Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE User manual
Red Hat Certificate System Migration
Guide 7.2
Red Hat Certificate System Migration Guide 7.2:
Copyright © 2006 Red Hat, Inc.
Table of Contents
1. Introduction to the Certificate System Migration Utility .......................................................................... 1
1. History of Certificate System Releases ......................................................................................... 1
2. Migration Overview ......................................................................................................................... 3
3. Considerations before Migration ......................................................................................................... 7
4. Step 1: Preparing the Older Server Instance for Migration ....................................................................... 8
5. Step 2: Installing the New Certificate System .......................................................................................10
6. Step 3: Stopping the New Certificate System Servers .............................................................................11
7. Step 4: Migrating Security Databases ..................................................................................................12
1. Certificate Management System 4.1 Certificate Authority (CA) Migration .........................................12
1.1. Case I: Security Databases to Security Databases Migration .................................................12
1.2. Case II: Security Databases to HSM Migration ..................................................................13
1.3. Case III: HSM to Security Databases Migration .................................................................16
1.4. Case IV: HSM to HSM Migration ...................................................................................17
2. Certificate Management System 4.2 ...........................................................................................19
2.1. 4.2 Certificate Authority (CA) Migration ..........................................................................19
2.1.1. Case I: Security Databases to Security Databases Migration .......................................19
2.1.2. Case II: Security Databases to HSM Migration ........................................................21
2.1.3. Case III: HSM to Security Databases Migration .......................................................23
2.1.4. Case IV: HSM to HSM Migration .........................................................................25
2.2. 4.2 Data Recovery Manager (DRM) Migration ..................................................................26
2.2.1. Case I: Security Databases to Security Databases Migration .......................................26
2.2.2. Case II: Security Databases to HSM Migration ........................................................28
2.2.3. Case III: HSM to Security Databases Migration .......................................................31
2.2.4. Case IV: HSM to HSM Migration .........................................................................33
3. Netscape Certificate Management System 4.2 (SP 2) and 4.5 and iPlanet Certificate Management System
4.7 ...........................................................................................................................................36
3.1. 4.2SP2, 4.5, and 4.7 Certificate Authority (CA) Migration ...................................................36
3.1.1. Case I: Security Databases to Security Databases Migration .......................................36
3.1.2. Case II: Security Databases to HSM Migration ........................................................37
3.1.3. Case III: HSM to Security Databases Migration .......................................................40
3.1.4. Case IV: HSM to HSM Migration .........................................................................42
3.2. 4.2SP2, 4.5, and 4.7 Data Recovery Manager (DRM) Migration ............................................44
3.2.1. Case I: Security Databases to Security Databases Migration .......................................44
3.2.2. Case II: Security Databases to HSM Migration ........................................................45
3.2.3. Case III: HSM to Security Databases Migration .......................................................48
3.2.4. Case IV: HSM to HSM Migration .........................................................................51
3.3. 4.2SP2, 4.5, and 4.7 Online Certificate Status Protocol (OCSP) Migration ...............................53
3.3.1. Case I: Security Databases to Security Databases Migration .......................................53
3.3.2. Case II: Security Databases to HSM Migration ........................................................55
3.3.3. Case III: HSM to Security Databases Migration .......................................................57
3.3.4. Case IV: HSM to HSM Migration .........................................................................59
4. Certificate Management System 6.0 ...........................................................................................62
4.1. 6.0 Certificate Authority (CA) Migration ..........................................................................62
4.1.1. Case I: Security Databases to Security Databases Migration .......................................62
4.1.2. Case II: Security Databases to HSM Migration ........................................................63
4.1.3. Case III: HSM to Security Databases Migration .......................................................66
4.1.4. Case IV: HSM to HSM Migration .........................................................................68
4.2. 6.0 Data Recovery Manager (DRM) Migration ..................................................................70
4.2.1. Case I: Security Databases to Security Databases Migration .......................................70
4.2.2. Case II: Security Databases to HSM Migration ........................................................71
4.2.3. Case III: HSM to Security Databases Migration .......................................................74
4.2.4. Case IV: HSM to HSM Migration .........................................................................77
4.3. 6.0 Online Certificate Status Protocol Responder (OCSP) Migration ......................................79
4.3.1. Case I: Security Databases to Security Databases Migration .......................................79
4.3.2. Case II: Security Databases to HSM Migration ........................................................81
4.3.3. Case III: HSM to Security Databases Migration .......................................................83
5. Certificate Management System 6.1 and 6.2 .................................................................................86
5.1. 6.1 and 6.2 Certificate Authority (CA) Migration ...............................................................86
5.1.1. Case I: Security Databases to Security Databases Migration .......................................86
5.1.2. Case II: Security Databases to HSM Migration ........................................................87
