Chapter 23. Migrating an OpenSSL CA to Certificate System

Red Hat Certificate System provides a mechanism to migrate an existing OpenSSL Certificate Authority (CA) to a new Certificate System CA that uses the existing CA signing key.


The migration of Certificate System 8 to 9 is a special implementation of this procedure and is described in Chapter 22, Migrating From Certificate System 8 to 9.
Depending on your environment, see:

23.1. Migrating an OpenSSL CA to Certificate System When Not Using an HSM

  1. Create a file with a password that will be used in the next step. For example:
    # echo password > ~/password.txt
  2. Import the OpenSSL CA certificate and key into a PKCS #12 file using the openssl pkcs12 command. Use the following options:
    • -export instructs the openssl command to export the data.
    • -in path_to_ca_certificate sets the path to the OpenSSL CA certificate.
    • -inkey path_to_CA_signing_key sets the path to the OpenSSL CA signing key.
    • -out path_to_PKCS_#12_file sets the path to the PKCS #12 file in which the output is stored.
    • -name "friendly_name" sets the friendly name of the certificate and key.
    • -passout file:path_to_password_file sets the path to the text file that contains the password used to encrypt the PKCS #12 file.
    For example, to export the OpenSSL CA certificate and key into the ~/ca.p12 file:
    # openssl pkcs12 -export -in ~/ca.crt -inkey ~/ca.key -out ~/ca.p12 \
         -name "CA Certificate" -passout file:~/password.txt
  3. Initialize a password protected Network Security Services (NSS) database for the Public Key Infrastructure (PKI) command-line interface. For example:
    # pki -c password client-init
  4. Set the CTu,Cu,Cu trust flags for the CA certificate with the CA Certificate nick name stored in the ~/ca.12 file using the password in the ~/password.txt file:
    # pki pkcs12-cert-mod --pkcs12-file ~/ca.p12 "CA Certificate" \
         --pkcs12-password-file ~/password.txt --trust-flags "CTu,Cu,Cu"


    Enter the trust flags without spaces.
  5. Display the CA certificate stored in the ~/ca.p12 file:
    # pki pkcs12-cert-find --pkcs12-file ~/ca.p12 \
         --pkcs12-password-file ~/password.txt
    1 entries found
      Certificate ID: 9311084d08b37d12e856b904b7e52eb3b1cece4a
      Serial Number: 0xe3f2b350edcd875c
      Nickname: CA Certificate
      Subject DN: O=Example,CN=CA Certificate
      Issuer DN: O=Example,CN=CA Certificate
      Trust Flags: CTu,Cu,Cu
      Has Key: true
  6. Display the CA signing key stored in the ~/ca.p12 file:
    # pki pkcs12-key-find --pkcs12-file ~/ca.p12 \
         --pkcs12-password-file ~/password.txt
    1 entries found
      Key ID: 9311084d08b37d12e856b904b7e52eb3b1cece4a
      Subject DN: CA Certificate
      Algorithm: RSA
  7. Copy the following files to the new Certificate System host:
    • OpenSSL CA Signing Certificate Request (CSR)
    • OpenSSL CA certificate chain (if available)
    • PKCS #12 file that contains the OpenSSL CA signing certificate and key
    • Password file used to protect the PKCS #12 file
    For example, to copy the files using secure copy:
    # scp ~/ca.csr ~/certificate_chain.p7b ~/ca.p12 ~/password.txt new_server:~/
  8. Set up the CA on the new host. For details, see Section 22.2, “Setting up the CA on the New Host”.
After the migration, you can deactivate the OpenSSL CA or run it in read-only mode, where it only responds to Online Certificate Status Protocol (OCSP) requests.