27.4. Usage

This procedure rewraps the keys stored in one Certificate System 7.1 KRA and stores them in a Certificate System 8.1 KRA. This is not the only use case; the tool can be run on the same instance as both the source and target, to rewrap existing keys, or it can be used simply to copy keys from multiple KRA instances into a single instance without rewrapping the keys at all.
  1. Prepare the new KRA instance and machine.
    1. Install and configure a new Red Hat Certificate System 8.1 KRA instance.

      Important

      Set the storage key size and type to 2048-bit and RSA.
    2. Stop the new KRA.
      [root@newkra ~]# service pki-kra stop
    3. Create a data directory to store the exported key data from the old KRA.
      [root@newkra ~]# mkdir -p /export/pki
    4. Export the public storage certificate for the new KRA to a flat file in the new data directory:
      [root@newkra ~]# certutil -L -d /var/lib/pki-kra/alias/ -n "storageCert cert-pki-kra" -a > /export/pki/newKRA.cert
    5. Stop the Directory Server instance for the new KRA, if it is on the same machine.
      [root@newkra ~]# service dirsrv stop
    6. Export the configuration information for the new KRA.
      [root@newkra ~]# /usr/lib[64]/dirsrv/slapd-instanceName/db2ldif -n newkra.example.com-pki-kra -a /export/pki/newkra.ldif

      Important

      Be sure that the LDIF file contains a single, blank line at the end.
  2. Export and prepare the key data from the old KRA instance.
    1. Create a data directory to store the exported key data.
      [root@oldkra ~]# mkdir -p /export/pki
    2. Export the information from the original KRA instance using a tool like db2ldif. This is done as part of the 7.1 to 8.1 migration steps in the KRA chapter of the Migration Guide.
    3. Copy the LDIF for the exported data into the data directory, and update the data file to change the archiving CA (the sed command operates on the copied file).
      [root@oldkra ~]# cp /path/to/rhcs80-pki-kra.ldif /export/pki
      
      [root@oldkra ~]# sed -i -e "s/^archivedBy: kra_trusted_agent/archivedBy: CA/g" /export/pki/rhcs80-pki-kra.ldif
    4. Stop all of the Certificate System servers on the machine.
    5. Copy the NSS databases to the data directory. For example, for a 7.1 KRA:
      [root@oldkra ~]# cp -p /opt/redhat-cs/alias/cert-instance-kra-cert8.db /export/pki/cert8.db
      
      [root@oldkra ~]# cp -p /opt/redhat-cs/alias/cert-instance-kra-key3.db /export/pki/key3.db
      
      [root@oldkra ~]# cp -p /opt/redhat-cs/alias/secmod.db /export/pki/secmod.db
    6. Copy the KRATool to the machine with the old KRA instance and pull in all its dependencies. For 7.x systems, include the nsutil.jar and cmsutil.jar files (these files are already available in 8.0 systems). For example:
      [root@oldkra ~]# mkdir -p /usr/share/pki/java-tools
      
      [root@oldkra ~]# mkdir -p /usr/share/java/pki
      
      [root@oldkra ~]# cd /usr/share/java/pki
      
      [root@oldkra ~]# sftp root@newkra.example.com
      sftp> cd /usr/share/java/pki
      sftp> get nsutil.jar
      sftp> get cmsutil.jar
      sftp> get cstools.jar
      sftp> lcd /usr/share/pki/java-tools
      sftp> cd /usr/share/pki/java-tools
      sftp> get KRATool.cfg
      sftp> lcd /usr/bin
      sftp> cd /usr/bin
      sftp> get KRATool
      sftp> quit

      Important

      The machine must have Java 1.6.0 installed.
    7. For 7.1 KRAs, create a symlink from the older ldapjdk.jar file to the new 8.x location.
      [root@oldkra ~]# ln -s /opt/redhat-cs/bin/cert/jars/ldapjdk.jar /usr/share/java/ldapjdk.jar
    8. Open the data directory.
      [root@oldkra ~]# cd /export/pki
    9. Copy the file with the public storage key from the new KRA machine to the old KRA machine. For example:
      [root@oldkra ~]# sftp root@newkra.example.com
      sftp> cd /export/pki
      sftp> get newKRA.cert
      sftp> quit
    10. If necessary, edit the default KRATool.cfg file to use with the tool. The default file can also be used without changes.
    11. Run the KRATool; all of these parameters should be on a single line.
      [root@oldkra ~]# KRATool -kratool_config_file "/usr/share/pki/java-tools/KRATool.cfg"
              -source_ldif_file /export/pki/rhcs80-pki-kra.ldif
              -target_ldif_file /export/pki/old2newKRA.ldif
              -log_file /export/pki/kratool.log
              -source_pki_security_database_path /export/pki
              -source_storage_token_name 'Internal Key Storage Token'
              -source_storage_certificate_nickname 'storageCert cert-pki-kra'
              -target_storage_certificate_file /export/pki/newKRA.cert
              -append_id_offset 100000000000
              -source_kra_naming_context "oldkra.example.com-pki-kra"
              -target_kra_naming_context "newkra.example.com-pki-kra"
              -process_requests_and_key_records_only
      The command prompts for the password to the token stored in the original databases.
      When it is done, the command creates the file specified in -target_ldif_file, old2newKRA.ldif.
    12. Copy the LDIF file over to the new KRA machine. For example:
      [root@oldkra ~]# scp /export/pki/old2newKRA.ldif root@newkra.example.com:/export/pki

      Important

      Be sure that the LDIF file contains a single, blank line at the end.
  3. If multiple KRA instances are being merged, then their data can be merged into a single import operation. Perform step 2 for every KRA which will be merged.
    Specify a unique -target_ldif_file value for each run so that separate LDIF files are created, and specify unique -append_id_offset values so that the record IDs do not collide when the LDIF files are concatenated.
  4. On the new KRA machine, import the LDIF file with the old key data.
    1. Open the data directory.
      [root@newkra ~]# cd /export/pki
    2. Concatenate the new KRA configuration LDIF file and every exported LDIF for the old KRA instances. For example:
      [root@newkra ~]# cat newkra.ldif old2newKRA.ldif > combined.ldif
    3. Import the LDIF into the Directory Server database for the Certificate System 8.1 KRA instance.
      [root@newkra ~]# /usr/lib[64]/dirsrv/slapd-instanceName/ldif2db -n newkra.example.com-pki-kra -i /export/pki/combined.ldif
    4. Start the Directory Server instance for the new KRA.
      [root@newkra ~]# service dirsrv start
    5. Start the new KRA.
      [root@newkra ~]# service pki-kra start
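The LDIF handling in steps 1.6, 2.12 and 4.2 depends on every file ending in exactly one blank line, because LDIF separates entries with a blank line: a file missing that terminator fuses its last key record with the first record of the next file when they are concatenated. As an added example that is not part of the Red Hat documentation, these POSIX sh helpers check and repair the terminator and refuse to build combined.ldif from a file that lacks it; the file names and entries are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Certificate System documentation.
# LDIF terminates each entry with one empty line, so the exported
# files must end with exactly one blank line before concatenation.

# Return 0 if the file ends with exactly one blank line, 1 otherwise.
ldif_has_single_trailing_blank() {
    total=$(wc -l < "$1")
    # Line number of the last non-blank line (0 for an empty file).
    last_nonblank=$(awk 'NF { last = NR } END { print last + 0 }' "$1")
    [ $((total - last_nonblank)) -eq 1 ]
}

# Rewrite the file in place so it ends with exactly one blank line:
# drop every trailing blank line, then append a single empty line.
ldif_fix_trailing_blank() {
    tmp="$1.tmp.$$"
    awk '{ lines[NR] = $0 } NF { last = NR }
         END { for (i = 1; i <= last; i++) print lines[i]; print "" }' \
        "$1" > "$tmp" && mv "$tmp" "$1"
}

# Build the combined LDIF (step 4.2): first argument is the output file,
# the rest are the new KRA configuration LDIF and each exported LDIF.
# Refuses any input whose terminator is wrong; prints the entry count.
ldif_merge() {
    out="$1"
    shift
    : > "$out"
    for f in "$@"; do
        if ! ldif_has_single_trailing_blank "$f"; then
            echo "$f: must end with exactly one blank line" >&2
            return 1
        fi
        cat "$f" >> "$out"
    done
    # Every entry starts with a dn: line, so this is the record count.
    grep -c '^dn:' "$out"
}
```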