5.1.3. Case III: HSM to Security Databases Migration .......................................................90
5.1.4. Case IV: HSM to HSM Migration .........................................................................92
iv
5.2. 6.1 and 6.2 Data Recovery Manager (DRM) Migration ........................................................94
5.2.1. Case I: Security Databases to Security Databases Migration .......................................94
5.2.2. Case II: Security Databases to HSM Migration ........................................................95
5.2.3. Case III: HSM to Security Databases Migration .......................................................98
5.2.4. Case IV: HSM to HSM Migration .......................................................................101
5.3. 6.1 and 6.2 Online Certificate Status Protocol Manager (OCSP) Migration ............................103
5.3.1. Case I: Security Databases to Security Databases Migration .....................................103
5.3.2. Case II: Security Databases to HSM Migration ......................................................105
5.3.3. Case III: HSM to Security Databases Migration .....................................................107
5.3.4. Case IV: HSM to HSM Migration .......................................................................109
6. Certificate Management System 7.0 and Certificate System 7.1 .....................................................112
6.1. 7.0 and 7.1 Certificate Authority (CA) Migration .............................................................112
6.1.1. Case I: Security Databases to Security Databases Migration .....................................112
6.1.2. Case II: Security Databases to HSM Migration ......................................................113
6.1.3. Case III: HSM to Security Databases Migration .....................................................116
6.1.4. Case IV: HSM to HSM Migration .......................................................................118
6.2. 7.0 and 7.1 Data Recover Manager (DRM) Migration .......................................................120
6.2.1. Case I: Security Databases to Security Databases Migration .....................................121
6.2.2. Case II: Security Databases to HSM Migration ......................................................122
6.2.3. Case III: HSM to Security Databases Migration .....................................................125
6.2.4. Case IV: HSM to HSM Migration .......................................................................127
6.3. 7.0 and 7.1 Online Certificate Status Protocol Manager (OCSP) Migration ............................130
6.3.1. Case I: Security Databases to Security Databases Migration .....................................130
6.3.2. Case II: Security Databases to HSM Migration ......................................................131
6.3.3. Case III: HSM to Security Databases Migration .....................................................134
6.3.4. Case IV: HSM to HSM Migration .......................................................................136
6.4. 7.0 and 7.1 Token Key Service (TKS) Migration ..............................................................138
6.4.1. Case I: Security Databases to Security Databases Migration .....................................138
6.4.2. Case II: Security Databases to HSM Migration ......................................................140
6.4.3. Case III: HSM to Security Databases Migration .....................................................143
6.4.4. Case IV: HSM to HSM Migration .......................................................................146
8. Step 5: Migrating Password Cache Data ............................................................................................151
1. Migrating 4.1 Password Cache Data .........................................................................................151
2. Migrating 4.2, 4.2 (SP 2), 4.5, and 4.7 Password Cache Data .........................................................151
3. Migrating 6.0, 6.1, 6.2, 7.0, and 7.1 Password Cache Data ............................................................152
9. Step 6: Migrating Internal Databases ................................................................................................154
1. Migrating Internal Databases for 4.1 .........................................................................................154
2. Migrating Internal Databases for 4.2 .........................................................................................157
3. Migrating Internal Databases for 4.2 (SP 2) ...............................................................................161
4. Migrating Internal Databases for 4.5 .........................................................................................164
5. Migrating Internal Databases for 4.7 .........................................................................................168
6. Migrating Internal Databases for 6.0 .........................................................................................171
7. Migrating Internal Databases for 6.01 .......................................................................................175
8. Migrating Internal Databases for 6.1 .........................................................................................179
9. Migrating Internal Databases for 6.2 .........................................................................................182
10. Migrating Internal Databases for 7.0 .......................................................................................186
11. Migrating Internal Databases for 7.1 .......................................................................................190
10. Step 7: Customizing User Data (Non-Console) .................................................................................195
11. Step 8: Starting All New Certificate System Instances ........................................................................196
12. Step 9: Renewing Certificate System Server Certificates .....................................................................197
1. Renewing a CA SSL Server Certificate by Signing It with the CA Signing Certificate ........................197
2. Renewing a CA SSL Server Certificate by Issuing an SSL Server Certificate Request ........................198
3. Renewing a DRM, OCSP, or TKS SSL Server Certificate ............................................................199
13. Step 10: Customizing User Data (Console) .......................................................................................201
14. Step 11: Verifying Migration .........................................................................................................202
15. Detailed Example of a Certificate System Migration ..........................................................................203
1. CA Migration .......................................................................................................................204
1.1. Step 1: Preparing the Old Certificate System ...................................................................204
