" 
-t "cu,cu,cu" -d . -h new_HSM_token_name

certutil -M -n "new_HSM_slot_name:caSigningCert cert-old_CA_instance" 
-t "CTu,CTu,CTu" -d . -h new_HSM_token_name

certutil -M -n "new_HSM_slot_name:ocspSigningCert cert-old_CA_instance" 
-t "CTu,Cu,Cu" -d . -h new_HSM_token_name

certutil -M -n "new_HSM_slot_name:subsystemCert cert-old_CA_instance" 
-t "cu,cu,cu" -d . -h new_HSM_token_name

Open the CS.cfg configuration file.
```
cd /var/lib/instance_ID/conf
```

Edit the ca.signing.cacertnickname and ca.ocsp_signing.cacertnickname attributes to reflect the new subsystem information.

ca.signing.cacertnickname=
 new_HSM_slot_name:caSigningCert cert-old_CA_instance

ca.ocsp_signing.cacertnickname=
 new_HSM_slot_name:ocspSigningCert cert-old_CA_instance

If there is CA-DRM connectivity, then also modify the ca.connector.KRA.nickname attribute.
```
ca.connector.KRA.nickname=new_HSM_slot_name:caSigningCert cert-old_CA_instance
```
In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:
```
vi serverCertNick.conf

new_HSM_slot_name:Server-Cert cert-old_CA_instance
```

7.6.1.3. Case III: HSM to Security Databases Migration

Extract the public/private key pairs from the HSM. The format for the extracted key pairs should be portable, such as a PKCS #12 file.

The pk12util tool provided by the Certificate System cannot extract public/private key pairs from an HSM because of requirements in the FIPS 140-1 standard which protect the private key portion of an entry. To extract this information, contact the HSM vendor for more information. The extracted keys should not have any dependencies, such as nickname prefixes, on the HSM.

Copy the extracted public/private key pairs from the old server to the new server.

cp old_server_root/alias/ServerCert.p12
 /var/lib/instance_ID/alias/ServerCert.p12

cp old_server_root/alias/caSigningCert.p12
 /var/lib/instance_ID/alias/caSigningCert.p12

cp old_server_root/alias/ocspSigningCert.p12
 /var/lib/instance_ID/alias/ocspSigningCert.p12

cp old_server_root/alias/subsystemCert.p12
 /var/lib/instance_ID/alias/subsystemCert.p12

Log into the new server as the Certificate System user, and open the Certificate System alias/ directory.
```
cd /var/lib/instance_ID/alias/
```

su

chown user:group ServerCert.p12

chown user:group caSigningCert.p12

chown user:group ocspSigningCert.p12

chown user:group subsystemCert.p12

Log out as root. As the Certificate System user, set the file permissions.

chmod 00600 ServerCert.p12

chmod 00600 caSigningCert.p12

chmod 00600 ocspSigningCert.p12

chmod 00600 subsystemCert.p12

Import the public/private key pairs of each entry from the PKCS #12 files into the new security databases.

pk12util -i ServerCert.p12 -d .

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i caSigningCert.p12 -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i ocspSigningCert.p12 -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i subsystemCert.p12 -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

Optionally, delete the PKCS #12 files.

rm ServerCert.p12

rm caSigningCert.p12

rm ocspSigningCert.p12

rm subsystemCert.p12

Set the trust bits on the public/private key pairs that were imported into the new security databases.

certutil -M -n "Server-Cert cert-old_CA_instance" 
-t "cu,cu,cu" -d . 

certutil -M -n "caSigningCert cert-old_CA_instance" 
-t "CTu,CTu,CTu" -d . 

certutil -M -n "ocspSigningCert cert-old_CA_instance" 
-t "CTu,Cu,Cu" -d . 

certutil -M -n "subsystemCert cert-old_CA_instance" 
-t "cu,cu,cu" -d .

