Chapter 19. Migrating an OpenSSL CA to Certificate System
Red Hat Certificate System provides a mechanism to migrate an existing OpenSSL Certificate Authority (CA) to a new Certificate System CA that uses the existing CA signing key.
Note
The migration of Certificate System 8 to 9 is a special implementation of this procedure and is described in Chapter 18, Migrating From Certificate System 8 to 9.
Depending on your environment, see:
19.1. Migrating an OpenSSL CA to Certificate System When Not Using an HSM
- Create a file with a password that will be used in the next step. For example:
# echo password > ~/password.txt
- Import the OpenSSL CA certificate and key into a PKCS #12 file using the openssl pkcs12 command. Use the following options:
  - -export instructs the openssl command to export the data.
  - -in path_to_ca_certificate sets the path to the OpenSSL CA certificate.
  - -inkey path_to_CA_signing_key sets the path to the OpenSSL CA signing key.
  - -out path_to_PKCS_#12_file sets the path to the PKCS #12 file in which the output is stored.
  - -name "friendly_name" sets the friendly name of the certificate and key.
  - -passout file:path_to_password_file sets the path to the text file that contains the password used to encrypt the PKCS #12 file.
  For example, to export the OpenSSL CA certificate and key into the ~/ca.p12 file:
  # openssl pkcs12 -export -in ~/ca.crt -inkey ~/ca.key -out ~/ca.p12 \
      -name "CA Certificate" -passout file:~/password.txt
- Initialize a password-protected Network Security Services (NSS) database for the Public Key Infrastructure (PKI) command-line interface. For example:
  # pki -c password client-init
- Set the CTu,Cu,Cu trust flags for the CA certificate with the CA Certificate nickname stored in the ~/ca.p12 file, using the password in the ~/password.txt file:
  # pki pkcs12-cert-mod --pkcs12-file ~/ca.p12 "CA Certificate" \
      --pkcs12-password-file ~/password.txt --trust-flags "CTu,Cu,Cu"
  Important
  Enter the trust flags without spaces.
- Display the CA certificate stored in the ~/ca.p12 file:
  # pki pkcs12-cert-find --pkcs12-file ~/ca.p12 \
      --pkcs12-password-file ~/password.txt
  ---------------
  1 entries found
  ---------------
    Certificate ID: 9311084d08b37d12e856b904b7e52eb3b1cece4a
    Serial Number: 0xe3f2b350edcd875c
    Nickname: CA Certificate
    Subject DN: O=Example,CN=CA Certificate
    Issuer DN: O=Example,CN=CA Certificate
    Trust Flags: CTu,Cu,Cu
    Has Key: true
- Display the CA signing key stored in the ~/ca.p12 file:
  # pki pkcs12-key-find --pkcs12-file ~/ca.p12 \
      --pkcs12-password-file ~/password.txt
  ---------------
  1 entries found
  ---------------
    Key ID: 9311084d08b37d12e856b904b7e52eb3b1cece4a
    Subject DN: CA Certificate
    Algorithm: RSA
- Copy the following files to the new Certificate System host:
- OpenSSL CA Signing Certificate Request (CSR)
- OpenSSL CA certificate chain (if available)
- PKCS #12 file that contains the OpenSSL CA signing certificate and key
- Password file used to protect the PKCS #12 file
  For example, to copy the files using secure copy:
  # scp ~/ca.csr ~/certificate_chain.p7b ~/ca.p12 ~/password.txt new_server:~/
- Set up the CA on the new host. For details, see Section 18.2, “Setting up the CA on the New Host”.
After the migration, you can deactivate the OpenSSL CA or run it in read-only mode, where it only responds to Online Certificate Status Protocol (OCSP) requests.
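The following script is an added example and is not part of the Red Hat documentation: it builds a throwaway test CA in a temporary directory (a constructed stand-in for the real ~/ca.crt and ~/ca.key), exports it to PKCS #12 with a password file exactly as the procedure does, and then checks what a practitioner wants to know before copying the file to the new host: that the password file is owner-only, that the certificate and key inside the PKCS #12 file belong together, and that the friendly name that becomes the NSS nickname is the expected one. It assumes a POSIX shell and the openssl command line tool; all paths and names are constructed.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): build a throwaway test CA,
# export it to PKCS #12 with a password file as in the procedure above, then
# verify the export before copying it to the new host. Paths are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for the real OpenSSL CA (~/ca.crt and ~/ca.key).
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/O=Example/CN=CA Certificate" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Write the PKCS #12 password file readable by its owner only (mode 600).
make_password_file() {
  (umask 077; printf '%s\n' "$1" > "$WORK/password.txt")
}

# Permission string of the password file, e.g. "-rw-------".
password_file_mode() {
  ls -l "$WORK/password.txt" | cut -c1-10
}

# Step 2 of the procedure: export certificate and key into ca.p12.
export_p12() {
  openssl pkcs12 -export -in "$WORK/ca.crt" -inkey "$WORK/ca.key" \
    -out "$WORK/ca.p12" -name "CA Certificate" \
    -passout "file:$WORK/password.txt"
}

# Check that the certificate and key inside ca.p12 belong together by
# comparing the public key derived from each. Prints "match" or "mismatch".
verify_p12() {
  cert_pub=$(openssl pkcs12 -in "$WORK/ca.p12" -passin "file:$WORK/password.txt" \
    -nokeys -clcerts 2>/dev/null | openssl x509 -noout -pubkey)
  key_pub=$(openssl pkcs12 -in "$WORK/ca.p12" -passin "file:$WORK/password.txt" \
    -nocerts -nodes 2>/dev/null | openssl pkey -pubout)
  if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; return 1; fi
}

# Friendly name stored in ca.p12; this becomes the certificate nickname in NSS.
p12_friendly_name() {
  openssl pkcs12 -in "$WORK/ca.p12" -passin "file:$WORK/password.txt" \
    -nokeys -clcerts 2>/dev/null | sed -n 's/^ *friendlyName: //p' | head -n 1
}
```

Run make_test_ca, make_password_file, export_p12 and then verify_p12 in that order; a "mismatch" result means the certificate and key you exported do not belong to the same CA and the PKCS #12 file must not be shipped.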