1.2. Step 2: Creating a New Certificate System Installation ......................................................205
1.3. Step 3: Stopping All New Certificate System Instances ......................................................205
1.4. Step 4: Migrating Security Databases .............................................................................206
1.5. Step 5: Migrating Password Cache Data .........................................................................208
1.6. Step 6: Migrating Internal Databases ..............................................................................209
1.7. Step 7: Customizing User Data (Non-Console) .................................................................213
1.8. Step 8: Starting All New Certificate System Instances .......................................................213
1.9. Step 9: Generating New Certificate System Server Certificates ........................................... 213
1.10. Step 10: Customizing User Data (Console) ....................................................................214
1.11. Step 11: After Migration ............................................................................................214
Red Hat Certificate System Migration
Guide 7.2
v
2. DRM Migration ....................................................................................................................214
2.1. Step 1: Preparing the Old Server ...................................................................................215
2.2. Step 2: Creating a New Certificate System Installation ......................................................215
2.3. Step 3: Stopping All New Certificate System Instances ......................................................215
2.4. Step 4: Migrating Security Databases .............................................................................215
2.5. Step 5: Migrating Password Cache Data .........................................................................219
2.6. Step 6: Migrating Internal Databases ..............................................................................219
2.7. Step 7: Customizing User Data (Non-Console) .................................................................222
2.8. Step 8: Starting All New Certificate System Instances .......................................................222
2.9. Step 9: Renewing the Certificate System Server Certificates ...............................................222
2.10. Step 10: Customizing User Data (Console) ....................................................................223
2.11. Step 11: Verifying Migration ......................................................................................223
3. OCSP Migration ...................................................................................................................224
3.1. Step 1: Preparing the Old Server ...................................................................................224
3.2. Step 2: Creating a New Certificate System Installation ......................................................224
3.3. Step 3: Stopping All New Certificate System Instances ......................................................224
3.4. Step 4: Migrating Security Databases .............................................................................225
3.5. Step 5: Migrating Password Cache Data .........................................................................227
3.6. Step 6: Migration of Internal Databases ..........................................................................228
3.7. Step 7: Customizing User Data (Non-Console) .................................................................231
3.8. Step 8: Starting All New Certificate System Instances .......................................................231
3.9. Step 9: Renewing the Certificate System Server Certificates ...............................................231
3.10. Step 10: Customizing User Data (Console) ....................................................................232
3.11. Step 11: Verifying Migration ......................................................................................232
Index .............................................................................................................................................234
Red Hat Certificate System Migration
Guide 7.2
vi
Chapter 1. Introduction to the Certificate
System Migration Utility
Previous installations of Red Hat Certificate System, Netscape Certificate Management System (CMS), or iPlanet Certific-
ate Management System (iCMS, also known as SunTMONE Certificate Server) can be migrated to Red Hat Certificate
System version 7.2 or later using the Red Hat Certificate System migration utility.
This manual covers how to migrate legacy Certificate Systems to Red Hat Certificate System version 7.2. The first sec-
tions provide an overview of migration and of the Red Hat Certificate System migration utility, as well as some considera-
tions to review before beginning migration. The next sections cover the steps of migration for all supported legacy ver-
sions, including an example migration from Netscape Certificate Management System 6.1 (SP 4) on Solaris 8 to Red Hat
Certificate System 7.2 on Red Hat Enterprise Linux (RHEL) 4.
NOTE
Throughout this manual, all system instances are referred to as Certificate System, unless the specific version or
product name is required.
1. History of Certificate System Releases
This table summarizes all Red Hat Certificate System and Netscape and iPlanet Certificate Management System releases
through Red Hat Certificate System 7.2:
Release Date Product Name Service Packs
January 24, 1997 Netscape Certificate Server 1.0 1.01, 1.02, 1.03, and 1.0 (SP 1)
June 24, 1999 Netscape Certificate Management Sys-
tem 4.1 4.1 (SP 1)
August 2, 2000 Netscape Certificate Management Sys-
tem 4.2 4.2 (SP 1) and 4.2 (SP 1a)
March 29, 2001 Netscape Certificate Management Sys-
tem 4.2 4.2 (SP 2)
October 10, 2001 Netscape Certificate Management Sys-
tem 4.5
March 28, 2002 Netscape Certificate Management Sys-
tem 6.0 6.01
June 3, 2002 iPlanet Certificate Management Sys-
tem 4.7 4.7 (SP 1)
March 12, 2003 Netscape Certificate Management Sys-
tem 6.1 6.1 (SP 1), 6.1 (SP 2), 6.1 (SP 3), 6.1
(SP 3.1), and 6.1 (SP 4)
June 17, 2003 Netscape Certificate Management Sys-
tem 6.2 6.2 (SP 1)
November 30, 2004 Netscape Certificate Management Sys-
tem 7.0
May 27, 2005 Red Hat Certificate System 7.1
1 Chapter 1. Introduction to the Certificate
Release Date Product Name Service Packs
November 6, 2006 Red Hat Certificate System 7.2
Table 1.1. Summary of Certificate System Releases
Every version of Certificate System has the ability to extract data from the installation of a previous version and migrate
this data to the newer version. The capability of the migration tool varies from version to version. The following points
should be considered when planning migration between versions:
• Product downgrade, extracting information from a newer version to import into an older version, is not supported by
the migration utility in any version of the Certificate System.
