User manual REDHAT CERTIFICATE SYSTEM 6.0 MIGRATION GUIDE

[. . . ] Red Hat Certificate System Migration Guide: 6. x to 7. 3 6. 0 Matthew Harmsen ISBN: N/A Publication date: March 12, 2008 Red Hat Certificate System This migration guide provides in-depth procedures to migrate subsystems, user information, and certificate and key materials from Netscape Certificate Management System 6. 0, 6. 1, and 6. 2 to Red Hat Certificate System 7. 3. Red Hat Certificate System: Migration Guide: 6. x to 7. 3 Author Matthew Harmsen Editor Ella Deon Lackey Copyright © 2008 Red Hat, Inc. <mharmsen@redhat. com> <dlackey@redhat. com> Copyright © 2008 Red Hat. This material may only be distributed subject to the terms and conditions set forth in the Open Publication License, V1. 0 or later with the restrictions noted below (the latest version of the OPL is presently available at http://www. opencontent. org/openpub/). Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder. [. . . ] Extract the public/private key pairs from the HSM. The format for the extracted key pairs should be portable, such as a PKCS #12 file. The pk12util tool provided by Certificate System cannot extract public/private key pairs from an HSM because of requirements in the FIPS 140-1 standard which protect the private key. To extract this information, contact the HSM vendor. The extracted keys should not have any dependencies, such as nickname prefixes, on the HSM. Copy the extracted key pairs from the 6. x server to the 7. 3 server. cp old_server_root/alias/ServerCert. p12 /var/lib/instance_ID/alias/ServerCert. p12 cp old_server_root/alias/kraStorageCert. p12 /var/lib/instance_ID/alias/kraStorageCert. p12 cp old_server_root/alias/kraTransportCert. p12 /var/lib/instance_ID/alias/kraTransportCert. p12 33 Chapter 5. Step 4: Migrating Security Databases 3. Extract the public key of the CA signing certificate from the old security databases and save the base-64 encoded output to a file called caSigningCert. b64. Open the Certificate Management System 6. x /alias directory. cd old_server_root/alias b. Set the LD_LIBRARY_PATH environment variable to search the Certificate System libraries. LD_LIBRARY_PATH=old_server_root/bin/cert/lib export LD_LIBRARY_PATH c. Use the Certificate Management System 6. x certutil tool to identify the old HSM slot name. old_server_root/bin/cert/tools/certutil -U -d . d. Use the Certificate Management System 6. x certutil tool to extract the public key from the security databases and save the base-64 output to a file. old_server_root/bin/cert/tools/certutil -L -n "old_HSM_slot_name:caSigningCert cert-old_DRM_instance" -d . -h old_HSM_token_name -a > caSigningCert. b64 e. Copy the key information from the 6. x server to the 7. 3 server. cp old_server_root/alias/caSigningCert. b64 /var/lib/instance_ID/alias/caSigningCert. b64 4. Open the Certificate System /alias directory. cd /var/lib/instance_ID/alias/ 5. Set the file user and group to the Certificate System user and group. # chown user:group ServerCert. p12 # chown user:group kraStorageCert. p12 # chown user:group kraTransportCert. p12 34 Option 4: HSM to HSM Migration # chown user:group caSigningCert. b64 7. Log out as root, and log back into the system as the Certificate System user. Set the file permissions. chmod 00600 ServerCert. p12 chmod 00600 kraStorageCert. p12 chmod 00600 kraTransportCert. p12 chmod 00600 caSigningCert. b64 9. Register the new HSM in the 7. 3 token database. modutil -nocertdb -dbdir . -add new_HSM_token_name -libfile new_HSM_library_path/new_HSM_library 10. Identify the new HSM slot name. modutil -dbdir . -nocertdb -list 11. Import the public/private key pairs of each entry from the PKCS #12 files into the new HSM. pk12util -i ServerCert. p12 -d . -h new_HSM_slot_name Enter Password or Pin for "new_HSM_slot_name":******** Enter password for PKCS12 file: ******** pk12util: PKCS12 IMPORT SUCCESSFUL pk12util -i kraStorageCert. p12 -d . [. . . ] Select the newly-imported Certificate System instance, and log into the Console for the instance. Select the System Keys and Certificates option from the menu on the left. Select the Local Certificates tab on the right. Click the Add/Renew button to launch the Certificate Setup Wizard. 65 Chapter 10. [. . . ]