Open the CS.cfg configuration file.

cd /var/lib/instance_ID/conf/

vi CS.cfg

Edit the ca.signing.cacertnickname and ca.ocsp_signing.cacertnickname attributes to reflect the new subsystem information.

ca.signing.cacertnickname=
 caSigningCert cert-old_CA_instance
ca.ocsp_signing.cacertnickname=
 ocspSigningCert cert-old_CA_instance

If there is CA-DRM connectivity, then also modify the ca.connector.KRA.nickname attribute.
```
ca.connector.KRA.nickname=caSigningCert cert-old_CA_instance
```
In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:
```
vi serverCertNick.conf

Server-Cert cert-old_CA_instance
```

7.6.1.4. Case IV: HSM to HSM Migration

Extract the public/private key pairs from the HSM. The format for the extracted key pairs should be portable, such as a PKCS #12 file.

The pk12util tool provided by the Certificate System cannot extract public/private key pairs from an HSM because of requirements in the FIPS 140-1 standard which protect the private key portion of an entry. To extract this information, contact the HSM vendor for more information. The extracted keys should not have any dependencies, such as nickname prefixes, on the HSM.

Copy the extracted public/private key pairs from the old server to the new server.

cp old_server_root/alias/ServerCert.p12 
/var/lib/instance_ID/alias/ServerCert.p12

cp old_server_root/alias/caSigningCert.p12 
/var/lib/instance_ID/alias/caSigningCert.p12

cp old_server_root/alias/ocspSigningCert.p12 
/var/lib/instance_ID/alias/ocspSigningCert.p12

cp old_server_root/alias/subsystemCert.p12
 /var/lib/instance_ID/alias/subsystemCert.p12

Log into the new server as the Certificate System user, and open the Certificate System alias/ directory.
```
cd /var/lib/instance_ID/alias/
```

su

chown user:group ServerCert.p12

chown user:group caSigningCert.p12

chown user:group ocspSigningCert.p12

chown user:group subsystemCert.p12

Log out as root. As the Certificate System user, set the file permissions.

chmod 00600 ServerCert.p12

chmod 00600 caSigningCert.p12

chmod 00600 ocspSigningCert.p12

chmod 00600 subsystemCert.p12

modutil -nocertdb -dbdir . -add new_HSM_token_name -libfile 
new_HSM_library_path/new_HSM_library

Identify the new HSM slot name.
```
modutil -dbdir . -nocertdb -list
```

Import the public/private key pairs of each entry from the PKCS #12 files into the new HSM.

pk12util -i ServerCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i caSigningCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i ocspSigningCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i subsystemCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

Optionally, delete the PKCS #12 files.

rm ServerCert.p12

rm caSigningCert.p12

rm ocspSigningCert.p12

rm subsystemCert.p12

Set the trust bits on the public/private key pairs that were imported into the new HSM.

certutil -M -n "new_HSM_slot_name:Server-Cert cert-old_CA_instance" 
-t "cu,cu,cu" -d . -h new_HSM_token_name

certutil -M -n "new_HSM_slot_name:caSigningCert cert-old_CA_instance" 
-t "CTu,CTu,CTu" -d . -h new_HSM_token_name

certutil -M -n "new_HSM_slot_name:ocspSigningCert cert-old_CA_instance" 
-t "CTu,Cu,Cu" -d . -h new_HSM_token_name

certutil -M -n "new_HSM_slot_name:subsystemCert cert-old_CA_instance" 
-t "cu,cu,cu" -d . -h new_HSM_token_name"

Open the CS.cfg configuration file.

cd /var/lib/instance_ID/conf/

vi CS.cfg

Edit the ca.signing.cacertnickname and ca.ocsp_signing.cacertnickname attributes to reflect the new subsystem information.

ca.signing.cacertnickname=
 new_HSM_slot_name:caSigningCert cert-old_CA_instance
ca.ocsp_signing.cacertnickname=
 new_HSM_slot_name:ocspSigningCert cert-old_CA_instance

If there is CA-DRM connectivity, then also modify the ca.connector.KRA.nickname attribute.
```
ca.connector.KRA.nickname=new_HSM_slot_name:caSigningCert cert-old_CA_instance
```
In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:
```
vi serverCertNick.conf

new_HSM_slot_name:Server-Cert cert-old_CA_instance
```