• Red Hat Certificate System 7.2 does not support in-place upgrades. Therefore, for versions 6.0 and later, the migration
tool is the only way to migrate data from a previous installation to a newer one. This is true even when the installations
are on the same machine, running the same platform. For example, a Certificate Management System 6.2 installation
on a machine named delta.example.com running Red Hat Enterprise Linux AS has to be migrated to a new Red
Hat Certificate System 7.2 installation, even if the 7.2 installation is on the same machine named
delta.example.com running Red Hat Enterprise Linux AS. This is accomplished simply by supplying a different
installation directory for each instance.
1. History of Certificate System
Releases
2 Chapter 1. Introduction to the Certificate
Chapter 2. Migration Overview
The migration process is staged to migrate the different subsets of Certificate System information separately. The general
process is as follows:
1. Install the new Certificate System instances.
2. Migrate the old Certificate System security databases, which contains the key and certificate materials for the server,
to the new Certificate System instances.
3. Migrate the password database information for the old Certificate System to the new Certificate System password
file.
4. Migrate the old Certificate System internal databases, which contain user and group entries, to the new Certificate
System.
5. Migrate customized server configuration data from the old server to the new Certificate System.
6. Renew all migrated certificates.
The Certificate System migration utility contains several separate platform-independent tools, but only two are required
for migrating a Certificate System installation: one program to convert all of the data in an LDIF that was exported from
the older installation into a normalized LDIF text file, and another program to convert the normalized LDIF text file into
an LDIF data file that can be imported into the newer Certificate System.
Certificate System migration export utilities are files named versionToTxt:41ToTxt,42ToTxt,42SP2ToTxt,
45ToTxt,47ToTxt,60ToTxt,61ToTxt,62ToTxt,70ToTxt,71ToTxt, and 72ToTxt. Each export tool con-
tains the following files.
• Two precompiled Java classes
• An tool shell script
• An tool batch script
• The Java source file that produced the precompiled Java classes
• A sample shell script that can compile the source file
• A sample batch script that can compile the source file
The export file to use is determined by the older version of the Certificate System being migrated.
Each compilation batch and shell script is dependent on a specific version of the Java software development kit as defined
in the comments.
Certificate System migration import utilities are files named TxtToversion:TxtTo60,TxtTo61,TxtTo62,
TxtTo70,TxtTo71, and TxtTo72. Each import tool contains the following files.
• Three precompiled Java classes
• An tool shell script
• An tool batch script
• The Java source file that produced the precompiled Java classes
• A sample shell script that can compile the source file
• A sample batch script that can compile the source file
Each compilation batch and shell script is dependent upon a specific version of the Java software development kit as
defined in the comments.
NOTE
3 Chapter 2. Migration Overview
The scripts to use for migration to Certificate System version 7.2 are in the TxtTo72 directory.
The following table defines the migration export programs and corresponding import programs. An X indicates compatib-
ility between the export and import programs.
Migration Import Package
Migration
Export
Package
TxtTo60 TxtTo61 TxtTo62 TxtTo70 TxtTo71
41ToTxt X X X X X
42ToTxt X X X X X
42SP2ToTxt X X X X X
45ToTxt X X X X X
47ToTxt X X X X X
60ToTxt X X X X X
61ToTxt - X X X X
62ToTxt - - X X X
70ToTxt - - - X X
71ToTxt - - - - X
72ToTxt - - - - -
Table 2.1. Migration Import and Export Utility Compatibility Matrix
With the exception of Certificate Management System 4.2 (SP 2) which was itself a major version, the major version num-
ber of the migration export/import package is applied to all service packs for that version. (This also applies to installations
which contain hot-fixes, individual bug fixes made after a service pack is released.) For example, the 42ToTxt export
package should be used for Certificate Management Systems 4.2, 4.2 (SP 1), and 4.2 (SP 1a), regardless of whether any of
these versions contained individual hot-fixes. For Certificate Management System 6.01, the 60ToTxt program should be
used to export data.
