User manual REDHAT CERTIFICATE SYSTEM 7.0 MIGRATION GUIDE

[. . . ] Red Hat Certificate System Migration Guide: 7. x to 7. 3 7. 0 Matthew Harmsen ISBN: N/A Publication date: March 12, 2008 Red Hat Certificate System This migration guide provides in-depth procedures to migrate subsystems, user information, and certificate and key materials from Netscape Certificate Management System 7. 0 and Red Hat Certificate System 7. 1 and 7. 2 to Red Hat Certificate System 7. 3. Red Hat Certificate System: Migration Guide: 7. x to 7. 3 Author Matthew Harmsen Editor Ella Deon Lackey Copyright © 2008 Red Hat, Inc. <mharmsen@redhat. com> <dlackey@redhat. com> Copyright © 2008 Red Hat. This material may only be distributed subject to the terms and conditions set forth in the Open Publication License, V1. 0 or later with the restrictions noted below (the latest version of the OPL is presently available at http://www. opencontent. org/openpub/). Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder. [. . . ] Option 3: HSM to Security Databases Migration 1. Extract the public/private key pairs from the HSM. The format for the extracted key pairs should be portable, such as a PKCS #12 file. The pk12util tool provided by Certificate System cannot extract public/private key pairs from an HSM because of requirements in the FIPS 140-1 standard which protect the private key. To extract this information, contact the HSM vendor. The extracted keys should not have any dependencies, such as nickname prefixes, on the HSM. Copy the extracted key pairs from the 7. x server to the 7. 3 server. cp old_server_root/alias/ServerCert. p12 /var/lib/instance_ID/alias/ServerCert. p12 cp old_server_root/alias/ocspSigningCert. p12 /var/lib/instance_ID/alias/ocspSigningCert. p12 41 Chapter 5. Step 4: Migrating Security Databases 3. Extract the public key of the CA signing certificate from the 7. x security databases and save the base-64 encoded output to a file called caSigningCert. b64. Open the Certificate Management System 7. x /alias directory. cd old_server_root/alias b. Set the LD_LIBRARY_PATH environment variable to search the Certificate System libraries. LD_LIBRARY_PATH=old_server_root/bin/cert/lib export LD_LIBRARY_PATH c. Use the Certificate Management System 7. x certutil tool to identify the old HSM slot name. old_server_root/bin/cert/tools/certutil -U -d . d. Use the Certificate Management System 7. x certutil tool to extract the public key from the security databases and save the base-64 output to a file. old_server_root/bin/cert/tools/certutil -L -n "old_HSM_slot_name:caSigningCert cert-old_OCSP_instance" -d . -h old_HSM_token_name -a > caSigningCert. b64 e. Copy the key information from the 7. x server to the 7. 3 server. cp old_server_root/alias/caSigningCert. b64 /var/lib/instance_ID/alias/caSigningCert. b64 4. Open the Certificate System /alias directory. cd /var/lib/instance_ID/alias/ 5. Set the file user and group to the Certificate System user and group. # chown user:group ServerCert. p12 # chown user:group ocspSigningCert. p12 42 Migration # chown user:group caSigningCert. b64 7. As the Certificate System user, set the file permissions. chmod 00600 ServerCert. p12 chmod 00600 ocspSigningCert. p12 chmod 00600 caSigningCert. b64 8. Import the public/private key pairs of each entry from the PKCS #12 files into the 7. 3 security databases. pk12util -i ServerCert. p12 -d . Enter Password or Pin for "NSS Certificate DB":******** Enter password for PKCS12 file: ******** pk12util: PKCS12 IMPORT SUCCESSFUL pk12util -i ocspSigningCert. p12 -d . Enter Password or Pin for "NSS Certificate DB":******** Enter password for PKCS12 file: ******** pk12util: PKCS12 IMPORT SUCCESSFUL 9. Optionally, delete the PKCS #12 files. rm ServerCert. p12 rm ocspSigningCert. p12 10. Set the trust bits on the public/private key pairs that were imported into the 7. 3 security databases. certutil -M -n "Server-Cert cert-old_OCSP_instance" -t "cu, cu, cu" -d . [. . . ] Select the newly-imported Certificate System instance, and log into the Console for the instance. Select the System Keys and Certificates option from the menu on the left. Select the Local Certificates tab on the right. Click the Add/Renew button to launch the Certificate Setup Wizard. 77 Chapter 10. [. . . ]