7.6.2. 7.0 and 7.1 Data Recover Manager (DRM) Migration

7.6.2.1. Case I: Security Databases to Security Databases Migration

Remove all the security databases in the new Certificate System which will receive migrated data.
```
rm /var/lib/instance_ID/alias/cert8.db

rm /var/lib/instance_ID/alias/key3.db
```

Copy the certificate and key security databases from the old server to the new server.

cp old_server_root/alias/cert-old_DRM_instance-cert8.db 
/var/lib/instance_ID/alias/cert8.db

cp old_server_root/alias/cert-old_DRM_instance-key3.db 
/var/lib/instance_ID/alias/key3.db

Log into the new server as the Certificate System user, and open the Certificate System alias/ directory.
```
cd /var/lib/instance_ID/alias/
```
Log in as root, and set the file user and group to the Certificate System user and group.
```
su

chown user:group cert8.db

chown user:group key3.db
```
Log out as root. As the Certificate System user, set the file permissions.
```
chmod 00600 cert8.db

chmod 00600 key3.db
```

List the certificates in the security databases using the certutil command. In this example, -L lists the certificates.

certutil -L -d .

Server-Cert cert-old_DRM_instance cu,cu,cu
caSigningCert cert-old_DRM_instance CT,c,
kraStorageCert cert-old_DRM_instance u,u,u
kraTransportCert cert-old_DRM_instance u,u,u

Open the CS.cfg configuration file.

cd /var/lib/instance_ID/conf/

vi CS.cfg

Edit the kra.storageUnit.nickname and kra.transportUnit.nickname attributes to reflect the new subsystem information.
```
kra.storageUnit.nickname=
 kraStorageCert cert-old_DRM_instance
kra.transportUnit.nickname=
 kraTransportCert cert-old_DRM_instance
```
NOTE

The caSigningCert is not referenced in the CS.cfg file.
In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:
```
vi serverCertNick.conf

Server-Cert cert-old_DRM_instance
```

7.6.2.2. Case II: Security Databases to HSM Migration

Remove all the security databases in the new Certificate System which will receive migrated data.
```
rm /var/lib/instance_ID/alias/cert8.db

rm /var/lib/instance_ID/alias/key3.db
```

Copy the certificate and key security databases from the old server to the new server.

cp old_server_root/alias/cert-old_DRM_instance-cert8.db 
/var/lib/instance_ID/alias/cert8.db

cp old_server_root/alias/cert-old_DRM_instance-key3.db 
/var/lib/instance_ID/alias/key3.db

Log into the new server as the Certificate System user, and open the Certificate System alias/ directory.
```
cd /var/lib/instance_ID/alias/
```
Log in as root, and set the file user and group to the Certificate System user and group.
```
su

chown user:group cert8.db

chown user:group key3.db
```
Log out as root. As the Certificate System user, set the file permissions.
```
chmod 00600 cert8.db

chmod 00600 key3.db
```

List the certificates stored in the old security databases by using the certutil command. In this example, -L lists the certificates.

certutil -L -d .

Server-Cert cert-old_DRM_instance cu,cu,cu
caSigningCert cert-old_DRM_instance cT,c,
kraStorageCert cert-old_DRM_instance u,u,u
kraTransportCert cert-old_DRM_instance u,u,u

pk12util -o ServerCert.p12 -n "Server-Cert cert-old_DRM_instance" -d .

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL

pk12util -o kraStorageCert.p12 -n "kraStorageCert cert-old_DRM_instance" -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL

pk12util -o kraTransportCert.p12 -n "kraTransportCert cert-old_DRM_instance" -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL

NOTE

The old security databases may contain additional public/private key pairs; these can also be extracted using pk12util.