Certificate System installations may exist on different platforms. Additionally, each Certificate System installation may
contain more than one type of subsystem or more than one instance of a type of subsystem. The following subsystems may
be present in a Certificate System installation:
• Certificate Authority (CA)
• Data Recovery Manager (DRM)
• Online Certificate Status Protocol (OCSP) Manager
• Registration Authority (RA)
• Token Key Service (TKS)
4 Chapter 2. Migration Overview
• Token Processing System (TPS)
The following table defines the platforms and subsystems supported by different versions of Certificate System:
Product (including service packs
and hot-fixes) Subsystems Platforms
Netscape Certificate Server 1.0 CA Digital UNIX 3.2C/4.0B, HP-UX
10.10, IBM AIX 4.1.4/4.2, IRIX
5.3/6.2, Solaris 2.4/2.5.1, Windows
NT 3.51/4.0 [Intel], Windows NT 4.0
[Alpha]
Netscape Certificate Management Sys-
tem 4.1 CA, RA Solaris 2.5.1/2.6, Windows NT 4.0
(SP 4)[with NTFS]
Netscape Certificate Management Sys-
tem 4.2 CA, DRM, RA HP-UX B.11.00, IBM AIX 4.3.2,
OSF/1 4.0D, Solaris 2.6/2.7/8, Win-
dows NT 4.0 (SP 4/5/6), Windows
2000
Netscape Certificate Management Sys-
tem 4.2 (SP 2) CA, DRM, OCSP, RA Compaq Tru64 4.0D, HP-UX B.11.00,
IBM AIX 4.3.3, Solaris 2.6/2.7/8,
Windows NT 4.0 (SP 5/6)
Netscape Certificate Management Sys-
tem 4.5 CA, DRM, OCSP, RA Solaris 2.6/8, Windows NT 4.0 (SP
6a), Windows 2000 (SP 2)
iPlanet Certificate Management Sys-
tem 4.7 CA, DRM, OCSP, RA Solaris 8, Windows NT 4.0 (SP 6a),
Windows 2000
Netscape Certificate Management Sys-
tem 6.0 CA, DRM, OCSP, RA Solaris 8, Windows 2000 (SP 2)
Netscape Certificate Management Sys-
tem 6.01 aCA, DRM, OCSP, RA Red Hat Linux 7.2, Red Hat Linux
Advanced Server 2.1, Solaris 8
Netscape Certificate Management Sys-
tem 6.1 CA, DRM, OCSP, RA Solaris 8
Netscape Certificate Management Sys-
tem 6.2 CA, DRM, OCSP, RA Red Hat Linux Advanced Server 2.1,
Solaris 8
Netscape Certificate Management Sys-
tem 7.0 CA, DRM, OCSP, TKS, TPS Red Hat Linux Advanced Server 2.1,
Solaris 8
Red Hat Certificate System 7.1 CA, DRM, OCSP, TKS, TPS Red Hat Enterprise Linux 3 (AS/ES),
Red Hat Enterprise Linux 4 (AS/ES),
Solaris 9 [32-bit/64-bit]
Red Hat Certificate System 7.2 CA, DRM, OCSP, TKS, TPS Red Hat Enterprise Linux AS/ES 4
(i386), Red Hat Enterprise Linux AS/
ES 4 (for AMD64 and Intel EM64T),
Solaris 9 (64-bit)
Table 2.2. Certificate System Subsystem Types and Platforms
aAlthough Certificate Management System 6.01 was considered a service pack of version 6.0, Certificate Management System 6.01 is listed separately in
5 Chapter 2. Migration Overview
this table because it is supported on different platforms.
6 Chapter 2. Migration Overview
Chapter 3. Considerations before
Migration
Before migrating any subsystem from any platform, consider the following:
• Since all migrations are unique to a deployment, it is strongly recommended that the entire migration process be
planned in advance.
• Not all steps in the migration processes apply to every deployment. Follow only the steps which apply to the deploy-
ment being migrated.
• Perform all steps in the migration procedure for every instance of each subsystem being migrated. Always follow the
steps for migration in the order which they are presented in the manual, even if not every step needs to be performed.
• Perform each subsystem migration as a separate migration. Wait until one subsystem migration is complete before
starting the migration of the next subsystem.
• On Linux and UNIX systems, make sure that the file owner (user and group) and the file permissions are correct when
the file is copied between two instances. Also make sure that the target machine allows the file transfer.
• While the migration procedure refers to extracting data from a hardware security module (HSM), no Certificate System
tool can extract public/private key pairs from an HSM because of Federal Information Processing Standard (FIPS)
140-1, which protects the private key portion of an entry. Contact the HSM vendor for information on how to extract
data from an old HSM. Extracted keys should not have any dependencies, such as nickname prefixes, upon the old
HSM.
• It is possible to change the names of migrated Certificate System subsystem instances, but greater care must be taken
when extracting and renaming certain portions of the data. Because port numbers are stored in the server.xml file,
which is unaffected by subsystem migration, port numbers can be changed between instances without difficulty.
