Chapter 18. Migrating From Certificate System 8 to 9

Red Hat Certificate System does not support in-place upgrades from an older major version, such as from 8.2 to 9. For major version upgrades, you must migrate the old instance. Additionally, you can use the same procedure to create a copy of your production environment for testing and debugging purposes.

Important

Before migrating, read the Red Hat Certificate System Release Notes.
A Certificate System migration requires the following steps:
  1. Section 18.1, “Exporting Data from the Previous System”
  2. Section 18.2, “Setting up the CA on the New Host”
  3. Section 18.3, “Importing the Data into the New CA”
  4. Section 18.4, “Reassigning Users to Default Groups”

18.1. Exporting Data from the Previous System

Before you set up the new Certificate System instance, export the data of the current certificate authority (CA).
On the host that runs the Certificate System instance:
  1. Create a directory for the files to export. For example: 
    # mkdir -m 770 /tmp/cs_bak/
  2. Export the signing certificate and key:
    • When using a hardware security module (HSM):
      1. List the CA signing certificate nickname. For example: 
        # certutil -L -d /var/lib/instance_name/alias/ | grep "caSigningCert"
caSigningCert ca-pki-ca          CTu,Cu,Cu
      2. Export the CA certificate: 
        # certutil -L -d /var/lib/instance_name/alias/ \
     -n "caSigningCert ca-pki-ca" \
     -a > /tmp/cs_bak/ca_signing.crt
        The key is stored in the HSM and must be available to the new instance.
    • When not using an HSM:
      1. In the configuration file, find the password that protects the CA Network Security Service (NSS) database, and write it to a file:
        • If the password is stored in the /var/lib/instance_name/conf/password.conf file: 
          # grep "internal=" /var/lib/instance_name/conf/password.conf | \
     awk -F= '{print $2;}' > /tmp/cs_bak/nss_password.txt
        • If the password is stored in the /etc/instance_name/password.conf file: 
          # grep "internal=" /etc/instance_name/password.conf | \
     awk -F= '{print $2;}' > /tmp/cs_bak/nss_password.txt
      2. Create a file with a password that will be used in the next step. For example: 
        # echo Secret123 > /tmp/cs_bak/pkcs12_password.txt
      3. Export the signing certificate and key: 
        # PKCS12Export -d /var/lib/instance_name/alias/ \
     -p /tmp/cs_bak/nss_password.txt \
     -w /tmp/cs_bak/pkcs12_password.txt \
     -o /tmp/cs_bak/ca.p12
  3. Export the certificate signing request (CSR):
    • If the CSR is stored in the /etc/instance_name/CS.cfg file: 
      # echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > /tmp/cs_bak/ca_signing.csr

# sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" /etc/instance_name/ca/CS.cfg \
     >> /tmp/cs_bak/ca_signing.csr

# echo "-----END NEW CERTIFICATE REQUEST-----" >> /tmp/cs_bak/ca_signing.csr
    • If the CSR is stored in the /var/lib/instance_name/conf/CS.cfg file: 
      # echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > /tmp/cs_bak/ca_signing.csr

# sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" /var/lib/instance_name/conf/CS.cfg \
     >> /tmp/cs_bak/ca_signing.csr

# echo "-----END NEW CERTIFICATE REQUEST-----" >> /tmp/cs_bak/ca_signing.csr
  4. If the CA is an intermediate CA, extract the root CA or certificate chain from the NSS database: 
    # certutil -L -d /var/lib/instance_name/alias/ -n "root_CA_nickname" \
     -a > /tmp/cs_bak/ca_rootca_signing.crt
  5. Copy the directory that contains the exported files to the new server. For example: 
    # scp -r /tmp/cs_bak/ new_server:/tmp/
On the host that runs the Directory Server instance:
  1. Create a directory for the files to export, and grant write permissions to the Directory Server user. For example: 
    # mkdir -m 770 /tmp/ds_bak/
# chown root:dirsrv /tmp/ds_bak/
  2. Export the Directory Server database: 
    # db2ldif -Z DS_instance_name -n "CS_database_name" -a /tmp/ds_bak/old_ca.ldif
    In the example:
    • DS_instance_name sets the Directory Server instance name. For example: slapd-host_name.
    • CS_database_name sets the Certificate System CA database name used in Directory Server. For example: host_name-CS_instance_name.

    Note

    The db2ldif command runs under the Directory Server user. Therefore the destination directory must be writable by this user.
  3. Copy the directory that contains the exported files to the new server. For example: 
    # scp -r /tmp/ds_bak/ new_server:/tmp/