Export the public key using the certutil tool; -L lists the named certificate, -n sets the name of the file and the old prefix, and -a outputs the information to a base-64 file.
```
certutil -L -n "caSigningCert cert-old_DRM_instance" -d . -a > caSigningCert.b64
```
NOTE

The old security databases may contain additional public keys; these can also be exported using the certutil tool.
Delete the old security databases.
```
rm cert8.db

rm key3.db
```

modutil -nocertdb -dbdir . -add new_HSM_token_name -libfile 
new_HSM_library_path/new_HSM_library

Identify the new HSM slot name.
```
modutil -dbdir . -nocertdb -list
```
Create new security databases.
```
certutil -N -d .
```

Import the public/private key pairs of each entry from the PKCS #12 files into the new HSM.

pk12util -i ServerCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i kraStorageCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i kraTransportCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

Optionally, delete the PKCS #12 files.

rm ServerCert.p12

rm kraStorageCert.p12

rm kraTransportCert.p12

Set the trust bits on the public/private key pairs that were imported into the new HSM.

certutil -M -n "new_HSM_slot_name:Server-Cert cert-old_DRM_instance" 
-t "cu,cu,cu" -d . -h new_HSM_token_name

certutil -M -n "new_HSM_slot_name:kraStorageCert cert-old_DRM_instance" 
-t "u,u,u" -d . -h new_HSM_token_name

certutil -M -n "new_HSM_slot_name:kraTransportCert cert-old_DRM_instance" 
-t "u,u,u" -d . -h new_HSM_token_name

Import the public key from the base-64 file into the new HSM, and set the trust bits.

certutil -A -n "new_HSM_slot_name:caSigningCert cert-old_DRM_instance"
 -t "CT,c," -d . -h new_HSM_token_name -i caSigningCert.b64

Optionally, delete the base-64 file.
```
rm caSigningCert.b64
```
Open the CS.cfg configuration file.
```
cd /var/lib/instance_ID/conf
```

Edit the kra.storageUnit.nickname and kra.transportUnit.nickname attributes to reflect the new subsystem information.

kra.storageUnit.nickname=
 new_HSM_slot_name:kraStorageCert cert-old_DRM_instance
kra.transportUnit.nickname=
 new_HSM_slot_name:kraTransportCert cert-old_DRM_instance

NOTE

The caSigningCert is not referenced in the CS.cfg file.

In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:
```
vi serverCertNick.conf

new_HSM_slot_name:Server-Cert cert-old_DRM_instance
```

7.6.2.3. Case III: HSM to Security Databases Migration

Extract the public/private key pairs from the HSM. The format for the extracted key pairs should be portable, such as a PKCS #12 file.

The pk12util tool provided by the Certificate System cannot extract public/private key pairs from an HSM because of requirements in the FIPS 140-1 standard which protect the private key portion of an entry. To extract this information, contact the HSM vendor for more information. The extracted keys should not have any dependencies, such as nickname prefixes, on the HSM.

Copy the extracted public/private key pairs from the old server to the new server.

cp old_server_root/alias/ServerCert.p12 
/var/lib/instance_ID/alias/ServerCert.p12

cp old_server_root/alias/kraStorageCert.p12 
/var/lib/instance_ID/alias/kraStorageCert.p12

cp old_server_root/alias/kraTransportCert.p12 
/var/lib/instance_ID/alias/kraTransportCert.p12

Extract the public key of the old_HSM_slot_name:caSigningCert cert-old_DRM_instance from the old security databases and save the base-64 encoded output to a file called caSigningCert.b64:
```
cd old_server_root/alias
```
Set the LD_LIBRARY_PATH environment variable to search the Certificate System libraries.
```
LD_LIBRARY_PATH=old_server_root/bin/cert/lib

export LD_LIBRARY_PATH
```
Use the old Certificate System certutil tool to identify the old HSM slot name:
```
old_server_root/bin/cert/tools/certutil -U -d .
```

Use the old certutil tool to extract the public key from the security databases and save the base-64 output to a file:

old_server_root/bin/cert/tools/certutil -L
 -n "old_HSM_slot_name:caSigningCert cert-old_DRM_instance"
 -d . -h old_HSM_token_name -a > caSigningCert.b64