• All examples assume that the new passwords are the same as the old passwords.
• The chmod command used in the examples have the permissions 00600 (octal, no sticky bit permissions, user read/
write permissions, no group permissions, no other permissions). These are the recommended permissions, but are not
required.
The following considerations apply to a specific subsystem or a specific version of Certificate System:
• It is not possible to migrate TPS data from Netscape Certificate Management System 7.0 to Red Hat Certificate System
version 7.1 or later.
• The default key-splitting scheme used by the DRM subsystem in Certificate System 7.1 and later is not the scheme re-
quired by the DRM subsystem key recovery feature in previous versions. Currently, there is no way to migrate from
the old key-splitting scheme to the new scheme. Therefore, DRM instances in Certificate System versions older than
7.1 cannot be successfully migrated to versions 7.1 or later.
• In Certificate Management System 7.0, the RA subsystem was deprecated and replaced by the TPS subsystem, so it is
not possible to migrate RA subsystems into Certificate System versions 7.0 or later. All RA request queues should be
processed by the older-version servers into their existing CAs before beginning any CA migrations.
• Certificate Management System 4.2 contained a third-party OCSP responder called ValiCert Certificate Validation Au-
thority (VATM). It is not possible to migrate data in this component.
• Certificate Management System versions 4.1 and 4.2 contained platform-dependent migration utilities to extract Certi-
ficate Server 1.0 data from AIX, HP-UX, Solaris, and Windows NT [Intel] platforms. No migration utilities are avail-
able to migrate data from Digital UNIX, IRIX, or Windows NT [alpha] platforms.
7 Chapter 3. Considerations before
Chapter 4. Step 1: Preparing the Older
Server Instance for Migration
Before migrating a Certificate System instance, back up the Certificate System instance. When the backup process is com-
plete, then make sure that the old Certificate System, Directory Server, and Administration Server instances have been
stopped.
For commercial backup programs, do the following:
1. Stop all server instances running in the Certificate System, including all Certificate System subsystems; the Directory
Server, including all internal databases; and the Administration Server instances on the local machine.
2. Run the commercial backup facility to back up all data associated with the old Certificate System installation.
For the Certificate System backup facilities, do the following:
NOTE
Back up utilities are not included on Certificate System versions 7.2 and later, but are available on previous ver-
sions of Certificate System.
1. Run the Certificate System backup facility to back up all data associated with this old installation based upon the ver-
sion information below.
• Certificate Management System 4.1, 4.2, 4.2 (SP 2), or 4.5
For instructions to back up a Certificate Management System 4.1, 4.2, 4.2 (SP 2), or 4.5 instance, see the Certific-
ate Management System 4.x Certificate Management System Command-Line Tools Guide. This information is
located in the server_root/manual/en/cert/tools/backup.htm file.
• iPlanet Certificate Management System 4.7
For instructions to back up an iPlanet Certificate Management System 4.7 instance, refer to the documentation
provided with the product.
• Netscape Certificate Management System 6.0, 6.1, 6.2, or 7.0 and Red Hat Certificate System 7.1
For instructions to back up a versions 6.0, 6.1, 6.2, 7.0, or 7.1, see chapter 8, "Backing Up and Restoring Data," in
the Certificate Management System 6.x Certificate Management System Command-Line Tools Guide.
2. Stop all server instances running in the Certificate System, including all Certificate System subsystems; the Directory
Server, including all internal databases; and the Administration Server instances on the local machine.
Additionally, RA subsystems in older versions of Certificate System cannot be migrated to Certificate System 7.2. No up-
grade path exists for the Registration Authority (RA) subsystem because this subsystem is no longer supported. To pre-
serve the data in the RA subsystem, flush all data in RA request queues by processing it on the CA subsystem. Then stop
the RA subsystem and database so that no further data can be gathered by it.
1. Stop the RA instance.
cd /usr/netscape/servers/cert-ra
./stop-cert
2. Stop the corresponding RA internal database instance.
cd /usr/netscape/servers/slapd-ra-db
./stop-slapd
8 Chapter 4. Step 1: Preparing the Older
9 Chapter 4. Step 1: Preparing the Older
Chapter 5. Step 2: Installing the New
Certificate System
1. Install a new Certificate System 7.2 instance. All subsystem instances are installed separately; make sure that every
subsystem type which will be migrated has a corresponding new subsystem instance.
a. Obtain the appropriate packages. This can be done through the up2date command or through downloading the
ISO image from the Red Hat Certificate System 7.2 Red Hat Network channel.
b. If installing from an ISO image, run the installation utility to install the packages. This is done automatically
when using up2date.
rhpki-install -pki_subsystem=subsystem_type -pki_package_path=
/path/to/ISO image -force
2. Configure the new Certificate System instance. It is possible to change the names of migrated Certificate System sub-
system instances, but greater care must be taken when extracting and renaming certain portions of the data. Because
port numbers are stored in the server.xml file, which is unaffected by subsystem migration, port numbers can be
changed between instances without difficulty.
