14.2. Upgrading the CA Database

To upgrade the certificate authority (CA) database:
  1. Upgrade the container entries:
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
    dn: ou=authorities,ou=ca,CA_base_DN
    changetype: add
    objectClass: top
    objectClass: organizationalUnit
    ou: authorities
  2. Upgrade the access control list (ACL) entries:
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
    dn: cn=aclResources,CA_base_DN
    changetype: modify
    add: resourceACLS
    resourceACLS: certServer.ca.authorities:list,read:allow (list,read) user="anybody":Anybody may list and read lightweight authorities
    resourceACLS: certServer.ca.authorities:create,modify:allow (create,modify) group="Administrators":Administrators may create and modify lightweight authorities
    resourceACLS: certServer.ca.authorities:delete:allow (delete) group="Administrators":Administrators may delete lightweight authorities
  3. Upgrade the database indexes:
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
    dn: cn=issuername,cn=index,cn=CA_database_name,cn=ldbm database,cn=plugins,cn=config
    changetype: add
    objectClass: top
    objectClass: nsIndex
    nsindexType: eq
    nsindexType: pres
    nsindexType: sub
    nsSystemindex: false
    cn: issuername
  4. Add the realm attribute to the schema and include it in the request object class (in LDIF, the modifications within one changetype: modify record are separated by a line containing only "-"):
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
    dn: cn=schema
    changetype: modify
    add: attributeTypes
    attributeTypes: ( realm-oid NAME 'realm' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
    -
    delete: objectClasses
    objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify $ requestState $ requestResult $ requestOwner $ requestAgentGroup $ requestSourceId $ requestType $ requestFlag $ requestError $ userMessages $ adminMessages ) X-ORIGIN 'user defined' )
    -
    add: objectClasses
    objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify $ requestState $ requestResult $ requestOwner $ requestAgentGroup $ requestSourceId $ requestType $ requestFlag $ requestError $ userMessages $ adminMessages $ realm ) X-ORIGIN 'user defined' )
  5. Remove the certificate validity delay:
    1. In the /var/lib/pki/instance_name/ca/profiles/ca/caDualCert.cfg file, set:
      policyset.signingCertSet.2.default.params.startTime=0
    2. In the /var/lib/pki/instance_name/ca/profiles/ca/caECDualCert.cfg file, set:
      policyset.signingCertSet.2.default.params.startTime=0
    3. In the /var/lib/pki/instance_name/ca/profiles/ca/caDualCert.cfg file, set:
      policyset.signingCertSet.2.default.params.startTime=0
    4. In the /var/lib/pki/instance_name/ca/profiles/ca/caJarSigningCert.cfg file, set:
      policyset.caJarSigningSet.2.default.params.startTime=0
    5. In the /var/lib/pki/instance_name/ca/profiles/ca/caSignedLogCert.cfg file, set:
      policyset.caLogSigningSet.2.default.params.startTime=0
  6. Add the issuerName attribute to certificate records:
    # pki-server db-upgrade
  7. Update the attribute syntax to allow underscores in instance names. The authorityKeyNickname attribute changes from Printable String (syntax 1.3.6.1.4.1.1466.115.121.1.44), whose character set does not include the underscore, to IA5 String (syntax 1.3.6.1.4.1.1466.115.121.1.26). Because the authority object class references this attribute, the object class is deleted first and re-added after the attribute has been redefined:
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
    dn: cn=schema
    changetype: modify
    delete: objectClasses
    objectClasses: ( authority-oid NAME 'authority' DESC 'Certificate Authority' SUP top STRUCTURAL MUST ( cn $ authorityID $ authorityKeyNickname $ authorityEnabled $ authorityDN ) MAY ( authoritySerial $ authorityParentID $ authorityParentDN $ authorityKeyHost $ description ) X-ORIGIN 'user defined' )
    -
    delete: attributeTypes
    attributeTypes: ( authorityKeyNickname-oid NAME 'authorityKeyNickname' DESC 'Authority key nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 SINGLE-VALUE X-ORIGIN 'user-defined' )
    -
    add: attributeTypes
    attributeTypes: ( authorityKeyNickname-oid NAME 'authorityKeyNickname' DESC 'Authority key nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'user-defined' )
    -
    add: objectClasses
    objectClasses: ( authority-oid NAME 'authority' DESC 'Certificate Authority' SUP top STRUCTURAL MUST ( cn $ authorityID $ authorityKeyNickname $ authorityEnabled $ authorityDN ) MAY ( authoritySerial $ authorityParentID $ authorityParentDN $ authorityKeyHost $ description ) X-ORIGIN 'user defined' )
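The following script verifies that each of the steps above has actually been applied to a running instance. It is an added example, not part of the Red Hat documentation or the pki-server tooling; it assumes the Directory Manager password is exported in LDAP_PW and that CA_base_DN, CA_database_name and instance_name are replaced with the real values (or passed as the CA_BASE_DN, CA_DB and INSTANCE variables).

```bash
#!/bin/bash
# Post-upgrade checks for the CA database steps in this section (added example,
# not Red Hat's code). Assumed, not from the page: the Directory Manager password
# is exported in LDAP_PW; CA_BASE_DN, CA_DB and INSTANCE are placeholders.
LDAP_HOST=${LDAP_HOST:-server.example.com}; LDAP_PORT=${LDAP_PORT:-389}
CA_BASE_DN=${CA_BASE_DN:-CA_base_DN}; CA_DB=${CA_DB:-CA_database_name}
PROFILES=/var/lib/pki/${INSTANCE:-instance_name}/ca/profiles/ca
# Base-scope search of one entry; ldif-wrap=no keeps long schema values unfolded.
ldap() {
  ldapsearch -x -LLL -o ldif-wrap=no -h "$LDAP_HOST" -p "$LDAP_PORT" \
    -D "cn=Directory Manager" -w "$LDAP_PW" -s base -b "$1" '(objectClass=*)' "${@:2}"
}
# Each checker reads ldapsearch output on stdin and exits 0 if the step is applied.
check_container() { grep -qi '^ou: authorities$'; }                    # step 1
check_acls() {                                                         # step 2
  local n; n=$(grep -c '^resourceACLS: certServer.ca.authorities:' || true)
  [ "$n" -eq 3 ]
}
check_index() {                                                        # step 3
  local out t; out=$(cat)
  for t in eq pres sub; do
    printf '%s\n' "$out" | grep -qi "^nsIndexType: $t\$" || return 1
  done
}
check_schema() {                                                 # steps 4 and 7
  local out; out=$(cat)
  printf '%s\n' "$out" | grep -q "NAME 'realm' " || return 1
  # authorityKeyNickname must now use IA5 String (1.26), which permits '_'
  printf '%s\n' "$out" | grep "NAME 'authorityKeyNickname'" |
    grep -q 'SYNTAX 1\.3\.6\.1\.4\.1\.1466\.115\.121\.1\.26'
}
check_profile() {                       # step 5: $1 = profile file, $2 = policy set
  grep -qx "policyset.$2.2.default.params.startTime=0" "$1"
}
main() {   # run every check against the live instance (needs ldapsearch)
  ldap "ou=authorities,ou=ca,$CA_BASE_DN" ou | check_container || echo "FAIL step 1: container"
  ldap "cn=aclResources,$CA_BASE_DN" resourceACLS | check_acls || echo "FAIL step 2: ACLs"
  ldap "cn=issuername,cn=index,cn=$CA_DB,cn=ldbm database,cn=plugins,cn=config" nsIndexType \
    | check_index || echo "FAIL step 3: issuername index"
  ldap cn=schema attributeTypes | check_schema || echo "FAIL steps 4/7: schema"
  for p in caDualCert:signingCertSet caECDualCert:signingCertSet \
           caJarSigningCert:caJarSigningSet caSignedLogCert:caLogSigningSet; do
    check_profile "$PROFILES/${p%%:*}.cfg" "${p##*:}" || echo "FAIL step 5: ${p%%:*}.cfg"
  done
}
if [ "${1:-}" = run ]; then main; fi
```

Invoke it as `LDAP_PW=... CA_BASE_DN=... CA_DB=... INSTANCE=... ./check-ca-upgrade.sh run`; silence means every step was found in place.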