Copy the key information from the old server to the new server.

cp old_server_root/alias/caSigningCert.b64 
/var/lib/instance_ID/alias/caSigningCert.b64

Log into the new server as the Certificate System user, and open the Certificate System alias/ directory.
```
cd /var/lib/instance_ID/alias/
```

su

chown user:group ServerCert.p12

chown user:group kraStorageCert.p12

chown user:group kraTransportCert.p12

chown user:group caSigningCert.b64

Log out as root. As the Certificate System user, change the permissions on the files.

chmod 00600 ServerCert.p12

chmod 00600 kraStorageCert.p12

chmod 00600 kraTransportCert.p12

chmod 00600 caSigningCert.b64

Import the public/private key pairs of each entry from the PKCS #12 files into the new security databases.

pk12util -i ServerCert.p12 -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i kraStorageCert.p12 -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i kraTransportCert.p12 -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

Optionally, delete the PKCS #12 files.

rm ServerCert.p12

rm kraStorageCert.p12

rm kraTransportCert.p12

Set the trust bits on the public/private key pairs that were imported into the new security databases.

certutil -M -n "Server-Cert cert-old_DRM_instance" 
-t "cu,cu,cu" -d .

certutil -M -n "kraStorageCert cert-old_DRM_instance" 
-t "u,u,u" -d .

certutil -M -n "kraTransportCert cert-old_DRM_instance" 
-t "u,u,u" -d .

Import the public key from the base-64 file, and set the trust bits.

certutil -A -n "caSigningCert cert-old_DRM_instance"
 -t "CT,c," -d . -i caSigningCert.b64

Optionally, delete the base-64 file.
```
rm caSigningCert.b64
```
Open the CS.cfg configuration file.
```
cd /var/lib/instance_ID/conf
```
Edit the kra.storageUnit.nickname and kra.transportUnit.nickname attributes to reflect the new subsystem information.
```
kra.storageUnit.nickname=
 kraStorageCert cert-old_DRM_instance
kra.transportUnit.nickname=
 kraTransportCert cert-old_DRM_instance
```
NOTE

The caSigningCert is not referenced in the CS.cfg file.
In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:
```
vi serverCertNick.conf

Server-Cert cert-old_DRM_instance
```

7.6.2.4. Case IV: HSM to HSM Migration

Extract the public/private key pairs from the HSM. The format for the extracted key pairs should be portable, such as a PKCS #12 file.

The pk12util tool provided by the Certificate System cannot extract public/private key pairs from an HSM because of requirements in the FIPS 140-1 standard which protect the private key portion of an entry. To extract this information, contact the HSM vendor for more information. The extracted keys should not have any dependencies, such as nickname prefixes, on the HSM.

Copy the extracted public/private key pairs from the old server to the new server.

cp old_server_root/alias/ServerCert.p12 
/var/lib/instance_ID/alias/ServerCert.p12

cp old_server_root/alias/kraStorageCert.p12 
/var/lib/instance_ID/alias/kraStorageCert.p12

cp old_server_root/alias/kraTransportCert.p12 
/var/lib/instance_ID/alias/kraTransportCert.p12

Extract the public key of the old_HSM_slot_name:caSigningCert cert-old_DRM_instance from the old security databases and save the base-64 encoded output to a file called caSigningCert.b64.
```
cd old_server_root/alias
```
Set the LD_LIBRARY_PATH environment variable to search the Certificate System libraries.
```
LD_LIBRARY_PATH=old_server_root/bin/cert/lib

export LD_LIBRARY_PATH
```
Use the old Certificate System certutil tool to identify the old HSM slot name:
```
old_server_root/bin/cert/tools/certutil -U -d .
```

Use the old Certificate System certutil tool to extract the public key from the security databases and save the base-64 output to a file:

old_server_root/bin/cert/tools/certutil -L
 -n "old_HSM_slot_name:caSigningCert cert-old_DRM_instance"
 -d . -h old_HSM_token_name -a > caSigningCert.b64