Go through the HTML configuration wizard for each subsystem. When the installation process is completed, the serv-
er returns a URL pointing to the configuration wizard. For example:
http://server.example.com:9080/ca/admin/console/config/login?
pin=Yc6EuvuY2OeezKeX7REk
The configuration wizard will fully configure the new subsystem instance and will generate all required certificates.
Make sure to have all necessary information when going through this wizard. All subsystems require information to
an external Red Hat Directory Server, including bind information. DRM, OCSP, TKS, and subordinate CAs require
information for the CA which will generate their subsystem certificates.
For more information on the panels in the configuration wizard, see chapter 2, "Installation and Configuration," in the
Certificate System Administration Guide.
10 Chapter 5. Step 2: Installing the New
Chapter 6. Step 3: Stopping the New
Certificate System Servers
Before beginning migration, stop all new Certificate System instances.
/etc/init.d/instance_ID stop
Stop the Directory Server.
cd /opt/redhat-ds/slapd-DS-instance
./stop-slapd
11 Chapter 6. Step 3: Stopping the New
Chapter 7. Step 4: Migrating Security
Databases
For every Certificate System subsystem instance migration, the data from the old Certificate System's certificate
(cert7.db or cert8.db) and key (key3.db) security databases must be extracted and copied into the new Certificate
System's alias/ directory. Follow the migration procedure corresponding to the Certificate System being migrated.
• Section 1, “Certificate Management System 4.1 Certificate Authority (CA) Migration”
• Section 2, “Certificate Management System 4.2”
• Section 3, “Netscape Certificate Management System 4.2 (SP 2) and 4.5 and iPlanet Certificate Management System
4.7”
• Section 4, “Certificate Management System 6.0”
• Section 5, “Certificate Management System 6.1 and 6.2”
• Section 6, “Certificate Management System 7.0 and Certificate System 7.1”
1. Certificate Management System 4.1 Certificate
Authority (CA) Migration
Determine if the Certificate Management System 4.1 Certificate Authority (CA) being migrated uses security databases,
HSM, or both. There are four possible migration scenarios; follow the appropriate process for the deployment scenario be-
ing migrated.
• Section 1.1, “Case I: Security Databases to Security Databases Migration”
• Section 1.2, “Case II: Security Databases to HSM Migration”
• Section 1.3, “Case III: HSM to Security Databases Migration”
• Section 1.4, “Case IV: HSM to HSM Migration”
1.1. Case I: Security Databases to Security Databases Mi-
gration
1. Remove all the security databases in the new Certificate System which will receive migrated data.
rm /var/lib/instance_ID/alias/cert8.db
rm /var/lib/instance_ID/alias/key3.db
2. Copy the certificate and key security databases from the old server to the new server.
cp old_server_root/cert-old_CA_instance/config/cert-old_CA_instance-cert7.db
/var/lib/instance_ID/alias/cert7.db
cp old_server_root/cert-old_CA_instance/config/cert-old_CA_instance-key3.db
/var/lib/instance_ID/alias/key3.db
3. As the Certificate System user account, open the new Certificate System alias/ directory.
cd /var/lib/instance_ID/alias/
12 Chapter 7. Step 4: Migrating Security
4. Log in as root, and set the file user and group to the Certificate System user and group.
su
chown user:group cert7.db
chown user:group key3.db
5. Log out as root. As the Certificate System user, set the permissions on the security database files.
chmod 00600 cert7.db
chmod 00600 key3.db
6. Use the certutil tool to list all of the old Certificate System certificates. In this example, -L lists the certificates,
and -X forces them to be read/write.
certutil -L -X -d .
Server-Cert cert-old_CA_instance cu,cu,cu
caSigningCert cert-old_CA_instance cu,cu,cu
NOTE
The certificate database is automatically converted from cert7.db to cert8.db.
