pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util -i ocspSigningCert.p12 -d . -h new_HSM_slot_name
Enter Password or Pin for "new_HSM_slot_name":********
Enter password for PKCS12 file: ********
pk12util: PKCS12 IMPORT SUCCESSFUL
16.Optionally, delete the PKCS #12 files.
rm ServerCert.p12
rm ocspSigningCert.p12
17.Set the trust bits on the public/private key pairs that were imported into the new HSM.
certutil -M -n "new_HSM_slot_name:Server-Cert cert-old_OCSP_instance" -t
"cu,cu,cu" -d .
-h new_HSM_token_name
certutil -M -n "new_HSM_slot_name:ocspSigningCert cert-old_OCSP_instance" -t
"cu,cu,cu" -d .
-h new_HSM_token_name
18.Import the public key from the base-64 file into the new HSM, and set the trust bits.
certutil -A -n "new_HSM_slot_name:caSigningCert cert-old_OCSP_instance"
-t "CT,c," -d . -h new_HSM_token_name -i caSigningCert.b64
19.Optionally, delete the base-64 file.
rm caSigningCert.b64
20.Open the
CS.cfg
configuration file in the
/var/lib/
instance_ID
/conf/
directory.
21.Edit the
ocsp.signing.certnickname
attribute to reflect the 7.3 OCSP instance.
ocsp.signing.certnickname=new_HSM_slot_name:ocspSigningCert
cert-old_OCSP_instance
NOTE
The
caSigningCert
is not referenced in the
CS.cfg
file.
Chapter 5. Step 4: Migrating Security Databases
42