Copy the key information from the old server to the new server.

cp old_server_root/alias/caSigningCert.b64 
/var/lib/instance_ID/alias/caSigningCert.b64

Log into the new server as the Certificate System user, and open the Certificate System alias/ directory.
```
cd /var/lib/instance_ID/alias/
```

su

chown user:group ServerCert.p12

chown user:group kraStorageCert.p12

chown user:group kraTransportCert.p12

chown user:group caSigningCert.b64

Log out as root. As the Certificate System user, set the file permissions.

chmod 00600 ServerCert.p12

chmod 00600 kraStorageCert.p12

chmod 00600 kraTransportCert.p12

chmod 00600 caSigningCert.b64

modutil -nocertdb -dbdir . -add new_HSM_token_name -libfile 
new_HSM_library_path/new_HSM_library

Identify the new HSM slot name.
```
modutil -dbdir . -nocertdb -list
```

Import the public/private key pairs of each entry from the PKCS #12 files into the new HSM.

pk12util -i ServerCert.p12 -d .-h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i kraStorageCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i kraTransportCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

Optionally, delete the PKCS #12 files.

rm ServerCert.p12

rm kraStorageCert.p12

rm kraTransportCert.p12

Set the trust bits on the public/private key pairs that were imported into the new HSM.

certutil -M -n "new_HSM_slot_name:Server-Cert cert-old_DRM_instance" 
-t "cu,cu,cu" -d . -h new_HSM_token_name

certutil -M -n "new_HSM_slot_name:kraStorageCert cert-old_DRM_instance" 
-t "u,u,u" -d . -h new_HSM_token_name

certutil -M -n "new_HSM_slot_name:kraTransportCert cert-old_DRM_instance" 
-t "u,u,u" -d . -h new_HSM_token_name

Import the public key from the base-64 file into the new HSM, and set the trust bits.

certutil -A -n "new_HSM_slot_name:caSigningCert cert-old_DRM_instance"
 -t "CT,c," -d . -h new_HSM_token_name -i caSigningCert.b64

Optionally, delete the base-64 file.
```
rm caSigningCert.b64
```
Open the CS.cfg configuration file.
```
cd /var/lib/instance_ID/conf
```

Edit the kra.storageUnit.nickname and kra.transportUnit.nickname attributes to reflect the new subsystem information.

kra.storageUnit.nickname=
 new_HSM_slot_name:kraStorageCert cert-old_DRM_instance
kra.transportUnit.nickname=
 new_HSM_slot_name:kraTransportCert cert-old_DRM_instance

NOTE

The caSigningCert is not referenced in the CS.cfg file.

In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:
```
vi serverCertNick.conf

new_HSM_slot_name:Server-Cert cert-old_DRM_instance
```

7.6.3. 7.0 and 7.1 Online Certificate Status Protocol Manager (OCSP) Migration

7.6.3.1. Case I: Security Databases to Security Databases Migration

Remove all the security databases in the new Certificate System which will receive migrated data.
```
rm /var/lib/instance_ID/alias/cert8.db

rm /var/lib/instance_ID/alias/key3.db
```

Copy the certificate and key security databases from the old server to the new server.

cp old_server_root/alias/cert-old_OCSP_instance-cert8.db 
/var/lib/instance_ID/alias/cert8.db

cp old_server_root/alias/cert-old_OCSP_instance-key3.db 
/var/lib/instance_ID/alias/key3.db

Log into the new server as the Certificate System user, and open the Certificate System alias/ directory.
```
cd /var/lib/instance_ID/alias/
```
Log in as root, and set the file user and group to the Certificate System user and group.
```
su

chown user:group cert8.db

chown user:group key3.db
```
Log out as root. As the Certificate System user, change the permissions on the files.
```
chmod 00600 cert8.db

chmod 00600 key3.db
```

List the certificates in the security databases using the certutil command. In this example, -L lists the certificates.

certutil -L -d . 

