Show Table of Contents
Chapter 23. Migrating an OpenSSL CA to Certificate System
Red Hat Certificate System provides a mechanism to migrate an existing OpenSSL Certificate Authority (CA) to a new Certificate System CA that uses the existing CA signing key.
The migration of Certificate System 8 to 9 is a special implementation of this procedure and is described in Chapter 22, Migrating From Certificate System 8 to 9.
Depending on your environment, see:
23.1. Migrating an OpenSSL CA to Certificate System When Not Using an HSM
- Create a file with a password that will be used in the next step. For example:
# echo password > ~/password.txt
- Import the OpenSSL CA certificate and key into a PKCS #12 file using the
openssl pkcs12command. Use the following options:
For example, to export the OpenSSL CA certificate and key into the
opensslcommand to export the data.
-in path_to_ca_certificatesets the path to the OpenSSL CA certificate.
-inkey path_to_CA_signing_keysets the path to the OpenSSL CA signing key.
-out path_to_PKCS_#12_filesets the path to the PKCS #12 file in which the output is stored.
-name "friendly_name"sets the friendly name of the certificate and key.
-passout file:path_to_password_filesets the path to the text file that contains the password used to encrypt the PKCS #12 file.
# openssl pkcs12 -export -in ~/ca.crt -inkey ~/ca.key -out ~/ca.p12 \ -name "CA Certificate" -passout file:~/password.txt
- Initialize a password protected Network Security Services (NSS) database for the Public Key Infrastructure (PKI) command-line interface. For example:
# pki -c password client-init
- Set the
CTu,Cu,Cutrust flags for the CA certificate with the
CA Certificatenick name stored in the
~/ca.12file using the password in the
# pki pkcs12-cert-mod --pkcs12-file ~/ca.p12 "CA Certificate" \ --pkcs12-password-file ~/password.txt --trust-flags "CTu,Cu,Cu"
ImportantEnter the trust flags without spaces.
- Display the CA certificate stored in the
# pki pkcs12-cert-find --pkcs12-file ~/ca.p12 \ --pkcs12-password-file ~/password.txt --------------- 1 entries found -------------- Certificate ID: 9311084d08b37d12e856b904b7e52eb3b1cece4a Serial Number: 0xe3f2b350edcd875c Nickname: CA Certificate Subject DN: O=Example,CN=CA Certificate Issuer DN: O=Example,CN=CA Certificate Trust Flags: CTu,Cu,Cu Has Key: true
- Display the CA signing key stored in the
# pki pkcs12-key-find --pkcs12-file ~/ca.p12 \ --pkcs12-password-file ~/password.txt --------------- 1 entries found --------------- Key ID: 9311084d08b37d12e856b904b7e52eb3b1cece4a Subject DN: CA Certificate Algorithm: RSA
- Copy the following files to the new Certificate System host:
For example, to copy the files using secure copy:
- OpenSSL CA Signing Certificate Request (CSR)
- OpenSSL CA certificate chain (if available)
- PKCS #12 file that contains the OpenSSL CA signing certificate and key
- Password file used to protect the PKCS #12 file
# scp ~/ca.csr ~/certificate_chain.p7b ~/ca.p12 ~/password.txt new_server:~/
- Set up the CA on the new host. For details, see Section 22.2, “Setting up the CA on the New Host”.
After the migration, you can deactivate the OpenSSL CA or run it in read-only mode, where it only responds to Online Certificate Status Protocol (OCSP) requests.