7. Remove the cert7.db file from the alias/ directory.
rm cert7.db
8. Open the CS.cfg configuration file in the CA instance directory.
cd /var/lib/instance_ID/conf
vi CS.cfg
9. Modify the values for the ca.signing.cacertnickname and ca.ocsp_signing.cacertnickname at-
tributes to reflect the new CA instance.
ca.signing.cacertnickname=
caSigningCert cert-old_CA_instance
ca.ocsp_signing.cacertnickname=
caSigningCert cert-old_CA_instance
10. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example:
vi serverCertNick.conf
Server-Cert cert-old_CA_instance
1.2. Case II: Security Databases to HSM Migration
1. Remove all the security databases in the new Certificate System which will receive migrated data.
rm /var/lib/instance_ID/alias/cert8.db
1.2. Case II: Security Databases to
HSM Migration
13 Chapter 7. Step 4: Migrating Security
rm /var/lib/instance_ID/alias/key3.db
2. Copy the certificate and key security databases from the old server to the new server.
cp old_server_root/cert-old_CA_instance/config/cert-old_CA_instance-cert7.db
/var/lib/instance_ID/alias/cert7.db
cp old_server_root/cert-old_CA_instance/config/cert-old_CA_instance-key3.db
/var/lib/instance_ID/alias/key3.db
3. As the Certificate System user account, open the new Certificate System's alias/ directory.
cd /var/lib/instance_ID/alias/
4. Log in as root, and set the file user and group to the user and group as whom the Certificate System runs.
su
chown user:group cert7.db
chown user:group key3.db
5. Log out as root. As the Certificate System user, set the permissions on the security database files.
chmod 00600 cert7.db
chmod 00600 key3.db
6. Use the certutil tool to list all of the old Certificate Management System certificates. In this example, -L lists the
certificates, and -X forces them to be read/write.
certutil -L -X -d .
Server-Cert cert-old_CA_instance cu,cu,cu
caSigningCert cert-old_CA_instance cu,cu,cu
NOTE
The certificate database is automatically converted from cert7.db to cert8.db.
7. Export the public/private key pairs of each entry in the Certificate System databases using the pk12util tool; -o
exports the key pairs to a PKCS #12 file, and -n sets the name of the certificate and the old database prefix.
pk12util -o ServerCert.p12 -n "Server-Cert cert-old_CA_instance" -d .
Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL
pk12util -o caSigningCert.p12 -n "caSigningCert cert-old_CA_instance" -d .
Enter Password or Pin for "NSS Certificate DB":********
Enter password for PKCS12 file: ********
Re-enter password: ********
pk12util: PKCS12 EXPORT SUCCESSFUL
1.2. Case II: Security Databases to
HSM Migration
14 Chapter 7. Step 4: Migrating Security
Other manuals for CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE
2
Table of contents
Other Red Hat Software manuals
Red Hat
Red Hat NETWORK SATELLITE 5.2 - CHANNEL MANAGEMENT User manual
Red Hat
Red Hat ENTERPRISE LINUX 5 - VIRTUAL SERVER... User manual
Red Hat
Red Hat ENTERPRISE LINUX 5 - VIRTUAL SERVER... User manual
Red Hat
Red Hat ENTERPRISE LINUX 3 - STEP BY STEP GUIDE User manual
Red Hat
Red Hat ENTERPRISE LINUX 4 - DEVELOPER TOOLS GUIDE User manual
Red Hat
Red Hat NETWORK SATELLITE 5.1.1 - RELEASE NOTES Instruction Manual
Red Hat
Red Hat APPLICATION STACK 2.2 RELEASE Instruction Manual
Red Hat
Red Hat ENTERPRISE LINUX 5 - VIRTUAL SERVER... User manual
Red Hat
Red Hat NETWORK - USER 1.3 Product information sheet
Red Hat
Red Hat APPLICATION SERVER - JONAS Operation instructions
Red Hat
Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Instruction Manual
Red Hat
Red Hat ENTERPRISE LINUX 4 - DEVELOPER TOOLS GUIDE User manual
Red Hat
Red Hat CERTIFICATE 8.0 RELEASE NOTES Instruction Manual
Red Hat
Red Hat NETWORK 2.9 - MANAGEMENT User manual
Red Hat
Red Hat NETWORK 2.6 - BASIC Product information sheet
Red Hat
Red Hat ENTERPRISE LINUX 5.5 - TECHNICAL NOTES User manual
Red Hat
Red Hat ENTERPRISE 5.4 RELEASE NOTES User manual
Red Hat
Red Hat NETWORK 3.2 - PROVISIONING User manual
Red Hat
Red Hat ENTERPRISE LINUX 5 - VIRTUAL SERVER... Quick guide
Red Hat
Red Hat JBoss Developer Studio 3.0 User manual
Popular Software manuals by other brands
ACRONIS
ACRONIS BACKUP RECOVERY 10 ADVANCED WORKSTATION - COMMAND... Cli reference guide
Autodesk
Autodesk AUTOCAD PLANT 3D 2011 - SYSTEM REQUIREMENTS manual
Brother
Brother DCP-375CW Gu
Nortel
Nortel 2070 troubleshooting guide
Native Instruments
Native Instruments Retro Machines MK2 manual
Motorola
Motorola MOTONAV user guide