Server-Cert cert-old_OCSP_instance cu,cu,cu
caSigningCert cert-old_OCSP_instance CT,c,
ocspSigningCert cert-old_OCSP_instance cu,cu,cu

Open the CS.cfg configuration file.

cd /var/lib/instance_ID/conf/

vi CS.cfg

Edit the ocsp.signing.certnickname attribute to reflect the new subsystem information.
```
ocsp.signing.certnickname=ocspSigningCert cert-old_OCSP_instance
```
NOTE

>The caSigningCert is not referenced in the CS.cfg file.
In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:
```
vi serverCertNick.conf

Server-Cert cert-old_OCSP_instance
```

7.6.3.2. Case II: Security Databases to HSM Migration

Remove all the security databases in the new Certificate System which will receive migrated data.
```
rm /var/lib/instance_ID/alias/cert8.db

rm /var/lib/instance_ID/alias/key3.db
```

Copy the certificate and key security databases from the old server to the new server.

cp old_server_root/alias/cert-old_OCSP_instance-cert8.db 
/var/lib/instance_ID/alias/cert8.db

cp old_server_root/alias/cert-old_OCSP_instance-key3.db 
/var/lib/instance_ID/alias/key3.db

Log into the new server as the Certificate System user, and open the Certificate System alias/ directory.
```
cd /var/lib/instance_ID/alias/
```
Log in as root, and set the file user and group to the Certificate System user and group.
```
su

chown user:group cert8.db

chown user:group key3.db
```
Log out as root. As the Certificate System user, change the permissions on the files.
```
chmod 00600 cert8.db

chmod 00600 key3.db
```

List the certificates stored in the old security databases by using the certutil command. In this example, -L lists the certificates.

certutil -L -d . 

Server-Cert cert-old_OCSP_instance cu,cu,cu
caSigningCert cert-old_OCSP_instance CT,c,
ocspSigningCert cert-old_OCSP_instance cu,cu,cu

pk12util -o ServerCert.p12 -n "Server-Cert cert-old_OCSP_instance" -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL

pk12util -o ocspSigningCert.p12 -n "ocspSigningCert cert-old_OCSP_instance" -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL

NOTE

The old security databases may contain additional public/private key pairs; these can also be extracted using pk12util.

Export the public key using the certutil tool; -L lists the named certificate, -n sets the name of the file and the old prefix, and -a outputs the information to a base-64 file.
```
certutil -L -n "caSigningCert cert-old_OCSP_instance" -d . -a > caSigningCert.b64
```
NOTE

The old security databases may contain additional public keys; these can also be exported using the certutil tool.
Delete the old security databases.
```
rm cert8.db

rm key3.db
```

modutil -nocertdb -dbdir . -add new_HSM_token_name -libfile 
new_HSM_library_path/new_HSM_library

Identify the new HSM slot name.
```
modutil -dbdir . -nocertdb -list
```
Create new security databases.
```
certutil -N -d . 
```

Import the public/private key pairs of each entry from the PKCS #12 files into the new HSM.

pk12util -i ServerCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i ocspSigningCert.p12 -d . -h new_HSM_slot_name

Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

Optionally, delete the PKCS #12 files.

rm ServerCert.p12

rm ocspSigningCert.p12

Set the trust bits on the public/private key pairs that were imported into the new HSM.

certutil -M -n "new_HSM_slot_name:Server-Cert cert-old_OCSP_instance" 
-t "cu,cu,cu" -d . -h new_HSM_token_name

certutil -M -n :new_HSM_slot_name:ocspSigningCert cert-old_OCSP_instance" 
-t "cu,cu,cu" -d . -h new_HSM_token_name

Import the public key from the base-64 file into the new HSM, and set the trust bits.

certutil -A -n "new_HSM_slot_name:caSigningCert cert-old_OCSP_instance"
 -t "CT,c," -d . -h new_HSM_token_name -i caSigningCert.b64

Optionally, delete the base-64 file.
```
rm caSigningCert.b64
```

Open the CS.cfg configuration file.

cd /var/lib/instance_ID/conf/

vi CS.cfg

Edit the ocsp.signing.certnickname attribute to reflect the new subsystem information.
```
ocsp.signing.certnickname=new_HSM_slot_name:ocspSigningCert cert-old_OCSP_instance
```
NOTE

The caSigningCert is not referenced in the CS.cfg file.
In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:
```
vi serverCertNick.conf

new_HSM_slot_name:Server-Cert cert-old_OCSP_instance
```

7.6.3.3. Case III: HSM to Security Databases Migration

Extract the public/private key pairs from the HSM. The format for the extracted key pairs should be portable, such as a PKCS #12 file.

The pk12util tool provided by the Certificate System cannot extract public/private key pairs from an HSM because of requirements in the FIPS 140-1 standard which protect the private key portion of an entry. To extract this information, contact the HSM vendor for more information. The extracted keys should not have any dependencies, such as nickname prefixes, on the HSM.

Copy the extracted public/private key pairs from the old server to the new server.

cp old_server_root/alias/ServerCert.p12 
/var/lib/instance_ID/alias/ServerCert.p12

cp old_server_root/alias/ocspSigningCert.p12 
/var/lib/instance_ID/alias/ocspSigningCert.p12

Extract the public key of the old_HSM_slot_name:caSigningCert cert-old_OCSP_instance from the old security databases and save the base-64 encoded output to a file called caSigningCert.b64.
1. Open the old Certificate System alias/ directory.
```
cd old_server_root/alias
```
2. Set the LD_LIBRARY_PATH environment variable to search the Certificate System libraries.
```
LD_LIBRARY_PATH=old_server_root/bin/cert/lib

export LD_LIBRARY_PATH
```
3. Use the old Certificate System certutil tool to identify the old HSM slot name.
```
old_server_root/bin/cert/tools/certutil -U -d .
```
4. Use the old Certificate System certutil tool to extract the public key from the security databases and save the base-64 output to a file.
```
old_server_root/bin/cert/tools/certutil -L
 -n "old_HSM_slot_name:caSigningCert cert-old_OCSP_instance"
 -d . -h old_HSM_token_name -a > caSigningCert.b64
```
5. Copy the key information from the old server to the new server.
```
cp old_server_root/alias/caSigningCert.b64 
/var/lib/instance_ID/alias/caSigningCert.b64
```
Log into the new server as the Certificate System user, and open the Certificate System alias/ directory.
```
cd /var/lib/instance_ID/alias/
```

su

chown user:group ServerCert.p12

chown user:group ocspSigningCert.p12

chown user:group caSigningCert.b64

Log out as root. As the Certificate System user, change the permissions on the files.

chmod 00600 ServerCert.p12

chmod 00600 ocspSigningCert.p12

chmod 00600 caSigningCert.b64

Import the public/private key pairs of each entry from the PKCS #12 files into the new security databases.

pk12util -i ServerCert.p12 -d .

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

pk12util -i ocspSigningCert.p12 -d . 

Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL

Optionally, delete the PKCS #12 files.

rm ServerCert.p12

rm ocspSigningCert.p12

Set the trust bits on the public/private key pairs that were imported into the new security databases.

certutil -M -n "Server-Cert cert-old_OCSP_instance" 
-t "cu,cu,cu" -d .

certutil -M -n "ocspSigningCert cert-old_OCSP_instance" 
-t "cu,cu,cu" -d .

Import the public key from the base-64 file, and set the trust bits.

certutil -A -n "caSigningCert cert-old_OCSP_instance"
 -t "CT,c," -d . -i caSigningCert.b64

Optionally, delete the base-64 file.
```
rm caSigningCert.b64
```

Open the CS.cfg configuration file.

cd /var/lib/instance_ID/conf/

vi CS.cfg

Edit the ocsp.signing.certnickname attribute to reflect the new subsystem information.
```
ocsp.signing.certnickname=ocspSigningCert cert-old_OCSP_instance
```
NOTE

The caSigningCert is not referenced in the CS.cfg file.
In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:
```
vi serverCertNick.c
```